Subject: RE: Minor XACML Spec errata and resource labels
XACML as a language and as semantics for use by a Policy Decision Point is at a separate "layer" from the representation of various attributes in various systems. XACML expects each AttributeId to correspond to some "attribute" of an object, but XACML itself does not specify that correspondence, how the attribute is retrieved, or from where the attribute is retrieved.

If you want to associate an attribute to be used by XACML with a resource, and you are free to define the format of that attribute, the most straightforward correspondence would be to define the attribute in the form of an XACML Request Attribute (xs:complexType name="AttributeType" defined in XACML Context). For example, you would specify a resource label consisting of the classification scheme "U.S. Navy Document Classification Scheme" with value "top secret" as

  <Attribute AttributeId="U.S. Navy Document Classification Scheme" DataType="...#string">
    <AttributeValue>top secret</AttributeValue>
  </Attribute>

and a representation of this would be stored in some attribute repository in association with the resource to which it applies. Even when using this definition, however, the XACML PDP (or its associated "Attribute Finder") must know that this is the representation being used, how to locate the attributes associated with a particular resource, and how to retrieve those attributes.

I do not see how associating a PolicySet with each resource solves your problem. Such a PolicySet might specify the policy for which user attributes are required to access the resource (e.g. which "clearance level" attributes and values), but this does not define a "resource label". Can you give an example of what you are thinking of doing?

Anne Anderson

On 21 April, Jeff writes: RE: Minor XACML Spec errata and resource labels
> Yes, classification schemes/values are good. Clearly, it is
> essential that, in such cases, classification schemes/values
> be made part of a PolicySet (as an "Attribute" of the
> Resource, as you suggest).
>
> My understanding is that a PolicySet is a relatively stable
> XML document that will be used by software like a PDP. My
> point is that the resource ITSELF (the thing being protected
> not its reference in a PolicySet) needs to carry a label.
>
> Consider individual resources such as files on a hard disk:
> there would typically be very many files each with their own
> INDIVIDUAL classification scheme/value. Hence, for complete
> interoperability between disparate XACML systems there needs
> to be a standard way of describing the classification
> scheme/value that applies to each individual file. Now, I know
> that what's important here is the Request and that
> classification schemes/values for individual files will be
> carried by the Request but I'm thinking of providing a generic
> implementation and I would like a way of labeling files that
> follows an XACML standard.
>
> I'm inclined to think that individual instances of PolicySet
> objects could be used to label each 'resource thing' but I
> don't think that this is the intended use for PolicySets and I
> was wondering if you had a better suggestion or could sanction
> such a use of PolicySets!
>
> -----Original Message-----
> From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
> Sent: Monday, April 21, 2003 11:06 AM
> To: jeff@cogentlogic.com
> Cc: XACML TC
> Subject: Re: Minor XACML Spec errata and resource labels
> ....
> I assume, by "resource label", you mean a classification scheme
> and a classification value, such as "U.S. Navy Classification
> System XYZ" "top secret". This could be expressed in XACML as an
> "Attribute" of the Resource. The AttributeId could be a URN
> indicating the classification scheme, and the AttributeValue
> could be the classification value.
>
> Does this satisfy your requirements?
>
> Anne Anderson
>
> On 19 April, Jeff writes: Minor XACML Spec errata and resource labels
> > From: "Jeff" <jeff@cogentlogic.com>
> > To: <Anne.Anderson@sun.com>
> > Subject: Minor XACML Spec errata and resource labels
> > Date: Sat, 19 Apr 2003 17:02:54 -0400
> ....
> > I don't see anything in XACML relating to resource labels
> > (in fact the word label doesn't appear at all in
> > oasis-####-xacml-1.0.pdf!). Resource labels are part of the
> > authorization support in the X.509 standard and are used in
> > several RBAC implementations. Resource labels are useful in
> > enabling resource characteristics (i) to be set on
> > resources and (ii) to form part of access control
> > decisions. I feel sure that you must be aware of this and
> > can only conclude that a PolicySet is intended to act as a
> > resource label (in addition to acting as a policy set!). Is
> > this correct?

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
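The following is an added illustration of the representation Anne describes above; it is not code from this thread, from Sun, or from the XACML TC. It serialises a resource label as an XACML 1.0 context Attribute, stores it in a constructed in-memory attribute repository keyed by resource id, and then supplies the two pieces Anne notes that XACML itself leaves unspecified: an attribute finder that locates and decodes the label for a resource, and a small PDP that compares it with a subject's clearance. The classification scheme name is taken from the thread; the ordering of its values, the resource ids, the repository and the clearance attribute are all assumptions, and the DataType URI is the standard XML Schema string type. The PDP fails closed: an unlabeled resource, a label from an unknown scheme, or an unrecognised level all yield Deny.

```python
"""Resource labels as XACML 1.0 context Attributes (added example, not from the thread)."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# XACML 1.0 context namespace and the XML Schema string datatype (standard URIs).
XACML_CTX = "urn:oasis:names:tc:xacml:1.0:context"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ET.register_namespace("xacml-context", XACML_CTX)

# Classification scheme used as the AttributeId, following the thread's example.
SCHEME_ID = "U.S. Navy Document Classification Scheme"
# Constructed dominance ordering for that scheme (an assumption; XACML defines no such ordering).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def label_to_xml(scheme_id: str, value: str) -> str:
    """Serialise a resource label as an XACML context <Attribute> element."""
    attr = ET.Element(f"{{{XACML_CTX}}}Attribute",
                      {"AttributeId": scheme_id, "DataType": XS_STRING})
    ET.SubElement(attr, f"{{{XACML_CTX}}}AttributeValue").text = value
    return ET.tostring(attr, encoding="unicode")


def xml_to_label(xml_text: str) -> Tuple[str, str]:
    """Parse a stored <Attribute> back into (AttributeId, value), rejecting malformed labels."""
    attr = ET.fromstring(xml_text)
    if attr.tag != f"{{{XACML_CTX}}}Attribute":
        raise ValueError("not an XACML context Attribute")
    if attr.get("DataType") != XS_STRING:
        raise ValueError("unexpected DataType for a classification label")
    value_el = attr.find(f"{{{XACML_CTX}}}AttributeValue")
    if value_el is None or not value_el.text:
        raise ValueError("label has no AttributeValue")
    return attr.get("AttributeId", ""), value_el.text


# Constructed attribute repository: resource id -> stored label XML (assumed ids).
REPOSITORY: Dict[str, str] = {
    "file:///share/ops/plan.doc": label_to_xml(SCHEME_ID, "top secret"),
    "file:///share/public/notice.txt": label_to_xml(SCHEME_ID, "unclassified"),
}


def find_label(resource_id: str,
               repository: Dict[str, str] = REPOSITORY) -> Optional[Tuple[str, str]]:
    """Attribute-finder step: locate and decode the label stored for one resource."""
    xml_text = repository.get(resource_id)
    return None if xml_text is None else xml_to_label(xml_text)


def decide(resource_id: str, subject_clearance: str,
           repository: Dict[str, str] = REPOSITORY) -> str:
    """Toy PDP: Permit only when the subject's clearance dominates the resource label.
    Unlabeled resources, foreign schemes and unknown levels are denied (fail closed)."""
    label = find_label(resource_id, repository)
    if label is None:
        return "Deny"
    scheme, classification = label
    if scheme != SCHEME_ID:
        return "Deny"  # label belongs to a scheme this policy does not understand
    need = LEVELS.get(classification)
    have = LEVELS.get(subject_clearance)
    if need is None or have is None:
        return "Deny"
    return "Permit" if have >= need else "Deny"


if __name__ == "__main__":
    print(label_to_xml(SCHEME_ID, "top secret"))
    print(decide("file:///share/ops/plan.doc", "secret"))      # Deny
    print(decide("file:///share/ops/plan.doc", "top secret"))  # Permit
```

Note that the serialised element carries the label alone; the binding between the element and the file it describes lives entirely in the repository, which is exactly the piece a deployment has to define for itself.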