Subject: New Proposed XACML 2.0 Work Item - Policy Administration
I thought I would propose a new work item and at the same time debug Anne's proposed format. I am looking for early input on whether this is worth doing and if it is reasonable to attempt. It is likely to be a lot of work.

Hal

-----------------------------------------

<number>: Policies for the Administration of XACML Policies

XACML defines a language to express policies about access to resources. But it is also desirable to create policies about the creation, modification and deletion of XACML policies. In a sense XACML already allows this, since XACML policies are agnostic to the semantics of the resources being protected. However, it is very desirable for administrative policies to specify not the "name" of policies being administered, but their "content."

MOTIVATING USE-CASE AND REQUIREMENT

There are a number of use cases which motivate this item:

1. Control policy administration in a standardized way
2. Delegate administration in distributed environment
3. In rights management context control licensing and redistribution.

This is definitely new functionality.

SUMMARY OF OPEN ISSUES

Issues include:

1. How to specify scope of policies that admin policy applies to
2. Infinite regress problem
3. How many layers of indirection?
4. Bootstrap problem / how to avoid lock out.
5. How to express request properties vs. scope properties, e.g. Subject making request, vs. Subject of policy being modified.

PROPOSED SOLUTION <# if more than one>

[A high-level description of a proposed solution or change that is still actively under consideration by members of the TC.]

DETAILED SOLUTION

[Actual text and schema changes or additions, referencing line numbers in the XACML 1.1 PDF Specification, required to express this solution in the 2.0 specification. This may be in the form of edits to the source XACML 1.1 Specification, attached to the e-mail containing the Proposal. Don't bother with this until the SUMMARY indicates there are no issues that remain to be resolved, and there is consensus on one PROPOSED SOLUTION above.]