Subject: Re: [xacml] XACML 2.0 Work Items, V1.8


Hi Anne,

I'm ok with all the items you added my name to, except #26:

26. Define policy reduction (partial evaluation) of a policy

    Define a process for reducing a policy based on known
    information, leaving only the unresolved predicates.

    STATUS: potential work item.
    PROPOSAL:
    CHAMPION: Frank Siebenlist?

I'm not sure what it is about... Is this some sort of optimization, or is this
related to WSPL's policy combination/reduction?

-Frank.




Anne Anderson wrote:

> Title:   XACML 2.0 Work Items
> Version: 1.8
> Updated: 03/08/21 (yy/mm/dd)
> 
> 1. Grid Requirements
> 
>    Any XACML changes needed to satisfy Grid requirements
> 
>    STATUS: Abstract Work Item.  As specific changes are
>       identified, they will become individual work items with
>       their own numbers, listed here.
>       Current specific work items:
>        #2,3,4,16,17,29,30,31,32,33,34,35
>    PROPOSAL: Abstract
>    CHAMPION: Frank Siebenlist
> 
> 2. Location Information
> 
>    Way to pass location information needed to evaluate a policy.
>    Examples of such information are:
>     o where to find various Attributes,
>     o where Attribute Authorities to be used are located
>     o where to find function, combining algorithm, data-type,
>       Attribute parsing code
>    Such information might be embedded in either of
>    a. an XACML Request
>    b. an XACML policy
> 
>    STATUS: potential work item.  Related: #1,24.
>    PROPOSAL:
>    CHAMPION: Daniel Engovatov?
> 
> 3. Multiple Actions per Request
> 
>    Support Requests containing multiple Actions.  Response could
>    either say "All permitted/denied" or could include a separate
>    decision for each.
> 
>    STATUS: potential work item.  Related item#1
>    PROPOSAL:
>    CHAMPION: Frank Siebenlist?
> 
> 4. Multiple Resources per Request   
> 
>    Support Requests containing multiple Resources.  Response
>    could either say "All permitted/denied" or could include a
>    separate decision for each.
> 
>    STATUS: potential work item.  Related item#1
>    PROPOSAL:
>    CHAMPION: Frank Siebenlist?
> 
> 5. Privacy Requirements
> 
>    Any XACML changes needed to satisfy Privacy requirements.
> 
>    STATUS: Abstract Work Item.  As specific changes are
>       identified, they will become individual work items with
>       their own numbers, listed here.
>    PROPOSAL: ABSTRACT
>    CHAMPION: ?
> 
> 6. Domain-specific identifiers
> 
>    Define a set of domain-specific identifiers based on
>    application usage of XACML.
>  
>    STATUS: Postponed from 1.1.
>    PROPOSAL:
>    CHAMPION: Michiharu Kudo
> 
> 7. ConditionReference
> 
>    Allow a Rule to contain a ConditionReference element as an
>    alternative to a Condition element.  The ConditionReference
>    would identify a Condition element specified elsewhere.  An
>    optional ConditionId attribute would be added to the Condition
>    element to support this.
> 
>    STATUS: Postponed from 1.1.
>    PROPOSAL:
>     http://lists.oasis-open.org/archives/xacml/200304/msg00039.html
>    CHAMPION: Michiharu Kudo
> 
> 8. RuleIdReference
> 
>    Define RuleIdReference analogous to PolicyIdReference and
>    PolicySetIdReference.
> 
>    STATUS: Postponed from 1.1.  Related item #19.
>    PROPOSAL:
>     http://lists.oasis-open.org/archives/xacml/200305/msg00004.html  
>    CHAMPION: Michiharu Kudo?
> 
> 9. Hierarchical entities
> 
>    How to express policies and requests that apply to a hierarchy
>    of subjects, resources, or actions.
> 
>    STATUS: Postponed from 1.1. Related item#25.
>    PROPOSALS:
>     http://lists.oasis-open.org/archives/xacml/200304/msg00057.html
>     http://lists.oasis-open.org/archives/xacml/200305/msg00009.html
>    CHAMPION: Simon Godik
> 
> 10. Parameters for Combining Algorithms
> 
>    Support an element or attribute in a PolicySet, Policy, or Rule
>    that provides parameters to be used by a Combining Algorithm
>    that is combining the PolicySet, Policy, or Rule.
> 
>    STATUS: Postponed from 1.1.
>    PROPOSAL:
>      http://lists.oasis-open.org/archives/xacml/200305/msg00014.html
>    CHAMPION: Michiharu Kudo
> 
> 11. XACML Extension Points
> 
>    Define schema extension points for XACML.  This work item
>    might solve the requirements driving several other work
>    items.
> 
>    STATUS: potential work item.
>    PROPOSAL:
>    CHAMPION: Simon Godik
> 
> 12. Environment Element in Target
> 
>    Allow the Target Element to include an Environment element,
>    just as it now includes Subject, Resource, and Action
>    elements.
> 
>    STATUS: Postponed from 1.1.
>    PROPOSAL:
>     http://lists.oasis-open.org/archives/xacml/200305/msg00012.html
>    CHAMPION: Michiharu Kudo
> 
> 13. Optional Target Elements
> 
>    Make Subjects, Resources, Actions elements optional in a
>    Target.  Missing element has same semantics as <Any.../>
>    Make Target itself optional.  Missing element has same
>    semantics as a Target containing <AnySubject/>,
>    <AnyResource/>, <AnyAction/>.
> 
>    STATUS: potential work item.
>    PROPOSAL:
>    CHAMPION: ?
> 
> 14. Signature envelope requirements
> 
>    Any new XACML work items to meet requirements for signature
>    envelopes around an XACML schema instance, such as including
>    an XACML Policy or Request in a signed SAML Assertion.
>     
>    STATUS: Abstract Work Item.  As specific changes are
>       identified, they will become individual work items with
>       their own numbers, listed here.
>    PROPOSAL: ABSTRACT
>    CHAMPION: ?
>    
> 15. Encrypted XACML schema instance requirements
> 
>    Any new XACML work items to meet requirements for encrypted
>    XACML Policy or Context schema instances.
> 
>    STATUS: Abstract Work Item.  As specific changes are
>       identified, they will become individual work items with
>       their own numbers, listed here.
>    PROPOSAL: ABSTRACT
>    CHAMPION: ABSTRACT
> 
> 16. XACML Policy in SAML Response Conditions
> 
>    Profile uses of XACML Policy instances as a syntax for
>    specifying Conditions in a SAML Response.
> 
>    STATUS: potential work item.  Related to item#1.
>    PROPOSAL:
>    CHAMPION: Frank Siebenlist?
> 
> 17. XACML Policy in SAML Request Conditions
> 
>    Profile use of SAML Conditions element as a way for a PEP to
>    pass an XACML Policy to be used by the PDP in evaluating the
>    Request.
> 
>    STATUS: potential work item.  Related item#30,1.
>    PROPOSAL:
>    CHAMPION: Frank Siebenlist?
> 
> 18. Obligations in Rules
> 
>    Allow Rule to contain Obligations.
> 
>    STATUS: postponed from 1.1
>    PROPOSAL:
>     http://lists.oasis-open.org/archives/xacml/200305/msg00011.html
>    CHAMPION: Michiharu Kudo
> 
> 19. Rule as lowest administrative unit
> 
>    Allow a Rule to be the lowest administrative unit for XACML.
>    Probably required to support RuleIdReference.
> 
>    STATUS: potential work item.  Related item #8.
>    PROPOSAL:
>    CHAMPION: Michiharu Kudo?
> 
> 20. Non-normative XACML interpretation guide
> 
>    Rationale, examples, possible implementation models; general
>    information that would help XACML users know the intent of the
>    XACML TC for the use of XACML elements.
> 
>    STATUS: potential work item.  Probably parallel to XACML 2.0.
>    PROPOSAL:
> 
> 21. Non-normative XACML Primer
> 
>    Primer for XACML usage.
> 
>    STATUS: potential work item.  Probably parallel to XACML 2.0.
>    PROPOSAL:
>    CHAMPION: ?
> 
> 22. time-in-range function
> 
>    Provide a function for comparing that a time of day is between
>    two other times of day.
> 
>    STATUS: potential work item.
>    PROPOSAL:
>     http://lists.oasis-open.org/archives/xacml/200307/msg00044.html
>    CHAMPION: Seth Proctor
> 
> 23. Use XQuery comparison functions for date, time, dateTime
> 
>    Allow date, time, and dateTime functions to handle comparing a
>    value with no time zone with a value with a time zone.
> 
>    STATUS: potential work item
>    PROPOSAL:
>     http://lists.oasis-open.org/archives/xacml/200307/msg00044.html
>    CHAMPION: Seth Proctor
> 
> 24. Define a schema for function declarations
> 
>    Define a schema for declaring the signature of a function.
>    Probably needed with #2 if #2 includes finding parsing and
>    evaluation code for new FunctionIds.
> 
>    STATUS: potential work item.  Related: #2.
>    PROPOSAL:
>    CHAMPION: Daniel Engovatov
> 
> 25. Function for comparing file system pathnames.
> 
>    Define a function for specifying and comparing file system
>    pathnames used in resource-id.  Possibly new DataType also.
> 
>    STATUS: potential work item. Related item#9.
>    PROPOSAL:
>    CHAMPION: Anne Anderson
> 
> 26. Define policy reduction (partial evaluation) of a policy
> 
>    Define a process for reducing a policy based on known
>    information, leaving only the unresolved predicates.
> 
>    STATUS: potential work item.
>    PROPOSAL:
>    CHAMPION: Frank Siebenlist?
> 
> 27. Version number element or attribute in an XACML policy.
> 
>    Some way of indicating the version of a policy having a
>    particular XACML policy id, and a way of placing version
>    constraints on a policy reference.
> 
>    STATUS: potential work item.
>    PROPOSAL:
>    CHAMPION: Seth Proctor
> 
> 28. Define "current time/date/dateTime" during policy evaluation
> 
>    Specify whether time/date/dateTime are constant over a
>    policy evaluation.
> 
>    STATUS: potential work item.
>    PROPOSAL:
>     http://lists.oasis-open.org/archives/xacml/200308/msg00006.html
>    CHAMPION: Seth Proctor
> 
> 29. Policy Authority Delegation
> 
>    The ability to associate a PDP with a particular target
>    domain, and not just with a particular target subject,
>    resource, and action.
> 
>    STATUS: potential work item.  Related item#1.
>    PROPOSAL: #1 in:
>     http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
>    CHAMPION: Frank Siebenlist
> 
> 30. Passing of explicit policy in the Authorization Decision Query
> 
>    This is the same as #17, except that it is more general
>    (i.e. policy from PEP not necessarily passed in SAML
>    Conditions), and also explicitly states that the authority to
>    specify the policy to use has been delegated to the PEP.
>  
>    STATUS: potential work item.  Related item#17,1
>    PROPOSAL: #2 in
>     http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
>    CHAMPION: Frank Siebenlist
> 
> 31. Attribute Issuer as Subject
> 
>    The current attribute issuer type is a string. This
>    restriction doesn't allow one to easily point at an issuer as
>    Subject, and it doesn't allow for any path validation that
>    goes more than one level deep. By allowing an attribute issuer
>    of type subject, one could cater for more complex use-cases
>    that involve policy delegation.
> 
>    STATUS: potential work item.  Related item#1
>    PROPOSAL: #3 in
>     http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
>    CHAMPION: Frank Siebenlist
> 
> 32. Standardize naming to specify rules for requestor's authz policy
> 
>    Provide way to specify whether the requestor's policy allows the service 
>    provider to service the request, possibly by defining
>    "provider-subject" SubjectCategory.
> 
>    STATUS: potential work item.  Related item#1
>    PROPOSAL: #4 in
>     http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
>    CHAMPION: Frank Siebenlist
> 
> 33. XACML wsdl/porttype definition for <Req>/<Resp> exchange
> 
>    Abstract the decision request and response messages between
>    the context handler and the PDP into a wsdl/porttype
>    definition.
> 
>    STATUS: potential work item.  Related item#1
>    PROPOSAL: #5 in
>     http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
>    CHAMPION: Frank Siebenlist
> 
> 34. porttype/operations to ask for required attributes
> 
>    Allow a requester to query the resource's authorization policy
>    for the required attributes for a Target such that it "knows"
>    which one are missing and would have to be retrieved and
>    presented with any request.
> 
>    STATUS: potential work item.  Related item#1
>    PROPOSAL: #6 in
>     http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
>    CHAMPION: Frank Siebenlist
> 
> 35. Policy on revealing missing attributes
> 
>    The returning of the missing attribute info is sensitive
>    information and should itself be subject to policy.
> 
>    STATUS: potential work item.  Related item#1
>    PROPOSAL: #7 in
>     http://lists.oasis-open.org/archives/xacml/200308/msg00008.html
>    CHAMPION: Frank Siebenlist
> 
> 36. Check for requester authorized to ask for authz decision
> 
>    The PDP should check whether the requester, i.e. subject associated
>    with the context handler, is allowed to ask for the authorization
>    decision. We need to be able to state this in a policy statement,
>    and describe the correct operating procedure.
> 
>    STATUS: potential work item.  Related item#1
>    PROPOSAL: 
>    CHAMPION: Frank Siebenlist
> 
> 37. Multiple <AttributeValue> elements for single <Attribute> in Request
> 
>    Allow
>       <Attribute ID=X>
>         <AttributeValue>A</AttributeValue>
>         <AttributeValue>B</AttributeValue>
>         <AttributeValue>C</AttributeValue>
>       </Attribute>
>    as shorthand for
>       <Attribute ID=X>
>         <AttributeValue>A</AttributeValue>
>       </Attribute>
>       <Attribute ID=X>
>         <AttributeValue>B</AttributeValue>
>       </Attribute>
>       <Attribute ID=X>
>         <AttributeValue>C</AttributeValue>
>       </Attribute>
> 
>    STATUS: Potential work item.  Related item#1
>    PROPOSAL:
>    CHAMPION: Frank Siebenlist?
> 
> 38. Policies for the Administration of XACML Policies
> 
>    XACML defines a language to express policies about access to
>    resources. But it is also desirable to create policies about
>    the creation, modification and deletion of XACML policies. In
>    a sense XACML already allows this, since XACML policies are
>    agnostic to the semantics of the resources being
>    protected. However, it is very desirable for administrative
>    policies to specify not the "name" of policies being
>    administered, but their "content."
> 
>    STATUS: Potential work item.
>    PROPOSAL: http://lists.oasis-open.org/archives/xacml/200308/msg00050.html
>    CHAMPION: Hal Lockhart
> 
> Anne Anderson

-- 
Frank Siebenlist              franks@mcs.anl.gov
The Globus Project - Argonne National Laboratory
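The shorthand proposed in item 37 of the quoted list, as an added example that is not part of the thread or of any XACML implementation: a normalizer that expands a multi-valued <Attribute> into the long form of one <Attribute> per value, so a PDP or context handler that only understands the long form evaluates the same bag of values. It assumes the context schema's AttributeId attribute where the item writes ID=X, and the sample Subject fragment and its identifiers are constructed for the example.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample (not from the XACML spec): one <Attribute> carrying
# three values, i.e. the shorthand of item 37, next to a single-valued one.
SHORTHAND_SUBJECT = """<Subject>
  <Attribute AttributeId="urn:example:role"
             DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>A</AttributeValue>
    <AttributeValue>B</AttributeValue>
    <AttributeValue>C</AttributeValue>
  </Attribute>
  <Attribute AttributeId="urn:example:dept"
             DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>eng</AttributeValue>
  </Attribute>
</Subject>"""


def local(tag):
    """Strip a namespace prefix of the form {uri}name, if present."""
    return tag.rsplit("}", 1)[-1]


def expand_multivalued_attributes(element):
    """Return a deep copy of element in which every <Attribute> holding N
    <AttributeValue> children is replaced by N sibling <Attribute> elements
    with one value each (item 37's long form). Document order is kept and
    the attribute's own XML attributes (AttributeId, DataType, Issuer) are
    copied onto every expanded element."""
    out = ET.Element(element.tag, dict(element.attrib))
    out.text, out.tail = element.text, element.tail
    for child in element:
        values = [v for v in child if local(v.tag) == "AttributeValue"]
        if local(child.tag) == "Attribute" and len(values) > 1:
            for value in values:
                single = ET.SubElement(out, child.tag, dict(child.attrib))
                single.append(copy.deepcopy(value))
        else:
            out.append(expand_multivalued_attributes(child))
    return out


def expand_request_xml(xml_text):
    """Parse a request fragment and return its expanded (long-form) tree."""
    return expand_multivalued_attributes(ET.fromstring(xml_text))


def attribute_values(root, attribute_id):
    """List the values carried by each <Attribute> with the given AttributeId,
    one inner list per element, in document order."""
    return [[v.text for v in a if local(v.tag) == "AttributeValue"]
            for a in root.iter()
            if local(a.tag) == "Attribute" and a.get("AttributeId") == attribute_id]
```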