Subject: Re: [xacml] XACML 2.0 Work Items, V1.8
On 21 August, Frank Siebenlist writes: Re: [xacml] XACML 2.0 Work Items, V1.8

> I'm ok with all the items you added my name to, except #26:
>
> 26. Define policy reduction (partial evaluation) of a policy
>
> Define a process for reducing a policy based on known
> information, leaving only the unresolved predicates.
>
> STATUS: potential work item.
> PROPOSAL:
> CHAMPION: Frank Siebenlist?
>
> I'm not sure what it is about .... is this some sort of optimization or is this
> related to wspl's policy combination/reduction?

This is related to the Grid requirement for being able to return a decision along with further conditions, where a PDP is unable to fully evaluate the policy due to lack of information. The "conditions" in this case would be the original policy, with all resolved predicates factored out, leaving only a small policy representing the predicates still to be resolved.

This will often be a use case when the initiator's system has some of the information, and the resource's system has other information. The two systems trust each other's policy evaluations, but neither system is able to access all the information needed to evaluate the policy.

Quick example: assume the Request contains the following:

    subject-id="Frank"
    resource-id="file:/net/bigsystem/"
    action-id="write"

and the full policy contains:

    <Rule Effect="Permit">
      <Condition FunctionId="and">
        subject-role == "ANL Staff"
        resource-id == "file:/net/bigsystem/"
        action-id="write"
        timeOfDayRangeAtResource="9am-5pm"
      </Condition>
    </Rule>

The Requester's PDP might be able to determine that "Frank" has role "ANL Staff", but does not know the time of day at the target resource. So the Requester's PDP evaluates as much as it can, and factors out the predicates that evaluate to "true".

The partially evaluated result is:

    <Rule Effect="Permit">
      <Condition FunctionId="and">
        timeOfDayRangeAtResource="9am-5pm"
      </Condition>
    </Rule>

This "optimized" or "partial policy" would be passed in the Conditions element of the response, and then forwarded to the resource manager for "file:/net/bigsystem/", along with the request.

The resource manager does not know that "Frank" has role "ANL Staff", so would not have been able to fully evaluate the original policy, but the resource manager knows its own time of day. So that resource manager sends the little policy above as Conditions on a Request to its own PDP. Its own PDP evaluates that Policy and returns "Permit".

[Note that we now have a case where "resource-id" is needed in a request. I believe it should be made optional to handle this case.]

Anne
--
Anne H. Anderson                         Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311               Tel: 781/442-0928
Burlington, MA 01803-0902 USA            Fax: 781/442-1692
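The two-PDP walk-through above, as an added Python sketch that is not part of the thread or of any XACML implementation: the tuple encoding of the "and" condition, the `partial_evaluate` function and the hour-based time range are assumptions made for the illustration. It also covers the case the message leaves implicit, a predicate that is already known to be false, where no residual policy needs to be forwarded at all.

```python
# Function registry: XACML-style function-id -> Python predicate.
# The function-ids here are assumed names for this example, not XACML URIs.
FUNCTIONS = {
    "string-equal": lambda value, want: value == want,
    "time-in-range": lambda value, want: want[0] <= value <= want[1],  # hours
}

# A rule is (effect, predicates); a predicate is (attribute-id, function-id,
# literal). Hypothetical encoding of the <Condition FunctionId="and"> above.
BIGSYSTEM_RULE = ("Permit", [
    ("subject-role", "string-equal", "ANL Staff"),
    ("resource-id", "string-equal", "file:/net/bigsystem/"),
    ("action-id", "string-equal", "write"),
    ("timeOfDayRangeAtResource", "time-in-range", (9, 17)),   # 9am-5pm
])


def partial_evaluate(rule, known):
    """Reduce an 'and' rule against the attributes this PDP knows.

    Returns (decision, residual_rule):
      * some predicate is false  -> ("NotApplicable", None): the rule can never
        fire, whatever the missing attributes turn out to be;
      * every predicate is true  -> (effect, None): a final decision;
      * otherwise                -> (effect, reduced rule) whose condition keeps
        only the predicates this PDP could not resolve; the caller forwards it
        as the Conditions of its response.
    """
    effect, predicates = rule
    residual = []
    for attr, function_id, literal in predicates:
        if attr not in known:
            residual.append((attr, function_id, literal))   # still unresolved
        elif not FUNCTIONS[function_id](known[attr], literal):
            return "NotApplicable", None                     # 'and' is false
        # a predicate that evaluates to true is factored out: nothing to forward
    if not residual:
        return effect, None
    return effect, (effect, residual)


if __name__ == "__main__":
    # Requester's PDP: knows Frank's role but not the resource's clock.
    requester_knows = {"subject-id": "Frank", "subject-role": "ANL Staff",
                       "resource-id": "file:/net/bigsystem/", "action-id": "write"}
    decision, conditions = partial_evaluate(BIGSYSTEM_RULE, requester_knows)
    print(decision, conditions)
    # Resource manager's PDP: evaluates only the forwarded conditions (1pm).
    print(partial_evaluate(conditions, {"timeOfDayRangeAtResource": 13}))
```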