[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Modeling Delegation of Rights in a simplified XACML withHaskell
by this: /* What the model proposes is a delegation of rights model based on the notions that: * each access policy has an issuer associated with it * a policy issuer can indicate whether the permitted rights can be delegated to others or not * a policy issuer can specify the maximum number of delegates in a delegation chain that originates from its policy For a PDP to evaluate an authorization decision based on a request and a set of policies from potentially different issuers, the following PDP-policies have to be defined: * a root issuer (or maybe root issuers) have to be identified who are trusted in an absolute sense * a policy to combine decisions of different delegation depth * a policy to combine decisions that are associated with different issuers */ trying to get my arms around 'absolute sense' here. are you suggesting that there must be an explicit and/or federated issuer hierarchy (policy) defined for each PDP (that spans the domain)? otherwise i am not sure how this would work if two (or more) policies come from a remote server where one of those polices is issued by an author who was delegated rights by the issuer of the other policy (and there is conflict). i don't think that attaching delegation chain information to a policy itself would solve the problem since there could be a case where the issuer relationships may be unrelated to the rights associated with the policy but the PDP may still wish to provide dominance. (the problem i *think* that the "policy to combine decisions that are associated with different issuers" is attempting to address, but i fear could result in combinatorial explosion) take the case of tom and harry each being delegated rights to control access to abc by sue--making them peers WRT the policy itself--but harry is a corporate manager and achieves delegative authority in the case of 'ties'. in other words, i can envision all sorts of weird combinations of non-policy related issues affecting the pecking order. so, in addition to the information proposed with each policy it seems that there should be something that allows for conflict resolution. the only other options i can think of off the top of my head are: 1. that interPDP policy exchanges contain some sort of preamble with an unambiguous issuer hierarchy for that PDP (policy combination implied) or 2. a specific query is defined that allows a PDP to request the relationship between a given number of issuers (aka a 'tiebreaker' query) does this make sense? (without a white board i am more incoherent than usual :o) b
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]