Subject: RE: [xacml] Modeling Delegation of Rights in a simplified XACML with Haskell


Frank - Let me see if I've got this right ...

1. An XACML policy has an identified issuer.
2. Whether or not a subject is permitted to issue a policy can be stated as
an XACML policy (I'll call this an intermediate policy), which (in turn) has
an identified issuer.  The issuer of a policy is treated as the subject in
its immediate "upstream" policy.  So a chain is formed.  Valid chains
terminate with the PDP.
3. The subject of an intermediate policy can be identified by name or by any
other attribute.
4. The immediate downstream policy in a chain can be identified by name or
by its contents using our ResourceAttributeDesignator and
ResourceAttributeSelector mechanisms.
5. A combining algorithm will specify how the decisions from each of the
policies in a chain are to be combined to produce the ultimate access
decision.

Obviously, there are other subtleties.  But, I wanted to be sure I had this
coarse level correct before delving further.

Is an action specified in an intermediate policy?

What about delegated attributes?  Is this outside the scope of your
proposal?  Don't we need to solve this, too?

All the best.  Tim.

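Tim's five points, rendered as an added Haskell sketch for illustration; this is not Frank's model from the linked document, and the type and function names, the "issue" action, the chosen combining algorithm and the sample policies are all assumptions:

```haskell
type Subject = String
type Request = (Subject, String, String)  -- (subject, action, resource)
data Decision = Permit | Deny | NotApplicable deriving (Eq, Show)
-- Point 1: every policy names its issuer; the PDP is the trust root.
data Issuer = PDP | Principal Subject deriving (Eq, Show)
data Policy = Policy
  { name     :: String    -- point 4: downstream policies are referenced by name
  , issuer   :: Issuer
  , subject  :: Subject   -- point 3: a name here; any attribute in full XACML
  , action   :: String    -- "issue" in an intermediate policy (Tim's question)
  , resource :: String
  , effect   :: Decision
  } deriving Show
evalPolicy :: Policy -> Request -> Decision
evalPolicy p (s, a, r)
  | subject p == s && action p == a && resource p == r = effect p
  | otherwise = NotApplicable
-- Point 2: p's issuer is the subject of its upstream policy, which decides
-- "issue" on p. Walk upstream to the PDP; 'seen' stops cycles in the repository.
upstream :: [Policy] -> [String] -> Policy -> [[Decision]]
upstream repo seen p = case issuer p of
  PDP         -> [[]]
  Principal i -> [ d : ds
                 | q <- repo, name q `notElem` seen
                 , let d = evalPolicy q (i, "issue", name p), d /= NotApplicable
                 , ds <- upstream repo (name q : seen) q ]
-- Point 5: one possible combining algorithm (the thread leaves the choice open):
-- a leaf counts only if every upstream policy permitted its issuance; deny-overrides across leaves.
combineChain :: Decision -> [Decision] -> Decision
combineChain leaf ups = if all (== Permit) ups then leaf else NotApplicable
denyOverrides :: [Decision] -> Decision
denyOverrides ds
  | Deny `elem` ds   = Deny
  | Permit `elem` ds = Permit
  | otherwise        = NotApplicable
decide :: [Policy] -> Request -> Decision
decide repo req = denyOverrides
  [ combineChain leaf ups
  | p <- repo, let leaf = evalPolicy p req, leaf /= NotApplicable
  , ups <- upstream repo [name p] p ]
-- Constructed sample: the PDP lets alice issue "alice-policy"; alice lets bob
-- read file1; mallory's policy has no chain back to the PDP, so it is ignored.
repo :: [Policy]
repo =
  [ Policy "root"           PDP                   "alice"   "issue" "alice-policy" Permit
  , Policy "alice-policy"   (Principal "alice")   "bob"     "read"  "file1"        Permit
  , Policy "mallory-policy" (Principal "mallory") "bob"     "read"  "file2"        Permit ]
main :: IO ()
main = mapM_ (print . decide repo) [("bob", "read", "file1"), ("bob", "read", "file2")]
```

Running `main` evaluates bob's two requests; only a leaf policy whose issuance chains back to the PDP can contribute a decision, which is the property a delegation model needs to guarantee before any combining algorithm is applied.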

-----Original Message-----
From: Frank Siebenlist [mailto:franks@mcs.anl.gov]
Sent: Tuesday, November 18, 2003 2:12 AM
To: XACML TC
Subject: [xacml] Modeling Delegation of Rights in a simplified XACML with Haskell


Dear colleagues,

At the last F2F, we had extensive discussions about how delegation of rights and the associated admin of policy could be implemented in xacml.

At the very end of the F2F, we concluded that it was best to come up with a more "formal" way of describing the different ideas, such that it is easier to reason about and to discuss the underlying model.

After Polar came out with his "The Formal Semantics of XACML" paper, he convinced me that the use of a pure functional language may be a good way to explain and discuss new xacml language features, like delegation.

So, I started to model a subset of xacml in haskell, and to see how delegation schemes would be rendered in that environment.

You can find the current snapshot of that work at:
http://www-unix.mcs.anl.gov/~franks/haskell/XacmlDelegationHaskell0.html

I realize that most of you are new to haskell, but my hope is that because I myself am a haskell novice also, that I could pull some of you along the same learning curve that is reflected in the document. I've tried to add complexity to the model gradually in stages as I was trying to get my mind around the problem. So, if your mind works a little like mine, you may be able to learn with me. If you have a normal mind, then you may be out of luck ;-)

Please note that nothing is set in stone, there are still some issues to work out, and suggestions and comments are most welcome.

Enjoy, Frank.

-- 
Frank Siebenlist               franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
