Subject: [Fwd: [xacml] Re: XACML Policy Model]
Colleagues,

Bill Parducci suggested that this response describing the formal XACML policy model (not the formal semantics of the language) might be good to add to our TC FAQ. What is the consensus of the group? If we decide to add it, what corrections or improvements should be made? Can we go further and say XACML is basically a 1st order logic language?

Regards,
Anne

--
Anne H. Anderson Anne.Anderson@sun.com
Sun Microsystems Labs 1-781-442-0928
Burlington, MA USA
--- Begin Message ---
- From: Anne Anderson <Anne.Anderson@sun.com>
- To: Mine Altunay <maltuna@unity.ncsu.edu>
- Date: Thu, 09 Mar 2006 12:03:20 -0500
XACML does not fall neatly into any particular logical category. At the most abstract level, very roughly, an XACML policy is a Boolean combination of predicates, each of which is a functional constraint on the values of a set of variables being evaluated (or on the results of other functional constraints and transformation functions).

The standard functional constraints include simple Boolean comparison functions (X > 5, X == "abc"), higher-order functions (all/at least one/... values of X Boolean-function-variable all/at least one/... values in {"abc", "xyz"}, etc.), regular expression matches, type-specific matches (such as matching X500 Distinguished Names), etc. The values used in the constraint functions may themselves be other variables, results of other constraint functions or of various arithmetic and transformation functions (X > (5 + Y), toUpperCase(X) == "ABC"), etc.

Users are free to define new functional constraints, but XACML itself does not provide a language for expressing functions: users must describe/implement the semantics of the function and then reference it using a unique identifier. The XACML language itself deals with evaluating parameters to the function and dealing with the results of evaluating the function. The variables used in constraint and other functions can be pointers into XML documents or discrete named variables.

XACML's "combining algorithms", used to combine results from sub-policies, can be arbitrarily complex. The standard ones include deny-overrides (roughly Boolean AND) and permit-overrides (roughly Boolean XOR), but users are free to write more complex algorithms that might take into account parameters associated with each sub-policy, for example.

The standard combining algorithms are not simple Boolean operators because we need to handle 4 types of values resulting from policy evaluation: true and false, but also "Indeterminate" (error), and "NotApplicable" (the policy or rule does not apply to the supplied set of variables).

Perhaps others on the list can elaborate or be more specific (or more correct :-)

Regards,
Anne Anderson

Mine Altunay wrote On 03/09/06 10:52,:
> Dear list
> Is there a published paper explaining the formal policy model of XACML.
> For example, the formal specification of the rules that can be specified
> by XACML.
>
> I have read and worked with Sun's implementation of XACML engine. I am
> also fairly familiar with simple policy statements that can be expressed
> within XACML. However, my experience is far from being sufficient to
> understand the underlying policy model completely.
>
> A formal policy model would make it very much easier for me to grasp the
> finer points of XACML, and how we can use/enhance XACML for representing
> complicated rule sets.
>
> I have also seen the OASIS Technical Committee for Policy Model.
> However, I could not download any of the posted documents due to 404
> errors. I believe this committee is already closed. I would appreciate to
> know if they published reports from this committee somewhere else
>
> Any help is highly appreciated Best Regards,
> Mine Altunay
>
> Computer Eng Dept
> NC State Univ

--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories 1 Network Drive, UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
--- End Message ---
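The four-valued combining the forwarded message describes, as an added example that is not part of the thread or of any XACML implementation: rules are predicates over request attributes yielding Permit, Deny, NotApplicable or Indeterminate, and deny-overrides / permit-overrides are shown as a simplified priority ordering (assumed here: the overriding effect, then Indeterminate, then the other effect, then NotApplicable), not the exact normative algorithms. The rules and requests are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, List


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"  # the rule's predicate does not hold for this request
    INDETERMINATE = "Indeterminate"   # evaluation error, e.g. a referenced attribute is missing


@dataclass
class Rule:
    """A rule is a predicate over the request's variables plus the effect it yields when true."""
    name: str
    condition: Callable[[Dict[str, object]], bool]
    effect: Decision  # Decision.PERMIT or Decision.DENY


def evaluate_rule(rule: Rule, request: Dict[str, object]) -> Decision:
    """Map a predicate's outcome onto the four XACML result values."""
    try:
        return rule.effect if rule.condition(request) else Decision.NOT_APPLICABLE
    except (KeyError, TypeError):  # missing or ill-typed variable -> error, not 'false'
        return Decision.INDETERMINATE


def combine(decisions: Iterable[Decision], overriding: Decision, other: Decision) -> Decision:
    """Simplified overriding combiner (assumption, see lead-in): first matching value wins."""
    seen = set(decisions)
    for candidate in (overriding, Decision.INDETERMINATE, other):
        if candidate in seen:
            return candidate
    return Decision.NOT_APPLICABLE


def deny_overrides(decisions: Iterable[Decision]) -> Decision:
    return combine(decisions, Decision.DENY, Decision.PERMIT)


def permit_overrides(decisions: Iterable[Decision]) -> Decision:
    return combine(decisions, Decision.PERMIT, Decision.DENY)


# Constructed rule set: owners may read their own resource; nothing is allowed after 18:00.
RULES: List[Rule] = [
    Rule("owner-may-read", lambda r: r["subject"] == r["owner"] and r["action"] == "read", Decision.PERMIT),
    Rule("no-access-after-hours", lambda r: r["hour"] >= 18, Decision.DENY),
]


def decide(request: Dict[str, object], combiner=deny_overrides, rules: List[Rule] = RULES) -> Decision:
    """Evaluate every rule against the request and combine the four-valued results."""
    return combiner(evaluate_rule(rule, request) for rule in rules)
```

With the "hour" attribute absent, the after-hours rule is Indeterminate rather than false, so deny-overrides yields Indeterminate while permit-overrides still yields Permit; plain Boolean AND/XOR over true/false cannot express that difference.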