Subject: Re: [xacml] Question on xacml 2.0 - multiple action-id Request/Action elements
Hi Craig,

I would think, in general, that the Request is intended to be for "read" AND "write", although I do not believe that it is necessary to imply this, since the xacml spec does not address it directly, afaik. However, from a purely logistical plain language point of view, I would assume that this was a Request for a Decision to allow the subject to read and/or write to the resource. All XACML does is answer the question; it does not, in general, know "how" the subject is going to use the results of the Decision, so I would assume a conservative Policy would look at the "worst" case scenario and be designed to process that worst case and give maximum protection, i.e. the Policy should assume the Subject will use the Decision to do anything possible based on the contents of the Request.

Some systems might be designed so that every Request is a one-shot deal where the Subject makes the Request, uses it once, and then, if the Subject wants to use the Resource again, the Subject would have to make another Request. Other systems might take more of a "session" perspective and allow the Subject to use the Decision for any number of actions while the presumably "application-controlled session" is still in progress.

My understanding is that XACML was designed to be as flexible as possible, and so I do not believe either interpretation in the previous paragraph is the "correct" one. I think either is equally as good.

But, in any event, the reason for my original question is that it was suggested to me that multiple <Attribute AttributeId="...action:action-id"> elements were not allowed in XACML. That did not sound correct to me technically, based on what I said in the original email, and if I then take the assumption that technically it is allowed, I find nothing particularly wrong with it from a common sense Policy design perspective either.
I do want, however, to unambiguously say that it is allowed, so that the people who asked me about it can feel comfortable moving ahead doing design on that basis. So, if there is any restriction somewhere that is normative in nature, or that would cause anyone to say it is not allowed, it would be useful to know. I may even suggest some text to add to the spec to remove any possible ambiguity in this matter. For example, in section 6.3 there is text that to me unambiguously indicates that resource-id can have multiple values in a single Request. Also in the RSA Interop, the HL7 permission-id attribute had multiple instances. I am sure each of these has its own justification; however, the point is that there is no justification to disallow any of this behavior, which is the definitive result I am looking to get at here.

Thanks,
Rich

Craig Forster wrote:
> Hi all,
>
> I don't think it's disallowed explicitly, but writing policy to handle it
> well would be difficult.
>
> For example, say the policy has Permit for "read" but no policy allowing
> "write" (but not Deny either). The request, IMO, is asking "can I read AND
> write this resource?". Should the request be permitted? The policy would
> return Permit, even though it really should return NotApplicable.
>
> The provisions to handle multiple Resources as separate requests are for
> this type of scenario.
>
> Thoughts?
>
> Regards,
> Craig
>
> ---
> craig forster | staff software engineer
> ibm australia development labs
>
> > From: Erik Rissanen <erik@axiomatics.com>
> > To: "Rich.Levinson" <rich.levinson@oracle.com>
> > Cc: xacml <xacml@lists.oasis-open.org>
> > Date: 18/09/2008 03:19
> > Subject: Re: [xacml] Question on xacml 2.0 - multiple action-id Request/Action elements
> >
> > I don't recall anything in the standard which disallows it. Anyone else?
> > And I don't see any reason for disallowing it either.
> >
> > /Erik
> >
> > Rich.Levinson wrote:
> > > I have been asked whether a Request/Action element can
> > > contain more than one <Attribute AttributeId="...action:action-id">
> > > element:
> > >
> > > For example, what would be wrong with Example 4.1.2 having
> > > the following:
> > >
> > > <Action>
> > >   <Attribute
> > >     AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
> > >     DataType="http://www.w3.org/2001/XMLSchema#string">
> > >     <AttributeValue>read</AttributeValue>
> > >     <AttributeValue>write</AttributeValue>
> > >   </Attribute>
> > > </Action>
> > >
> > > Apparently, some have the opinion this is not
> > > allowed. I think that opinion is mistaken, because I have not found
> > > any reason that this is disallowed. Is there anything that forces
> > > us to only have one value for action-id?
> > >
> > > Thanks,
> > > Rich
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe from this mail list, you must leave the OASIS TC that
> > > generates this mail. Follow this link to all your TCs in OASIS at:
> > > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
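The policy-design point Craig and Rich are debating can be made concrete. The Python model below is an added illustration, not code from this thread or from any XACML implementation; it models only the action-id bag and hard-codes one rule per design. It assumes XACML 2.0 Target match semantics (an ActionMatch is True when the MatchId function holds for at least one value in the designated bag), and it uses the spec's string-subset function as the Condition for the conservative "worst case" policy Rich describes; the third design is the PEP-side split into single-valued requests that Craig's remark about multiple Resources points to.

```python
# Added illustration (not code from the thread or from any XACML engine):
# a toy model of how a PDP treats the multi-valued action-id bag
# {read, write} under three policy designs.

from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Request:
    """The bag of values carried by <Attribute AttributeId=...action-id>."""
    actions: frozenset


def target_match(match_value, bag):
    """XACML 2.0 Match evaluation: an ActionMatch is True if the MatchId
    function (here string-equal) holds for at least one element of the
    bag returned by the AttributeDesignator. The match is existential."""
    return any(match_value == v for v in bag)


def policy_any_match(req):
    """Design 1 (Craig's scenario): one Rule, Effect Permit, whose Target
    is <ActionMatch> string-equal "read". Nothing in the policy examines
    "write", yet the bag {read, write} matches and Permit is returned."""
    return PERMIT if target_match("read", req.actions) else NOT_APPLICABLE


def policy_subset(req, permitted=frozenset({"read"})):
    """Design 2 (the conservative policy Rich argues for): the Rule adds a
    Condition string-subset(action-id bag, permitted bag), so Permit is
    issued only when every requested action is in the permitted set."""
    if req.actions and req.actions <= permitted:
        return PERMIT
    return NOT_APPLICABLE


def pep_split_and_combine(req, pdp=policy_any_match):
    """Design 3: the PEP never sends a multi-valued Action. It issues one
    single-valued request per action (the same idea as handling multiple
    Resources as separate requests) and combines the decisions
    deny-overrides style: any Deny wins, otherwise all must be Permit."""
    decisions = [pdp(Request(frozenset({a}))) for a in sorted(req.actions)]
    if DENY in decisions:
        return DENY
    if decisions and all(d == PERMIT for d in decisions):
        return PERMIT
    return NOT_APPLICABLE


def decide_all(actions):
    """Evaluate one action bag under all three designs for comparison."""
    req = Request(frozenset(actions))
    return {
        "any_match": policy_any_match(req),
        "subset": policy_subset(req),
        "split": pep_split_and_combine(req),
    }


if __name__ == "__main__":
    # Constructed sample bags, including the {read, write} case from the thread.
    for bag in ({"read"}, {"read", "write"}, {"write"}):
        print(sorted(bag), decide_all(bag))
```

For the bag {read, write}, design 1 returns Permit while designs 2 and 3 return NotApplicable, which is the divergence Craig describes; for {read} alone all three agree on Permit. Whichever design a deployment chooses, the point for a policy author is that Target matching over a multi-valued bag is existential, so a policy that only names the permitted action will match a request that also carries actions it never considered.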