Re: [xacml] FW: some little questions

[Erik Rissanen <erik@axiomatics.com>]

Jan,

I was involved in the design of the administration profile. It is as Hal 
says that it is difficult to provide access control using XACML/CRUD if 
one wants to restrict the scope of administrative rights. It might be 
possible to implement XACML/CRUD, but I have found it to be difficult 
understand the safety of these kind of models. Academic research has 
shown that many (most?) protection models are undecidable. It would be 
an interesting research question to study whether it would be possible 
to design an XACML/CRUD model with certain limitations which makes it safe.

And the main reason why reduction is an policy decision time process 
instead of a administration time process is that in general it is very 
difficult to implement comparison of two XACML policies to implement the 
restriction of policy scope feature. With an administration time process 
it would be necessary to compare two XACML policies to check whether one 
of them is a subset of another in their scope. At decision time it is a 
simple matter of simply evaluating both policies and checking that they 
both say permit, by which the end result is that administrative scope is 
restricted.

In some cases the delegation model might be overkill. If you have a 
bunch of trusted administrators who should be allowed to do anything, it 
could be simpler to use XACML or any simple access control list to 
control access there.

Another simple approach to separate administrative scope is to use 
entirely separate PDP instances which are used for different resources.

Best regards,
Erik



Harold Lockhart wrote:
> Perhaps I gave the wrong impression about protecting a policy repository.
>  
> During the discussons which led to XACML 3.0 it was pointed out that 
> with XACML 2.0 (or any version really) you can protect operations such 
> as CRUD on a repository. However this approach would not let you 
> control the scope of capabilities of a person editing policies.
>  
> I suppose we could have consider using XPATH functions to introspect 
> policy contents, but I think the result would have made it very hard 
> to understand the intent of administrative policies.
>  
> For whatever reasons this approach was not seriously considered and 
> instead we chose the scheme you see in the Admin Profile.
>  
> Influenced by the requirement to be allowed to provide policies along 
> with the request, we formulated Reduction as a policy decision time 
> process instead of an administration time process. Since the current 
> scheme allows access policies and their enabling administrative 
> polices to reference distinct attributes, there is no good way to 
> determine if an access policy is in force, except in the context of a 
> particular decision.
>  
> Hal
>
>     -----Original Message-----
>     *From:* Harold Lockhart
>     *Sent:* Thursday, July 16, 2009 10:20 AM
>     *To:* xacml@lists.oasis-open.org
>     *Subject:* [xacml] FW: some little questions
>
>      
>     -----Original Message-----
>     *From:* Jan Herrmann [mailto:herrmanj@in.tum.de]
>     *Sent:* Thursday, July 16, 2009 8:43 AM
>     *To:* Harold Lockhart
>     *Subject:* some little questions
>
>     Hello Hal,
>
>     I modified the slides from the Boston meeting a little bit to
>     focus the things that might be of interest for your group.
>
>     Now I am wondering how you usually do presentations during your
>     telecons. Are you using google docs or special tools like team viewer?
>
>     Another question: In Boston you mentioned that a couple of years
>     ago the XACML TC discussed how to administrate XACML policies. You
>     mentioned that using XACML itself to do control access to a PAP
>     Web Service was rejected and instead the mechanism described in
>     the new delegation profile was preferred. Are their any internal
>     documents talking about the reasoning behind this decision?
>
>     Talk to you later.
>
>     greets
>
>     jan
>
>      
>
>     ________________________________________
>
>     Jan Herrmann
>     Dipl.-Inform., Dipl.-Geogr. 
>
>     wissenschaftlicher Mitarbeiter
>
>     Technische Universität München
>     Institut für Informatik
>
>     Lehrstuhl für Angewandte Informatik / Kooperative Systeme
>
>     Boltzmannstr. 3
>     85748 Garching
>
>     Tel:      +49 (0)89 289-18692
>     Fax:     +49 (0)89 289-18657
>     www11.informatik.tu-muenchen.de
>     <outbind://8-00000000E95EB49608892D41BB762B4A0356A3FD844D2000/www11.informatik.tu-muenchen.de>
>     ________________________________________
>
>      
>