Subject: Re: [xacml] Attribute predicate profile for SAML and XACML


Hi Ray,

As discussed during the last call, I think the answer to your question is yes, if I correctly understand authorization-based access control (ZBAC) as follows. A user from domain A wants to access a resource hosted in domain B. In classical attribute-based access control (ABAC), domain B fetches the user's attributes from domain A and checks whether the policy associated with the resource is satisfied. In ZBAC, it is domain A that checks whether the user's attributes satisfy the policy. Our attribute predicate profile could indeed be used by domain B to send the policy (predicate) to domain A, who evaluates the predicate and certifies to B whether it holds or not.

There are two points in the approach that I don't quite understand though, which may mean that my above understanding is incorrect:
  • How is the resource's access policy, which is probably authored by domain B, communicated to domain A?
  • The summary of [1] mentions that "ABAC requires agreement on the meaning of attributes, and the implications of changing a user’s attributes are not clear. ZBAC addresses those problems while requiring few changes to the underlying system."
    In our profile, both sides still have to agree on AttributeIds to understand which predicate they're talking about. I do not see how ZBAC could avoid such agreement, however.
Best,
Greg
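The exchange Greg describes above (domain B ships the predicate to domain A, domain A evaluates it against the user's attributes and attests only the outcome, domain B checks the attestation), as an added example that is not part of the original thread or of the profile draft. Everything concrete in it is an assumption made for the illustration: the AttributeIds, the predicate tree and its JSON encoding, the attribute store, and the shared HMAC key standing in for the signature an attribute authority would put on its statement; the actual profile expresses the predicate and the attestation as SAML/XACML constructs, not as this JSON. What the code shows beyond the prose: domain B never receives the attribute values, the attestation is bound to one request (nonce) and one predicate (digest) so an answer cannot be replayed against a different resource, and an AttributeId that domain A does not hold yields "indeterminate" rather than a grant, which is exactly the point about agreeing on AttributeIds.

```python
"""Attribute-predicate exchange between two domains (constructed example).

Domain B (resource host) sends a predicate over agreed AttributeIds to domain A
(the user's home domain); A evaluates it against the user's attributes and
returns an attested true/false/indeterminate; B verifies and decides.
"""
import hashlib
import hmac
import json
import secrets

# Vocabulary both domains must agree on (assumed identifiers for the example).
ATTR_DEPARTMENT = "urn:example:attribute:department"
ATTR_CLEARANCE = "urn:example:attribute:clearance"

# Stand-in for the trust between the domains: a shared HMAC key. The profile
# itself would carry a signature by domain A's attribute authority instead.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed attribute store that only domain A can see.
DOMAIN_A_ATTRIBUTES = {
    "alice@a.example": {ATTR_DEPARTMENT: "engineering", ATTR_CLEARANCE: 3},
    "bob@a.example": {ATTR_DEPARTMENT: "sales", ATTR_CLEARANCE: 4},
}

# Constructed policy for a resource in domain B, written as a predicate tree.
RESOURCE_POLICY = {"and": [{"eq": [ATTR_DEPARTMENT, "engineering"]},
                           {"ge": [ATTR_CLEARANCE, 2]}]}


def evaluate_predicate(predicate, attributes):
    """Return True, False, or None (indeterminate) for a predicate tree.

    A leaf naming an AttributeId the subject does not have is indeterminate.
    Combination follows XACML: 'and' is False if any operand is False, 'or' is
    True if any operand is True; otherwise an indeterminate operand wins.
    """
    (op, args), = predicate.items()
    if op in ("and", "or"):
        results = [evaluate_predicate(p, attributes) for p in args]
        decisive = False if op == "and" else True
        if decisive in results:
            return decisive
        return None if None in results else not decisive
    if op == "not":
        r = evaluate_predicate(args, attributes)
        return None if r is None else not r
    attr_id, expected = args
    if attr_id not in attributes:
        return None  # vocabulary mismatch or attribute not held: no verdict
    actual = attributes[attr_id]
    if op == "eq":
        return actual == expected
    if op == "ge":
        return actual >= expected
    if op == "in":
        return actual in expected
    raise ValueError(f"unsupported operator {op!r}")


def canonical(obj):
    """Deterministic encoding so both domains hash and MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def predicate_digest(predicate):
    return hashlib.sha256(canonical(predicate)).hexdigest()


def domain_b_build_request(subject, predicate):
    """Domain B: ask domain A whether the predicate holds for the subject."""
    return {"subject": subject, "predicate": predicate,
            "nonce": secrets.token_hex(16)}


def domain_a_answer(request, attribute_store):
    """Domain A: evaluate locally, attest the outcome, reveal no attributes."""
    attributes = attribute_store.get(request["subject"], {})
    result = evaluate_predicate(request["predicate"], attributes)
    statement = {
        "subject": request["subject"],
        "predicate_digest": predicate_digest(request["predicate"]),
        "nonce": request["nonce"],  # binds the answer to this one request
        "holds": {True: "true", False: "false", None: "indeterminate"}[result],
    }
    mac = hmac.new(SHARED_KEY, canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "mac": mac}


def domain_b_accept(request, response):
    """Domain B: grant only on an authentic, fresh, matching 'true' statement."""
    statement = response["statement"]
    expected = hmac.new(SHARED_KEY, canonical(statement), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["mac"]):
        return False  # forged, or modified after domain A produced it
    if statement["nonce"] != request["nonce"]:
        return False  # replay of an answer to some other request
    if statement["predicate_digest"] != predicate_digest(request["predicate"]):
        return False  # answer is about a different predicate (other resource)
    if statement["subject"] != request["subject"]:
        return False
    return statement["holds"] == "true"  # indeterminate is never a grant


def run_exchange(subject, predicate=RESOURCE_POLICY):
    """Full round trip; returns (access granted, what domain A attested)."""
    request = domain_b_build_request(subject, predicate)
    response = domain_a_answer(request, DOMAIN_A_ATTRIBUTES)
    return domain_b_accept(request, response), response["statement"]["holds"]


if __name__ == "__main__":
    for who in ("alice@a.example", "bob@a.example", "carol@a.example"):
        print(who, run_exchange(who))
```

Running the module prints one line per constructed user: alice is granted, bob is refused on a definite "false", and carol, unknown to domain A, gets "indeterminate" and is refused. Note that the first question in Greg's list (how the policy gets to domain A) is answered here only trivially, by putting the predicate in the request; the example takes no position on how a real deployment would carry it.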

On 4/29/2011 10:24, remon.sinnema@emc.com wrote:
Gregory & Franz-Stefan,

Could this profile also be used to implement ZBAC [1]?

[1] http://www.hpl.hp.com/techreports/2009/HPL-2009-30.pdf

Thanks,
Ray


-----Original Message-----
From: Gregory Neven [mailto:nev@zurich.ibm.com]
Sent: Wednesday, March 23, 2011 10:25 AM
To: xacml@lists.oasis-open.org
Subject: [xacml] Attribute predicate profile for SAML and XACML

Dear all,

Please find attached a first draft of the attribute predicate profile
that we've been discussing during the telephone conferences. Looking
forward to your feedback!

Best regards,
Gregory and Franz-Stefan