Re: [xacml] F2F Agenda Topics

[rich levinson <rich.levinson@oracle.com>]

Hi Martin,

I agree with your characterization of this use case as an essential capability.
As David described it:

"In an enterprise, policy admin is usually distributed among different
  organizational units, ranging from small workgroups to the
  corporate level.
  For a given decision request, there may be multiple applicable
  policies that are created by different admin authorities.
  These policies may not know the existence of each other, and may
  not be encapsulated in a single policyset.
  We need a broader model for combining algm to resolve conflict
  in this case. "

I submit that the XACML 3.0 Hierarchical Profile has been restructured such
that such use cases are the expected practice. Namely, that multiple hierarchies
can be defined over a common set of resources.
Once the hierarchies are independently defined, then the only issue left is
to "combine the roots" to determine which of the possibly conflicting decisions
will apply.
For example, consider a physical laptop as an enterprise resource. Governance
over this laptop may include several interested parties: the employee who has
been granted use of the laptop; an IT maintenance person who has been
granted authority over allowed configurations on the laptop, etc. The employee
may want to use the laptop for a specific purpose, whereas the facilities manager
may say that is not allowed. This decision may go up several levels of the mgmt
chain and finally reach a point where the eng vp says yes, but the IT vp says no,
and the CEO does not know enough about the problem to render a decision.
Therefore, the next step might be that the eng vp and IT vp are required to
meet and to come up w an appropriate decision.
Situations like this can be addressed by hierarchical profile where there is an
eng hierarchy and an IT hierarchy, where the hierarchy in eng is based on the
org structure, as is the IT hierarchy. The laptops as resources have hierarchical
identifiers for both hierarchies, and independent policies exist for each hierarchy.
When the decisions are in conflict then one can define a top-level PolicySet that
contains the roots of both hierarchies and apply a combining algorithm
appropriate for resolving the decision.
The structure that enables this capability is the "forest", which is a disjoint set
of single-rooted hierarchical trees. When the hierarchies in the forest are combined
over the common set of resources, the structure is known as a "polyarchy".
The XACML 3.0 Hierarchical profile has been updated explicitly to make this
relationship clear and to remove the unnecessary restrictions in 2.0 that limited
the profile to DAGs, which are not appropriate to address this problem.

    Thanks,
    Rich




On 6/17/2011 5:44 PM, Smith, Martin wrote:

1A9AAD9D775C824191A01868212F2A0905445754@ZAU1UG-0312.DHSNET.DS1.DHS" type="cite">

This is a capability we (DHS and others) are very interested in.
Whether it is an XACML standards issue or not is debatable (vs. a
"tools" issue) but I note that a good deal of the overall Security TC
work is based on a unifying architectural model of access control that
is beyond the scope of the SAML or XACML standards themselves. So I hope
we can identify someone to tackle the requirement . . .

Regards,
Martin


Martin F. Smith
Director, National Security Systems
US Department of Homeland Security
NAC 19-204-47
(202) 447-3743 desk
(202) 441-9731 mobile


-----Original Message-----
From: xacml-return-2710-martin.smith=dhs.gov@lists.oasis-open.org
[mailto:xacml-return-2710-martin.smith=dhs.gov@lists.oasis-open.org] On
Behalf Of Tyson, Paul H
Sent: Friday, June 17, 2011 5:35 PM
To: david.choy@emc.com; bill@parducci.net; xacml@lists.oasis-open.org
Subject: RE: [xacml] F2F Agenda Topics

This sounds like a very strange business case, and I don't see how XACML
can help.

It does not appear to be a rational model for policy development if
independent groups are making rules concerning potentially overlapping
instances of subject/resource/action.  That is anarchy, not federation.

And even if some enterprises find it useful to develop policies that
way, the PDP implementation should allow specifying one of the existing
policy-combining algorithms (or a custom one) at the notional "root" of
the policy tree.

Regards,
--Paul

-----Original Message-----
From: david.choy@emc.com [mailto:david.choy@emc.com]
Sent: Friday, June 17, 2011 15:38
To: bill@parducci.net; xacml@lists.oasis-open.org
Subject: RE: [xacml] F2F Agenda Topics

I'd like to add another topic to the agenda list: combining algorithm
for a distributed admin environment.

Currently, combining algm is specified only within a container (a
policy or a policy set). In an enterprise, policy admin is usually
distributed among different organizational units, ranging from small
workgroups to the corporate level. For a given decision request, there
may be multiple applicable policies that are created by different

admin

authorities. These policies may not know the existence of each other,
and may not be encapsulated in a single policyset. We need a broader
model for combining algm to resolve conflict in this case. I'll be

glad

to give an example at the F2F.

David

-----Original Message-----
From: Bill Parducci [mailto:bill@parducci.net]
Sent: Friday, June 17, 2011 6:46 AM
To: XACML TC
Subject: [xacml] F2F Agenda Topics

With the F2f rapidly approaching, we need to start nailing down the
agenda. In the past we have chunked up the discussion topics so that

we

can make sure to cover as many of them as possible, while driving the
largest/most difficult issues to completion as the primary driver. To
that end I would like to propose that we again break the days in half
thus and then dissect from there as needed:

 Tuesday 8-12
 Tuesday 1-5
 Wednesday 8-12
 Wednesday 1-5
 Thursday 8-12

Below is a non-exhaustive list of open issues.

  Attribute Predicate
  BTG
  PIP Directive
  JSON Profile
  Obligation/Advice Combining
  PAP Interface
  RSA Interop
  "Web Friendly" Policy Ids
  "Sticky" Policies
  XACML Metadata Schema

I suggest that we begin by fleshing out this list, then prioritize and
schedule those topics that have the most interest and will have
champions in attendance. My goal is to have a candidate agenda for the
TC call next Thursday so please take a few moments to chime in with
your thoughts.

thanks

b
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php



---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php