[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] F2F Agenda Topics
Hi Martin, I agree with your characterization of this use case as an essential capability. As David described it: "In an enterprise, policy admin is usually distributed among differentI submit that the XACML 3.0 Hierarchical Profile has been restructured such that such use cases are the expected practice. Namely, that multiple hierarchies can be defined over a common set of resources. Once the hierarchies are independently defined, then the only issue left is to "combine the roots" to determine which of the possibly conflicting decisions will apply. For example, consider a physical laptop as an enterprise resource. Governance over this laptop may include several interested parties: the employee who has been granted use of the laptop; an IT maintenance person who has been granted authority over allowed configurations on the laptop, etc. The employee may want to use the laptop for a specific purpose, whereas the facilities manager may say that is not allowed. This decision may go up several levels of the mgmt chain and finally reach a point where the eng vp says yes, but the IT vp says no, and the CEO does not know enough about the problem to render a decision. Therefore, the next step might be that the eng vp and IT vp are required to meet and to come up w an appropriate decision. Situations like this can be addressed by hierarchical profile where there is an eng hierarchy and an IT hierarchy, where the hierarchy in eng is based on the org structure, as is the IT hierarchy. The laptops as resources have hierarchical identifiers for both hierarchies, and independent policies exist for each hierarchy. When the decisions are in conflict then one can define a top-level PolicySet that contains the roots of both hierarchies and apply a combining algorithm appropriate for resolving the decision. The structure that enables this capability is the "forest", which is a disjoint set of single-rooted hierarchical trees. When the hierarchies in the forest are combined over the common set of resources, the structure is known as a "polyarchy". The XACML 3.0 Hierarchical profile has been updated explicitly to make this relationship clear and to remove the unnecessary restrictions in 2.0 that limited the profile to DAGs, which are not appropriate to address this problem. Thanks, Rich On 6/17/2011 5:44 PM, Smith, Martin wrote: 1A9AAD9D775C824191A01868212F2A0905445754@ZAU1UG-0312.DHSNET.DS1.DHS" type="cite">This is a capability we (DHS and others) are very interested in. Whether it is an XACML standards issue or not is debatable (vs. a "tools" issue) but I note that a good deal of the overall Security TC work is based on a unifying architectural model of access control that is beyond the scope of the SAML or XACML standards themselves. So I hope we can identify someone to tackle the requirement . . . Regards, Martin Martin F. Smith Director, National Security Systems US Department of Homeland Security NAC 19-204-47 (202) 447-3743 desk (202) 441-9731 mobile -----Original Message----- From: xacml-return-2710-martin.smith=dhs.gov@lists.oasis-open.org [mailto:xacml-return-2710-martin.smith=dhs.gov@lists.oasis-open.org] On Behalf Of Tyson, Paul H Sent: Friday, June 17, 2011 5:35 PM To: david.choy@emc.com; bill@parducci.net; xacml@lists.oasis-open.org Subject: RE: [xacml] F2F Agenda Topics This sounds like a very strange business case, and I don't see how XACML can help. It does not appear to be a rational model for policy development if independent groups are making rules concerning potentially overlapping instances of subject/resource/action. That is anarchy, not federation. And even if some enterprises find it useful to develop policies that way, the PDP implementation should allow specifying one of the existing policy-combining algorithms (or a custom one) at the notional "root" of the policy tree. Regards, --Paul-----Original Message----- From: david.choy@emc.com [mailto:david.choy@emc.com] Sent: Friday, June 17, 2011 15:38 To: bill@parducci.net; xacml@lists.oasis-open.org Subject: RE: [xacml] F2F Agenda Topics I'd like to add another topic to the agenda list: combining algorithm for a distributed admin environment. Currently, combining algm is specified only within a container (a policy or a policy set). In an enterprise, policy admin is usually distributed among different organizational units, ranging from small workgroups to the corporate level. For a given decision request, there may be multiple applicable policies that are created by differentadminauthorities. These policies may not know the existence of each other, and may not be encapsulated in a single policyset. We need a broader model for combining algm to resolve conflict in this case. I'll begladto give an example at the F2F. David -----Original Message----- From: Bill Parducci [mailto:bill@parducci.net] Sent: Friday, June 17, 2011 6:46 AM To: XACML TC Subject: [xacml] F2F Agenda Topics With the F2f rapidly approaching, we need to start nailing down the agenda. In the past we have chunked up the discussion topics so thatwecan make sure to cover as many of them as possible, while driving the largest/most difficult issues to completion as the primary driver. To that end I would like to propose that we again break the days in half thus and then dissect from there as needed: Tuesday 8-12 Tuesday 1-5 Wednesday 8-12 Wednesday 1-5 Thursday 8-12 Below is a non-exhaustive list of open issues. Attribute Predicate BTG PIP Directive JSON Profile Obligation/Advice Combining PAP Interface RSA Interop "Web Friendly" Policy Ids "Sticky" Policies XACML Metadata Schema I suggest that we begin by fleshing out this list, then prioritize and schedule those topics that have the most interest and will have champions in attendance. My goal is to have a candidate agenda for the TC call next Thursday so please take a few moments to chime in with your thoughts. thanks b --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]