From: rich levinson [mailto:rich.levinson@oracle.com]
Sent: Tuesday, July 23, 2013 1:14 PM
To: Mohammad Jafari
Cc: xacml@lists.oasis-open.org
Subject: Re: [xacml] subject categories
Hi Mohammad,
I am not sure I understand the full extent of your question w/o more context
as to what you are trying to achieve.
However, it does seem to me that the defns in the core spec, which were also
in the 2.0 spec seem fairly obvious, so possibly you missed it in section B.2,
lines 5183-5200:
"Attributes previously placed in the Subject section of a request are placed in an attribute category which is identical to the subject category in XACML 2.0, as defined below. It is RECOMMENDED that they are used to list attributes of subjects when authoring XACML 3.0 policies or requests.
This identifier indicates the system entity that initiated the access request.
That is, the initial entity in a request chain.
If subject category is not specified in XACML 2.0, this is the default translation value.
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
This identifier indicates the system entity that will receive the results of the request
(used when it is distinct from the access-subject).
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject
This identifier indicates a system entity through which the access request was passed.
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject
This identifier indicates a system entity associated with a local or remote codebase
that generated the request.
Corresponding subject attributes might include the URL from which it was loaded
and/or the identity of the code-signer.
urn:oasis:names:tc:xacml:1.0:subject-category:codebase
This identifier indicates a system entity associated with the computer that initiated the access request.
An example would be an IPsec identity.
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine"
Note that the language in the defns uses the term "system entity" to describe these
different "categories" of subject. This should be taken to mean a distinct "entity",
whether it be a human actor or a physical machine.
Personally, I interpret "category" to mean a type of object, which probably could
be characterized semantically by its own set of allowable attributes. Basically,
I consider the "category" a collection of attributes with some enterprise or organization
semantic meaning, as in this collection of attributes are about "something" where
"something" is the business or system or organization "entity" that warrants
being described by this particular collection of attributes. (Please pardon the
verbose abstraction language I am using as it is intended to be generic and
not assuming any particular concrete representation wrt "entities".)
So, I think the original xacml authors were not trying to specify
exactly what the different subject subcategories were actually
about, but just giving an indication of a suggested way in which
they could be used to characterize entities in the overall network
that might be of interest for particular security use cases.
Hope this helps,
Thanks,
Rich
On 7/22/2013 11:09 PM, Mohammad Jafari wrote:
Hello,
As we are trying to update the XSPA XACML profiles, one of the tasks is to support XACML version 3. I noticed that for “subject” attributes, there are now 4 different categories defined in the core. The mandatory category:
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
and the optional categories:
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine
But the core does not provide any definition or discussion about the differences between these categories. I was wondering if anyone can comment about the differences or refer me to a definition so that we can make a better decision on
which category to use for which attributes.
Thanks.
Regards,
Mohammad
--
Thanks, Rich
Rich Levinson | Internet Standards Security Architect
Mobile: +1 978 5055017
Oracle Identity Management
45 Network Drive | Burlington, Massachusetts 01803
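The default-translation rule quoted from section B.2 (a 2.0 Subject with no SubjectCategory maps to access-subject, and the DataType moves from Attribute to AttributeValue in 3.0) worked through in code. This is an added example, not code from the thread or from the OASIS TC; the sample request and its identities are constructed.

```python
import xml.etree.ElementTree as ET

NS2 = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS3 = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed XACML 2.0 request: the first Subject omits SubjectCategory (the
# 2.0 default), the others name the intermediary and the requesting machine.
REQUEST_V2 = f"""<Request xmlns="{NS2}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}">
      <AttributeValue>alice@example.org</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject">
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}">
      <AttributeValue>portal-gateway</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine">
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}">
      <AttributeValue>CN=ws-17.example.org</AttributeValue>
    </Attribute>
  </Subject>
</Request>"""


def translate_subjects(v2_xml):
    """Map each 2.0 Subject to a 3.0 Attributes element keyed by Category.

    Returns ({category: [(attribute_id, datatype, value), ...]}, v3_request_xml).
    """
    ET.register_namespace("", NS3)  # serialize 3.0 elements without a prefix
    root = ET.fromstring(v2_xml)
    req3 = ET.Element(f"{{{NS3}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")
    categories = {}
    for subj in root.findall(f"{{{NS2}}}Subject"):
        # Missing SubjectCategory in 2.0 means access-subject (section B.2 rule)
        category = subj.get("SubjectCategory", ACCESS_SUBJECT)
        attrs = ET.SubElement(req3, f"{{{NS3}}}Attributes", Category=category)
        for attr in subj.findall(f"{{{NS2}}}Attribute"):
            attr_id, datatype = attr.get("AttributeId"), attr.get("DataType")
            a3 = ET.SubElement(attrs, f"{{{NS3}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
            for val in attr.findall(f"{{{NS2}}}AttributeValue"):
                # 3.0 carries DataType on each AttributeValue, not on Attribute
                v3 = ET.SubElement(a3, f"{{{NS3}}}AttributeValue", DataType=datatype)
                v3.text = val.text
                categories.setdefault(category, []).append((attr_id, datatype, val.text))
    return categories, ET.tostring(req3, encoding="unicode")
```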