OASIS Mailing List Archives

xacml message

Subject: AW: RE: [xacml] Query filtering and XACML


Dear all,
Hal, you remember pretty right. We used XSLT-based obligations to perform rewriting of intercepted WS requests. I am on the run but I will provide more details tomorrow.
Br
Jan

Sent from my mobile

-----Original Message-----
From: Hal Lockhart [hal.lockhart@oracle.com]
Received: Thursday, 03 Oct. 2013, 20:35
To: Tolbert, John W [john.w.tolbert@boeing.com]
CC: xacml@lists.oasis-open.org [xacml@lists.oasis-open.org]
Subject: RE: [xacml] Query filtering and XACML

I have discussed this idea of query rewriting for both SQL queries and web searches many times, but I am unaware of any implementations of it, even in research prototypes. I am sure there is a PhD Thesis (not to mention a business opportunity) there.

The OGC folks implemented XACML as an interceptor in front of an existing Web Service, and therefore had to deal with issues such as basing the decision on resource attributes the application did not ask for, basing the decision on resource attributes the application is not allowed to see and basing the decision on resource attributes not available via that interface. As I recall they did query rewriting (or perhaps alternate queries) to solve the first problem. This is all from memory, perhaps Jan Herrmann can comment further.

Hal

From: Tolbert, John W [mailto:john.w.tolbert@boeing.com]
Sent: Wednesday, October 02, 2013 4:45 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] Query filtering and XACML

Hello,

I’m forwarding the following questions on behalf of Eli Lilly. They would like feedback from the TC. Thanks


CBAC (Content Based Access Control) policies in XACML enable the specification of fine-grained policies for information access. This assumes that the user is requesting specific information for which sufficient metadata exists to adjudicate access rights. Sensitive information may be exposed through a web service or by direct queries to a database. In the case of database queries a user may submit a non-specific request for all information about all people, such as "SELECT * FROM PERSON", which can then be transformed into a more specific query, SELECT <PERMITTED COLUMNS> FROM PERSON WHERE <XACML policy conditions>, in which the rule conditions of applicable policies are converted into the corresponding SQL filter expressions and inserted into the original query before evaluation on the backend database. The overall effect of this query rewrite is that the user can ask for all information, but will receive only the information he is entitled to see. When dealing with very large data sets is there any technology for web services (SOAP, OData, or REST) that uses XACML policies to dynamically rewrite the web service request based upon results from the policy evaluation which is analogous to SQL query filters?
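The column-and-row rewrite that the Eli Lilly question describes, worked through as an added example; this is not code from the thread, from the OGC interceptor Hal mentions, or from any TC deliverable. The PERSON table and its rows are constructed here, and the policy is a simplified Python stand-in for one XACML Permit rule (only the two function identifiers are real XACML URNs; the "permitted_columns" entry is an assumed rendering of the rule's Target). Two points the question leaves implicit are made explicit: the filter may reference a resource attribute (clearance) that the caller is not allowed to read back, which is exactly the second of Hal's three problems, and subject attribute values are bound as SQL parameters while column names are taken only from the policy and checked against the schema, so the rewrite itself cannot become an injection point.

```python
import re
import sqlite3

# Constructed sample schema and data (not from the thread); the table name
# PERSON matches the "SELECT * FROM PERSON" example in the question.
PERSON_COLUMNS = ("id", "name", "department", "salary", "clearance")
SAMPLE_ROWS = [
    (1, "Alice", "research", 90000, 1),
    (2, "Bob", "research", 85000, 3),
    (3, "Carol", "sales", 70000, 1),
    (4, "Dave", "research", 120000, 2),
]

# Real XACML function identifiers; everything else in POLICY is a
# simplified stand-in for a Permit rule, not XACML XML.
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
INTEGER_LE = "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal"
SQL_OPERATOR = {STRING_EQUAL: "=", INTEGER_LE: "<="}

POLICY = {
    # columns the rule's Target lets the subject read (assumption)
    "permitted_columns": ("name", "department"),
    # Condition: conjunction of comparisons between a resource attribute
    # (a PERSON column) and an attribute of the requesting subject
    "conditions": [
        {"function": STRING_EQUAL, "resource_attr": "department", "subject_attr": "department"},
        {"function": INTEGER_LE, "resource_attr": "clearance", "subject_attr": "clearance"},
    ],
}

_SELECT_ALL = re.compile(r"\s*SELECT\s+\*\s+FROM\s+PERSON\s*;?\s*", re.IGNORECASE)


def rewrite_query(query, policy, subject):
    """Turn 'SELECT * FROM PERSON' into
    SELECT <permitted columns> FROM PERSON WHERE <policy conditions>.

    Returns (sql, params). Column names come only from the policy and are
    checked against the schema; subject attribute values are bound as
    parameters and never spliced into the SQL text.
    """
    if not _SELECT_ALL.fullmatch(query):
        raise ValueError("this example only rewrites 'SELECT * FROM PERSON'")
    cols = [c for c in policy["permitted_columns"] if c in PERSON_COLUMNS]
    if not cols:
        raise PermissionError("policy permits no columns: Deny")
    clauses, params = [], []
    for cond in policy["conditions"]:
        col = cond["resource_attr"]
        if col not in PERSON_COLUMNS:
            raise ValueError(f"unknown resource attribute {col!r}")
        if cond["subject_attr"] not in subject:
            # XACML would evaluate to Indeterminate/NotApplicable here;
            # a deny-biased PEP refuses rather than dropping the clause
            raise PermissionError(f"missing subject attribute {cond['subject_attr']!r}: Deny")
        clauses.append(f"{col} {SQL_OPERATOR[cond['function']]} ?")
        params.append(subject[cond["subject_attr"]])
    sql = f"SELECT {', '.join(cols)} FROM PERSON WHERE {' AND '.join(clauses)}"
    return sql, tuple(params)


def run_filtered(query, policy, subject):
    """Execute the rewritten query against an in-memory copy of the sample
    data and return only the rows and columns the subject may see."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE PERSON (id INTEGER, name TEXT, department TEXT, "
        "salary INTEGER, clearance INTEGER)"
    )
    conn.executemany("INSERT INTO PERSON VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    sql, params = rewrite_query(query, policy, subject)
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    analyst = {"department": "research", "clearance": 2}
    print(rewrite_query("SELECT * FROM PERSON", POLICY, analyst))
    print(run_filtered("SELECT * FROM PERSON", POLICY, analyst))
```

Running it for a research subject with clearance 2 returns Alice and Dave but not Bob (clearance 3) or Carol (sales), and the result never carries the salary or clearance columns even though clearance drove the filter. The same shape applies to the web-service case Jan describes: an interceptor that rewrites the request parameters rather than the SQL, with the policy conditions supplied to it as obligations.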