Subject: Re: [xacml] Groups - xacml-3.0-dlp-nac-v1.0-wd07-SL.doc uploaded
Hi John, On 15/07/2014 8:13 AM, Tolbert, John W wrote:
Hi Steven, Thanks for putting this draft together. I like the Subject-Security-Domain attribute name better.
I decided it was a better use of our time if I just showed what I was talking about with a revised draft, rather than further discussion, even if you end up rejecting the approach. Also, please disregard the comment in the normative references section. Earlier versions of XACML can use this profile by putting the subject category in the SubjectCategory XML attribute of the <Subject> element (which is also a supporting argument for defining recipient-machine as a new subject-category).
I do have a question about the flattening of the various “…subject-id” attributes – in a complex request, how would the PDP / Context handler treat multiple subject-id name/value pairs? How would they be associated with access subject vs. recipient subject vs. recipient machine?
From the PDP and context handler perspective, each (category, attribute-id, data-type) combination is a distinctly different XACML attribute. There is nothing special about (attribute-id, data-type) pairs. Two triplets that have the same attribute-id and data-type but different categories are still different, unrelated XACML attributes.

Ordinarily I would expect the PEP to supply at least the (access-subject, subject-id, ?), (requesting-machine, subject-id, ?), (recipient-subject, subject-id, ?) and/or (recipient-machine, subject-id, ?) attribute values. The job of the context handler is then to look up the other attributes of these entities using the various subject-id values as keys.

How the context handler is configured to do that is implementation specific, but in the case of ViewDS, we configure where the context handler will look for attributes on a per-triplet basis. An implementation with per-triplet configuration could potentially, for example, source (access-subject, *, *) and (recipient-subject, *, *) attributes from an HR LDAP directory using (access-subject, subject-id, ?) and (recipient-subject, subject-id, ?), respectively, as keys. Meanwhile, (requesting-machine, *, *) and (recipient-machine, *, *) attributes could be sourced from a network database using (requesting-machine, subject-id, ?) and (recipient-machine, subject-id, ?), respectively, as keys.

The concept of using the same attribute-id across a number of categories is already established in the XACML core specification for subject attributes and subject categories. An implementation could configure its context handler with respect to (attribute-id, data-type) pairs, but it would be limiting its flexibility somewhat with respect to the XACML core specification, let alone the DLP-NAC profile.

Regards,
Steven
Thanks

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Steven Legg
Sent: Thursday, July 10, 2014 6:20 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] Groups - xacml-3.0-dlp-nac-v1.0-wd07-SL.doc uploaded

Submitter's message:
This is an updated and change-marked version of DLP-NAC WD-07 taking into account my suggestions in https://www.oasis-open.org/apps/org/workgroup/xacml/email/archives/201406/msg00029.html. Note the comments for consideration. I trust this is easier to get one's head around. I didn't invoke the entities profile because the use cases presented aren't complex enough to warrant it.
-- Dr. Steven Legg

Document Name: xacml-3.0-dlp-nac-v1.0-wd07-SL.doc <https://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=53582>

Description: This is an updated and change-marked version of DLP-NAC WD-07 taking into account the suggestions in https://www.oasis-open.org/apps/org/workgroup/xacml/email/archives/201406/msg00029.html.
Download Latest Revision <https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/53582/latest/xacml-3.0-dlp-nac-v1.0-wd07-SL.doc>
Public Download Link <https://www.oasis-open.org/committees/document.php?document_id=53582&wg_abbrev=xacml>

Submitter: Dr. Steven Legg
Group: OASIS eXtensible Access Control Markup Language (XACML) TC
Folder: repository
Date submitted: 2014-07-10 18:19:36
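The per-triplet resolution Steven describes above, as an added example that is not part of the thread or of any XACML implementation: a constructed XACML 3.0 request carries a subject-id in four subject categories, and a small context handler keys each (category, attribute-id, data-type) triplet to its own store, using that category's subject-id as the lookup key. The access-subject, recipient-subject and requesting-machine category URNs are the ones from XACML core; the recipient-machine category and the department and subject-security-domain attribute URNs are placeholders, and the HR directory and network database are dictionaries standing in for the external sources.

```python
"""Resolve XACML attributes per (category, attribute-id, data-type) triplet.

Added example, not from the mailing-list thread or any XACML implementation.
URNs marked "placeholder" are assumptions, not identifiers from any profile.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}

# Subject categories: the first three are defined in XACML core; the fourth is
# a placeholder for the recipient-machine category the draft proposes.
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RECIPIENT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
REQUESTING_MACHINE = "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine"
RECIPIENT_MACHINE = "urn:example:placeholder:subject-category:recipient-machine"

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"  # XACML core
DEPARTMENT = "urn:example:placeholder:attribute:department"  # placeholder
SECURITY_DOMAIN = "urn:example:placeholder:attribute:subject-security-domain"  # placeholder
STRING = "http://www.w3.org/2001/XMLSchema#string"


def attributes_xml(category, subject_id):
    """Build one <Attributes> element carrying only a subject-id (constructed data)."""
    return (f'<Attributes Category="{category}">'
            f'<Attribute AttributeId="{SUBJECT_ID}" IncludeInResult="false">'
            f'<AttributeValue DataType="{STRING}">{subject_id}</AttributeValue>'
            f'</Attribute></Attributes>')


# Constructed request: the PEP supplies four subject-ids, one per category.
REQUEST_XML = (f'<Request xmlns="{XACML_NS}" ReturnPolicyIdList="false" '
               f'CombinedDecision="false">'
               + attributes_xml(ACCESS_SUBJECT, "alice")
               + attributes_xml(REQUESTING_MACHINE, "ws-1042")
               + attributes_xml(RECIPIENT_SUBJECT, "bob")
               + attributes_xml(RECIPIENT_MACHINE, "laptop-77")
               + "</Request>")

# Constructed stand-ins for the HR directory and the network database.
HR_DIRECTORY = {"alice": {DEPARTMENT: "finance"}, "bob": {DEPARTMENT: "sales"}}
NETWORK_DB = {"ws-1042": {SECURITY_DOMAIN: "corp-lan"},
              "laptop-77": {SECURITY_DOMAIN: "guest-wifi"}}

# Per-triplet source configuration: which store answers for a triplet, and
# which category's subject-id is the lookup key into that store.
SOURCE_CONFIG = {
    (ACCESS_SUBJECT, DEPARTMENT, STRING): (HR_DIRECTORY, ACCESS_SUBJECT),
    (RECIPIENT_SUBJECT, DEPARTMENT, STRING): (HR_DIRECTORY, RECIPIENT_SUBJECT),
    (REQUESTING_MACHINE, SECURITY_DOMAIN, STRING): (NETWORK_DB, REQUESTING_MACHINE),
    (RECIPIENT_MACHINE, SECURITY_DOMAIN, STRING): (NETWORK_DB, RECIPIENT_MACHINE),
}


def parse_request(xml_text):
    """Return {(category, attribute-id, data-type): [values]} for a Request."""
    bag = {}
    for attrs in ET.fromstring(xml_text).findall("x:Attributes", NS):
        category = attrs.get("Category")
        for attr in attrs.findall("x:Attribute", NS):
            for val in attr.findall("x:AttributeValue", NS):
                key = (category, attr.get("AttributeId"), val.get("DataType"))
                bag.setdefault(key, []).append(val.text)
    return bag


def resolve(bag, category, attr_id, data_type, config=SOURCE_CONFIG):
    """Context-handler lookup: the request bag first, then the configured store.

    Returns an empty list (an empty bag) when nothing is configured or found;
    the PDP would treat that as a missing attribute.
    """
    triplet = (category, attr_id, data_type)
    if triplet in bag:
        return list(bag[triplet])
    if triplet not in config:
        return []
    store, key_category = config[triplet]
    values = []
    for key in bag.get((key_category, SUBJECT_ID, STRING), []):
        entry = store.get(key, {})
        if attr_id in entry:
            values.append(entry[attr_id])
    return values


def subject_ids_ignoring_category(bag):
    """What a handler keyed only on (attribute-id, data-type) would see: the
    subject-ids of all four entities mixed into one indistinguishable set."""
    return sorted(v for (_, aid, dt), vals in bag.items()
                  if (aid, dt) == (SUBJECT_ID, STRING) for v in vals)


if __name__ == "__main__":
    bag = parse_request(REQUEST_XML)
    for cat, aid in [(ACCESS_SUBJECT, DEPARTMENT), (RECIPIENT_SUBJECT, DEPARTMENT),
                     (REQUESTING_MACHINE, SECURITY_DOMAIN),
                     (RECIPIENT_MACHINE, SECURITY_DOMAIN)]:
        print(cat.rsplit(":", 1)[1], aid.rsplit(":", 1)[1], resolve(bag, cat, aid, STRING))
    print("subject-ids without category:", subject_ids_ignoring_category(bag))
```

Running it shows the point of the reply: with the category as part of the key, "alice" and "bob" resolve to different departments and the two machines to different security domains, while a handler that keyed on (attribute-id, data-type) alone would see four subject-id values with no way to tell which entity each belongs to.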