OASIS Mailing List Archives

xacml message


Subject: RE: [xacml] RE: Question re: XACML PEP


Yes it does.

 

Technically it is a PIP (Policy Information Point) which fetches the attributes. It may be located in the same process as the PEP, the PDP or somewhere else.

 

Nonetheless, a privileged process which can read all the resources is required. Cases of this kind often occur as the access control becomes more fine grained. It may be necessary to access the resource to determine if an access request should be allowed. A good example is a proxy/interceptor architecture such as used by the GeoXACML implementation. It sits in front of a SQL database and may rewrite SQL queries to fetch attributes not requested by the application, but needed for policy evaluation.

 

Hal

 

From: Hayes, Crystal L [mailto:Crystal.L.Hayes@boeing.com]
Sent: Friday, March 13, 2015 6:13 PM
To: Hill, Richard C; xacml@lists.oasis-open.org
Cc: Smith, Gregory L
Subject: [xacml] RE: Question re: XACML PEP

 

Does the PEP have to open the target document in order to extract the metadata?

 

Thanks!

Crystal

 

From: Hill, Richard C
Sent: Friday, March 13, 2015 3:12 PM
To: Hayes, Crystal L; xacml@lists.oasis-open.org
Cc: Smith, Gregory L
Subject: RE: Question re: XACML PEP

 

Hi Crystal,

 

In that demonstration the Boeing CIPHER tool searched and classified the document based on the information it contained (e.g. proprietary markings) and stored an XACML attribute in the properties of the document (e.g. “urn:oasis:names:tc:xacml:3.0:ipc:resource:proprietary” with a value of “true”). A PEP would need to extract that information from the document and send it in an XACML request to a PDP to render a decision based on an XACML policy. I know Nextlabs provides a PEP that can do this. Other XACML product companies may also provide PEPs with this capability too.

 

Richard Hill

 

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Hayes, Crystal L
Sent: Friday, March 13, 2015 11:31 AM
To: xacml@lists.oasis-open.org
Cc: Smith, Gregory L
Subject: [xacml] Question re: XACML PEP

 

Hello Group,

 

Can any of you please tell me how, in our 2012 RSA demonstration of the XACML IP Profile, the Policy Enforcement Point (PEP) was able to read resource metadata to make an access control decision? Was the resource file actually being opened in order to read the metadata? How is the metadata visible to the PEP?

 

Thanks so much!

 

Crystal Hayes, CCEP
Boeing Intellectual Property Management
(206) 713-2928 
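
As an added illustration of the flow discussed in this thread (not code from the RSA demonstration, Boeing CIPHER or any product named here): a PIP that reads the proprietary attribute from a document's properties, and a PEP that places it in an XACML 3.0 request. It assumes the attribute is stored as an OOXML custom property in `docProps/custom.xml`; the sample document and all function names are constructed for the example, and only the resource attribute category is shown.

```python
import io, zipfile
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
PROPRIETARY = "urn:oasis:names:tc:xacml:3.0:ipc:resource:proprietary"  # id quoted in the thread
CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

def make_sample_docx(value):
    """Constructed sample: a minimal OOXML-style zip carrying the attribute as a custom property."""
    xml = (f'<Properties xmlns="{CP_NS}" xmlns:vt="{VT_NS}">'
           f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2" name="{PROPRIETARY}">'
           f"<vt:lpwstr>{value}</vt:lpwstr></property></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml", xml)
        z.writestr("word/document.xml", "constructed body, never read by the PIP")
    return buf.getvalue()

def pip_read_proprietary(doc_bytes):
    """PIP: open the container but read only the properties part. None = value not determinable."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
            # Documents are untrusted input; a deployment would use a hardened XML parser here.
            root = ET.fromstring(z.read("docProps/custom.xml"))
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return None
    for prop in root.iter(f"{{{CP_NS}}}property"):
        if prop.get("name") == PROPRIETARY and len(prop):
            value = (prop[0].text or "").strip().lower()
            return value if value in ("true", "false") else None
    return None

def build_request(doc_bytes):
    """PEP: wrap the PIP's value in an XACML 3.0 request. None = refuse access (this example's choice)."""
    value = pip_read_proprietary(doc_bytes)
    if value is None:
        return None
    ET.register_namespace("", XACML)
    q = lambda tag: f"{{{XACML}}}{tag}"
    req = ET.Element(q("Request"), ReturnPolicyIdList="false", CombinedDecision="false")
    attrs = ET.SubElement(req, q("Attributes"), Category=RESOURCE_CAT)
    attr = ET.SubElement(attrs, q("Attribute"), AttributeId=PROPRIETARY, IncludeInResult="false")
    av = ET.SubElement(attr, q("AttributeValue"), DataType="http://www.w3.org/2001/XMLSchema#boolean")
    av.text = value
    return ET.tostring(req, encoding="unicode")
```

The process running `pip_read_proprietary` needs read access to every document it mediates, which is the privileged component described in the first reply.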

 


