OASIS Mailing List Archives

 



xacml message



Subject: Re: [xacml] Where does the data come from ?


Steven--

Thanks for the follow-up. I was not intending to question whether or not some data series would be available, but rather just inquiring as to whether, in constructing the profile, you had made any background assumptions about how and from where the data would be gathered. You answered that during the call by pointing to the PIP (i.e., that your starting point was there vs. original data sources.) This is entirely reasonable given the scope of the XACML TC; I admit I was thinking about how the relatively complex data models your profile could manipulate might be generated and kept acceptably current by the overall multi-organizational IAM ecosystem.

From that same ecosystem perspective, I'd like to comment on your follow-up explication about how data availability should constrain policy-makers. First, I roughly equate "policy-makers" in your follow-up to "analysts generating queries against the data model in the PIP." Of course queries are limited to what's in the data model. In the short run. In the longer run, if the business need of the analyst's employer can't be satisfied by the available data, then either efforts will be made to add to the available data or the analyst's project will be abandoned. This is as applicable to access-control as it is to breakfast-cereal marketing. In access-control, the requirements of law, regulation, contracts and other sources of info-access policy imply a data model. Of course there may be compromises where a proxy or indicator data element may be an acceptable substitute for an "ideal" datum, but there is a tipping point where the lack of acceptable data makes a whole ABAC project not worth the effort. And I would assert that today the lack of the right (in terms of evidence for policy conformance) data significantly limits the value of implementing ABAC, at least for multi-organizational information sharing use cases and use cases in highly regulated sectors like government and health care.

Again, I realize these considerations are outside the scope of the XACML TC, but until ecosystem issues like attribute data sources are addressed the demand for ABAC systems and XACML-based products will remain constrained.

Regards,

Martin



On Fri, Jun 12, 2015 at 12:31 AM, Steven Legg <steven.legg@viewds.com> wrote:

This isn't a request to update the minutes but rather a followup to Martin's
question.

On 12/06/2015 8:39 AM, Bill Parducci wrote:
Minutes of XACML TC Meeting 28 May 2015
    Martin:
     I reviewed this and was wondering where does the data come from?

An unstated assumption of the Entities Profile is that the data model for
an application comes first. By "data model" I mean a description of the
types of entities that are available and the attributes that they hold.
It could be simple prose as in the opening paragraphs of Section 7.2 of
the profile or it could be as formal as an entity-relationship diagram.
It could be internal documentation for a custom development or written
up in a standardized profile.

For a custom development, the data model needs to be devised with an
understanding of what data are available. A standardization profile can
only be supported if the required data are going to be available.

Once the data model is established, the PEPs, context handler and/or PIPs
can be configured (ideally) or engineered to provide the necessary entities
and attributes from the available data sources.

Finally, the policy writers write their policies in conformance with the
established data model.

There is no expectation that policy writers can use whatever data model
comes to mind and that somehow the context handler and PIPs will know
where to get the necessary data from.

Regards,
Steven




--
Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 506-0159
703 389-3224 mobile

