Re: [xacml] Suggested discussion topic -- what are common practices in how access-control attributes are bound to resources?

[David Brossard <david.brossard@axiomatics.com>]

Hi Martin,

In Axiomatics deployments, attributes (metadata) largely come from databases. The PDP uses PIPs to retrieve those attributes via SQL calls. For instance:

• Policy: doctors can view a medical record if the record's assigned physician == the requestor id.
• Attributes used
• requestor id - provided by the PEP
• medical record id - provided by the PEP
• action id - provided by the PEP
• medical record assigned physician - retrieved from the record database using SELECT assignedPhysician FROM records WHERE recordId = ?

That is one of the most common ways.

Another option - specific to Windows Server 2012 - is to have the attribute metadata directly assigned to the documents (files / folders) as  classification information. MS Windows allows for that. There's a video here that explains how that works.

Hope this helps,

David.

On Wed, Nov 11, 2015 at 9:52 PM, Martin Smith <bfc.mclean@gmail.com> wrote:

My question is: in current practice today with current deployed products, how are resource metadata bound to resources (documents, etc.)  Interested in access-control related resource attributes of course (vs search, etc metadata.)  Also, how do PDP's (or PIP's) find these attributes? 

Thanks,

Martin

--

Martin F Smith, Principal

BFC Consulting, LLC

McLean, Va 22102

703 506-0159

703 389-3224 mobile

--

David Brossard
VP of Customer Relations
+46(0)760 25 85 75

+1 312 774-9163

+1 502 922 6538
Axiomatics AB
Västmannagatan 4
S-111 24 Stockholm, Sweden

Support: https://support.axiomatics.com 
Web: http://www.axiomatics.com

Axiomatics for developers: http://developers.axiomatics.com

Connect with us on LinkedIn | Twitter | Google + | Facebook | YouTube