dipal-discuss message



Subject: RE: [dipal-discuss] Re: Request for example Assertions


Thanks, Anne. This is quite clear.

Just to take the use case to its logical conclusion, can we consider the
case where the user attributes are not local, but instead result from a
trust relationship? I assume this would entail using an attribute
selector against an external trust attribute authority...perhaps located
at the caller itself. In this case, we can calculate policy
intersections with newly trusted clients...a prime use for fine-grained
policy in most enterprises...more so than static interactions.

Also, does there need to be a real-world XMLSchema adopted to support
use case semantics, i.e., a trading language to express the operation
and results?

Thanks,
Paul

> -----Original Message-----
> From: Anne Anderson [mailto:Anne.Anderson@sun.com]
> Sent: Tuesday, January 24, 2006 5:28 PM
> To: Paul OConnor
> Cc: dipal-discuss@lists.oasis-open.org
> Subject: Re: [dipal-discuss] Re: Request for example Assertions
> 
> Hi Paul,
> 
> The policy below contains most of what you are asking for; I have not
> run the syntax through an XML parser, so I may have made some errors,
> but the general idea should be clear.
> 
> It assumes that the policy engine's Context Handler knows how to
> associate attributes from the firm's identity store with various XACML
> AttributeIds.  Alternatively, we could define an XML schema into which
> those values are mapped, and then instead of xacml:AttributeDesignator
> we could use xacml:AttributeSelector with XPath expressions pointing to
> the identity store variables on which constraints are being placed.
> 
> I did not enter Assertions for type of trade or equity being traded
> because there are no conditions associated with those.  It would be easy
> to add Assertions similar to those shown however to say things like
> "type of trade must be X" or "equity being traded must be A, B, or C",
> etc.
> 
> Regards,
> Anne
> 
> Paul OConnor wrote On 01/18/06 23:38,:
> > I wonder how access control assertions and policy can be expressed and
> > so I would propose the following very common use case in financial
> > services applications:
> >
> > An equities trading service enforces access control policy which
> > leverages subject attributes from the firm's identity store:
> >
> > User role (trader, manager, etc.)
> > Trade limit (max trade without additional approval)
> > Trading hours (can trade after hours?)
> > Trade location (can trade from home or office only)
> >
> > Along with context variables:
> >
> > Amount of trade
> > Type of trade
> > Equity being traded
> > Additional approval flag
> >
> > These attributes must be asserted by the client making the request,
> > e.g., a trade portal. The policy enforcement infrastructure would then
> > calculate a policy decision before the service was ever invoked.
> 
> <!DOCTYPE wsp:Policy [
> <!ENTITY xf  "urn:oasis:names:tc:xacml:1.0:function:">
> <!ENTITY xf2 "urn:oasis:names:tc:xacml:2.0:function:">
> <!ENTITY xdt "http://www.w3.org/2001/XMLSchema#">
> <!ENTITY role-attr "urn:oasis:names:tc:xacml:2.0:subject:role">
> <!ENTITY current-time
>   "urn:oasis:names:tc:xacml:1.0:environment:current-time">
> ]>
> 
> <wsp:Policy
>   xmlns:wsp="...WS-Policy..."
>   xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
> 
>   <wsp:All>
>     <!-- roles must include "some:namespace:roles:trader" -->
>     <xacml:Apply FunctionId="&xf;anyURI-is-in">
>       <xacml:AttributeValue
>         DataType="&xdt;anyURI">some:namespace:roles:trader</xacml:AttributeValue>
>       <xacml:SubjectAttributeDesignator
>         AttributeId="&role-attr;" DataType="&xdt;anyURI"/>
>     </xacml:Apply>
> 
>     <!-- requested trade-amount must be <= 5000; the amount is the first
>          argument, because integer-less-than-or-equal(a, b) tests a <= b -->
>     <xacml:Apply FunctionId="&xf;integer-less-than-or-equal">
>       <xacml:Apply FunctionId="&xf;integer-one-and-only">
>         <xacml:ActionAttributeDesignator
>           AttributeId="some:namespace:attrs:trade-amount"
>           DataType="&xdt;integer"/>
>       </xacml:Apply>
>       <xacml:AttributeValue
>         DataType="&xdt;integer">5000</xacml:AttributeValue>
>     </xacml:Apply>
> 
>     <!-- Current time must be between 9am and 5pm (time-in-range is an
>          XACML 2.0 function; xs:time literals are hh:mm:ss) -->
>     <xacml:Apply FunctionId="&xf2;time-in-range">
>       <xacml:Apply FunctionId="&xf;time-one-and-only">
>         <xacml:EnvironmentAttributeDesignator
>           AttributeId="&current-time;" DataType="&xdt;time"/>
>       </xacml:Apply>
>       <xacml:AttributeValue
>         DataType="&xdt;time">09:00:00</xacml:AttributeValue>
>       <xacml:AttributeValue
>         DataType="&xdt;time">17:00:00</xacml:AttributeValue>
>     </xacml:Apply>
> 
>     <!-- Trade location must be "some:namespace:locations:home" or
>          ..."office" -->
>     <wsp:ExactlyOne>
>       <xacml:Apply FunctionId="&xf;anyURI-is-in">
>         <xacml:AttributeValue
>           DataType="&xdt;anyURI">some:namespace:locations:home</xacml:AttributeValue>
>         <xacml:EnvironmentAttributeDesignator
>           AttributeId="some:namespace:location" DataType="&xdt;anyURI"/>
>       </xacml:Apply>
>       <xacml:Apply FunctionId="&xf;anyURI-is-in">
>         <xacml:AttributeValue
>           DataType="&xdt;anyURI">some:namespace:locations:office</xacml:AttributeValue>
>         <xacml:EnvironmentAttributeDesignator
>           AttributeId="some:namespace:location" DataType="&xdt;anyURI"/>
>       </xacml:Apply>
>     </wsp:ExactlyOne>
> 
>     <!-- Additional approval flag must be true -->
>     <xacml:Apply FunctionId="&xf;boolean-is-in">
>       <xacml:AttributeValue
>         DataType="&xdt;boolean">true</xacml:AttributeValue>
>       <xacml:SubjectAttributeDesignator
>         AttributeId="some:namespace:additional:approval"
>         DataType="&xdt;boolean"/>
>     </xacml:Apply>
> 
>   </wsp:All>
> </wsp:Policy>
> 
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
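The policy quoted above can be exercised against request contexts with a small evaluator. The block below is an added example, not code from this thread or from any XACML or WS-Policy implementation. It models the five xacml:Apply elements as the XACML functions they name (anyURI-is-in, integer-one-and-only, integer-less-than-or-equal, time-in-range, boolean-is-in) operating on bags, treats wsp:All as a conjunction and wsp:ExactlyOne as "one of the location alternatives holds", and maps the outcome to Permit, Deny or Indeterminate. That decision mapping is an assumption of the example, since the quoted policy carries no Effect. The "some:namespace:..." AttributeIds are the thread's own placeholders, and the request contexts are constructed sample data.

```python
from datetime import time

# AttributeIds from the quoted policy.  The "some:namespace:*" identifiers
# are placeholders used in the thread, not registered URNs.
ROLE_ATTR    = "urn:oasis:names:tc:xacml:2.0:subject:role"
CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
TRADE_AMOUNT = "some:namespace:attrs:trade-amount"
LOCATION     = "some:namespace:location"
APPROVAL     = "some:namespace:additional:approval"
TRADER       = "some:namespace:roles:trader"
HOME         = "some:namespace:locations:home"
OFFICE       = "some:namespace:locations:office"


class Indeterminate(Exception):
    """Raised when a *-one-and-only function is given a bag of size != 1."""


# --- the XACML functions the policy uses, over bags (Python lists) ----------

def one_and_only(bag):
    """integer-/time-one-and-only: exactly one value, else Indeterminate."""
    if len(bag) != 1:
        raise Indeterminate("bag of size %d, expected exactly 1" % len(bag))
    return bag[0]

def is_in(value, bag):
    """anyURI-/boolean-is-in: true if value is a member of the bag."""
    return value in bag

def integer_less_than_or_equal(a, b):
    """integer-less-than-or-equal(a, b) is a <= b; argument order matters."""
    return a <= b

def time_in_range(t, lo, hi):
    """XACML 2.0 time-in-range: lo <= t <= hi, bounds inclusive."""
    return lo <= t <= hi


# --- the policy --------------------------------------------------------------

def evaluate(ctx):
    """Evaluate the thread's five assertions against one request context.

    ctx maps AttributeId -> list of values (an XACML bag; an attribute the
    client did not assert is an empty bag).  Decision mapping is this
    example's assumption: all assertions true -> "Permit", any false ->
    "Deny", a one-and-only failure -> "Indeterminate".
    """
    bag = lambda attr: ctx.get(attr, [])
    try:
        assertions = [
            # roles must include the trader role
            is_in(TRADER, bag(ROLE_ATTR)),
            # requested trade-amount must be <= 5000 (amount is the first argument)
            integer_less_than_or_equal(one_and_only(bag(TRADE_AMOUNT)), 5000),
            # current time must lie between 09:00 and 17:00
            time_in_range(one_and_only(bag(CURRENT_TIME)), time(9, 0), time(17, 0)),
            # wsp:ExactlyOne over the home/office alternatives, modelled as
            # "some alternative holds"
            any(is_in(loc, bag(LOCATION)) for loc in (HOME, OFFICE)),
            # additional approval flag must be true
            is_in(True, bag(APPROVAL)),
        ]
    except Indeterminate:
        return "Indeterminate"
    return "Permit" if all(assertions) else "Deny"


# --- constructed request contexts (sample data, not from the thread) --------

BASE = {
    ROLE_ATTR:    [TRADER, "some:namespace:roles:analyst"],
    TRADE_AMOUNT: [4500],
    CURRENT_TIME: [time(10, 30)],
    LOCATION:     [OFFICE],
    APPROVAL:     [True],
}

SAMPLES = {
    "in-hours trader at office":  BASE,
    "over the 5000 limit":        {**BASE, TRADE_AMOUNT: [12000]},
    "after hours":                {**BASE, CURRENT_TIME: [time(18, 5)]},
    "from an unlisted location":  {**BASE, LOCATION: ["some:namespace:locations:lounge"]},
    "trade-amount not asserted":  {k: v for k, v in BASE.items() if k != TRADE_AMOUNT},
    "two trade-amount values":    {**BASE, TRADE_AMOUNT: [100, 9000]},
}

def run_samples():
    """Return {sample name: decision} for every constructed context."""
    return {name: evaluate(ctx) for name, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print("%-13s %s" % (decision, name))
```

Two things the evaluator makes visible that the XML alone does not: the comparison functions are positional, so integer-less-than-or-equal(5000, amount) would enforce the opposite of the comment in the policy, and the *-one-and-only wrappers turn a missing or multi-valued attribute into Indeterminate rather than a silent Deny, which is what a PEP in front of the trading service would need to handle separately from an ordinary refusal.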


