dipal-discuss message
Subject: Re: [dipal-discuss] Re: Request for example Assertions


Paul,

Paul OConnor wrote on 02/02/06 23:18:
> Just to take the use case to its logical conclusion, can we consider the
> case where the user attributes are not local, but instead result from a
> trust relationship? I assume this would entail using an attribute
> selector against an external trust attribute authority...perhaps located
> at the caller itself. In this case, we can calculate policy
> intersections with newly trusted clients...a prime use for fine-grained
> policy in most enterprises...more so than static interactions.

Yes, I think this is a supportable scenario.

> Also, does there need to be a real-world XMLSchema adopted to support
> use case semantics, i.e., a trading language to express the operation
> and results?

The "trading" domain would need to define either a specific Attribute
"vocabulary" or an XMLSchema, specifying the Attributes (or elements and
XML attributes), their possible values, and the meaning of each value.
For policy agreement scenarios, the Attributes and XMLSchema might never
be instantiated; they are used only as a policy vocabulary definition
for this domain.  Applications that use the "trading" domain's policy,
including the tools allowing users to author policies, need to be aware
of the semantics associated with the vocabulary items and their values.
The policy agreement and (if instantiated) policy verification
components would not need to be aware of the semantics.

Regards,
Anne

> Thanks,
> Paul
> 
> 
>>-----Original Message-----
>>From: Anne Anderson [mailto:Anne.Anderson@sun.com]
>>Sent: Tuesday, January 24, 2006 5:28 PM
>>To: Paul OConnor
>>Cc: dipal-discuss@lists.oasis-open.org
>>Subject: Re: [dipal-discuss] Re: Request for example Assertions
>>
>>Hi Paul,
>>
>>The policy below contains most of what you are asking for; I have not
>>run the syntax through an XML parser, so I may have made some errors,
>>but the general idea should be clear.
>>
>>It assumes that the policy engine's Context Handler knows how to
>>associate attributes from the firm's identity store with various XACML
>>AttributeIds.  Alternatively, we could define an XML schema into which
>>those values are mapped, and then instead of xacml:AttributeDesignator
>>we could use xacml:AttributeSelector with XPath expressions pointing to
>>the identity store variables on which constraints are being placed.
>>
>>I did not enter Assertions for type of trade or equity being traded
>>because there are no conditions associated with those.  It would be easy
>>to add Assertions similar to those shown however to say things like
>>"type of trade must be X" or "equity being traded must be A, B, or C",
>>etc.
>>Regards,
>>Anne
>>
>>Paul OConnor wrote on 01/18/06 23:38:
>>
>>>I wonder how access control assertions and policy can be expressed and
>>>so I would propose the following very common use case in financial
>>>services applications:
>>>
>>>An equities trading service enforces access control policy which
>>>leverages subject attributes from the firm's identity store:
>>>
>>>User role (trader, manager, etc.)
>>>Trade limit (max trade without additional approval)
>>>Trading hours (can trade after hours?)
>>>Trade location (can trade from home or office only)
>>>
>>>Along with context variables:
>>>
>>>Amount of trade
>>>Type of trade
>>>Equity being traded
>>>Additional approval flag
>>>
>>>These attributes must be asserted by the client making the request,
>>>e.g., a trade portal. The policy enforcement infrastructure would then
>>>calculate a policy decision before the service was ever invoked.
>>
>><!DOCTYPE wsp:Policy [
>><!ENTITY xf "urn:oasis:names:tc:xacml:1.0:function:">
>><!ENTITY xdt "http://www.w3.org/2001/XMLSchema#">
>><!ENTITY role-attr "urn:oasis:names:tc:xacml:2.0:subject:role">
>><!ENTITY current-time
>>  "urn:oasis:names:tc:xacml:1.0:environment:current-time">
>>]>
>>
>><wsp:Policy
>>  xmlns:wsp="...WS-Policy..."
>>  xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
>>
>>  <wsp:All>
>>    <!-- roles must include "some:namespace:roles:trader" -->
>>    <xacml:Apply FunctionId="&xf;anyURI-is-in">
>>       <xacml:AttributeValue
>>          DataType="&xdt;anyURI">some:namespace:roles:trader</xacml:AttributeValue>
>>       <xacml:SubjectAttributeDesignator
>>          AttributeId="&role-attr;" DataType="&xdt;anyURI"/>
>>    </xacml:Apply>
>>
>>    <!-- requested trade-amount must be <= 5000; the function tests
>>         first-arg <= second-arg, so the amount is the first argument -->
>>    <xacml:Apply FunctionId="&xf;integer-less-than-or-equal">
>>       <xacml:Apply FunctionId="&xf;integer-one-and-only">
>>           <xacml:ActionAttributeDesignator
>>              AttributeId="some:namespace:attrs:trade-amount"
>>              DataType="&xdt;integer"/>
>>       </xacml:Apply>
>>       <xacml:AttributeValue
>>          DataType="&xdt;integer">5000</xacml:AttributeValue>
>>    </xacml:Apply>
>>
>>    <!-- Current time must be between 9am and 5pm (xs:time lexical form) -->
>>    <xacml:Apply FunctionId="&xf;time-in-range">
>>       <xacml:Apply FunctionId="&xf;time-one-and-only">
>>           <xacml:EnvironmentAttributeDesignator
>>              AttributeId="&current-time;" DataType="&xdt;time"/>
>>       </xacml:Apply>
>>       <xacml:AttributeValue
>>          DataType="&xdt;time">09:00:00</xacml:AttributeValue>
>>       <xacml:AttributeValue
>>          DataType="&xdt;time">17:00:00</xacml:AttributeValue>
>>    </xacml:Apply>
>>
>>    <!-- Trade location must be "some:namespace:locations:home" or
>>         "some:namespace:locations:office" -->
>>    <wsp:ExactlyOne>
>>      <xacml:Apply FunctionId="&xf;anyURI-is-in">
>>          <xacml:AttributeValue
>>             DataType="&xdt;anyURI">some:namespace:locations:home</xacml:AttributeValue>
>>          <xacml:EnvironmentAttributeDesignator
>>             AttributeId="some:namespace:location" DataType="&xdt;anyURI"/>
>>      </xacml:Apply>
>>      <xacml:Apply FunctionId="&xf;anyURI-is-in">
>>          <xacml:AttributeValue
>>             DataType="&xdt;anyURI">some:namespace:locations:office</xacml:AttributeValue>
>>          <xacml:EnvironmentAttributeDesignator
>>             AttributeId="some:namespace:location" DataType="&xdt;anyURI"/>
>>      </xacml:Apply>
>>    </wsp:ExactlyOne>
>>
>>    <!-- Additional approval flag must be true -->
>>    <xacml:Apply FunctionId="&xf;boolean-is-in">
>>        <xacml:AttributeValue
>>           DataType="&xdt;boolean">true</xacml:AttributeValue>
>>        <xacml:SubjectAttributeDesignator
>>           AttributeId="some:namespace:additional:approval"
>>           DataType="&xdt;boolean"/>
>>    </xacml:Apply>
>>
>>  </wsp:All>
>></wsp:Policy>
>>
>>--
>>Anne H. Anderson             Email: Anne.Anderson@Sun.COM
>>Sun Microsystems Laboratories
>>1 Network Drive,UBUR02-311     Tel: 781/442-0928
>>Burlington, MA 01803-0902 USA  Fax: 781/442-1692
> 
> 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
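The following is an added example, not code from this thread or from any OASIS deliverable: a minimal evaluator that parses the WS-Policy/XACML policy Anne posted above (with the entity references expanded) and decides constructed trade requests against it. It assumes a WS-Policy namespace URI (the post left it as "...WS-Policy..."), simplified XACML semantics (a *-one-and-only over a bag that does not hold exactly one value makes the whole decision Indeterminate), and a request context keyed by (attribute category, AttributeId). The sample requests and the attribute names are constructed for illustration.

```python
# Added example (not from the dipal-discuss thread): a minimal evaluator for
# the WS-Policy/XACML policy posted above, run over constructed requests.
# Assumed: the WS-Policy namespace URI below and simplified XACML semantics.
import datetime as dt
import xml.etree.ElementTree as ET

XF = "urn:oasis:names:tc:xacml:1.0:function:"
XDT = "http://www.w3.org/2001/XMLSchema#"
XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # assumed namespace
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
NOW = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
AMOUNT, LOC, APPROVAL = ("some:namespace:attrs:trade-amount",
                         "some:namespace:location", "some:namespace:additional:approval")

# The thread's policy with entity references expanded (constructed sample).
POLICY_XML = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:xacml="{XACML}"><wsp:All>
 <xacml:Apply FunctionId="{XF}anyURI-is-in">
  <xacml:AttributeValue DataType="{XDT}anyURI">some:namespace:roles:trader</xacml:AttributeValue>
  <xacml:SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XDT}anyURI"/>
 </xacml:Apply>
 <xacml:Apply FunctionId="{XF}integer-less-than-or-equal">
  <xacml:Apply FunctionId="{XF}integer-one-and-only">
   <xacml:ActionAttributeDesignator AttributeId="{AMOUNT}" DataType="{XDT}integer"/>
  </xacml:Apply>
  <xacml:AttributeValue DataType="{XDT}integer">5000</xacml:AttributeValue>
 </xacml:Apply>
 <xacml:Apply FunctionId="{XF}time-in-range">
  <xacml:Apply FunctionId="{XF}time-one-and-only">
   <xacml:EnvironmentAttributeDesignator AttributeId="{NOW}" DataType="{XDT}time"/>
  </xacml:Apply>
  <xacml:AttributeValue DataType="{XDT}time">09:00:00</xacml:AttributeValue>
  <xacml:AttributeValue DataType="{XDT}time">17:00:00</xacml:AttributeValue>
 </xacml:Apply>
 <wsp:ExactlyOne>
  <xacml:Apply FunctionId="{XF}anyURI-is-in">
   <xacml:AttributeValue DataType="{XDT}anyURI">some:namespace:locations:home</xacml:AttributeValue>
   <xacml:EnvironmentAttributeDesignator AttributeId="{LOC}" DataType="{XDT}anyURI"/>
  </xacml:Apply>
  <xacml:Apply FunctionId="{XF}anyURI-is-in">
   <xacml:AttributeValue DataType="{XDT}anyURI">some:namespace:locations:office</xacml:AttributeValue>
   <xacml:EnvironmentAttributeDesignator AttributeId="{LOC}" DataType="{XDT}anyURI"/>
  </xacml:Apply>
 </wsp:ExactlyOne>
 <xacml:Apply FunctionId="{XF}boolean-is-in">
  <xacml:AttributeValue DataType="{XDT}boolean">true</xacml:AttributeValue>
  <xacml:SubjectAttributeDesignator AttributeId="{APPROVAL}" DataType="{XDT}boolean"/>
 </xacml:Apply>
</wsp:All></wsp:Policy>"""

class Indeterminate(Exception):
    """A required attribute was absent from the request or not single-valued."""

CONVERT = {XDT + "integer": int, XDT + "boolean": lambda s: s == "true",
           XDT + "time": dt.time.fromisoformat}

def parse_value(datatype, text):
    """Convert text to a Python value per its XACML DataType (default: text)."""
    return CONVERT.get(datatype, str)(text.strip())

FUNCS = {  # the XACML 1.0 functions the policy uses, in their argument order
    XF + "anyURI-is-in": lambda v, bag: v in bag,
    XF + "boolean-is-in": lambda v, bag: v in bag,
    XF + "integer-less-than-or-equal": lambda a, b: a <= b,
    XF + "time-in-range": lambda t, lo, hi: lo <= t <= hi,
}

def evaluate(el, ctx):
    """ctx maps (category, AttributeId) -> list of raw string values (a bag)."""
    local = el.tag.split("}")[1]
    if el.tag in (f"{{{WSP}}}Policy", f"{{{WSP}}}All"):
        return all(evaluate(c, ctx) for c in el)
    if el.tag == f"{{{WSP}}}ExactlyOne":
        return sum(1 for c in el if evaluate(c, ctx)) == 1
    if local == "AttributeValue":
        return parse_value(el.get("DataType"), el.text or "")
    if local.endswith("AttributeDesignator"):  # Subject/Action/Environment...
        category = local[: -len("AttributeDesignator")].lower()
        bag = ctx.get((category, el.get("AttributeId")), [])
        return [parse_value(el.get("DataType"), v) for v in bag]
    if local == "Apply":
        fid = el.get("FunctionId")
        args = [evaluate(c, ctx) for c in el]
        if fid.endswith("-one-and-only"):
            if len(args[0]) != 1:
                raise Indeterminate(f"{fid}: bag holds {len(args[0])} values")
            return args[0][0]
        return FUNCS[fid](*args)
    raise ValueError(f"unsupported element {el.tag}")

def decide(ctx, policy_xml=POLICY_XML):
    """PDP-style decision for one request context."""
    try:
        return "Permit" if evaluate(ET.fromstring(policy_xml), ctx) else "Deny"
    except Indeterminate:
        return "Indeterminate"

def trade_request(amount="4000", location="some:namespace:locations:home",
                  time="10:30:00", approval="true",
                  roles=("some:namespace:roles:trader",)):
    """Constructed request context, as a trade portal might assert it."""
    return {("subject", ROLE): list(roles), ("subject", APPROVAL): [approval],
            ("action", AMOUNT): [amount], ("environment", NOW): [time],
            ("environment", LOC): [location]}
```

`decide(trade_request())` yields Permit; raising the amount to 6000, moving the time to 18:00, asserting an unknown location, or omitting the trader role each yields Deny. Two points the evaluator makes concrete: XACML comparison functions are positional, so `integer-less-than-or-equal` must receive the requested amount as its first argument for the check to read "amount <= 5000"; and a request that omits the trade amount, or supplies two values for it, does not yield Deny but Indeterminate, because `integer-one-and-only` requires a bag of exactly one value. A PEP that treats Indeterminate as anything other than "do not invoke the service" turns a missing assertion from the portal into a bypass. Note also that, as Anne's reply says, the evaluator needs no knowledge of what a "trader" or a "location" means; only the policy authors and the portal that asserts the attributes do.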