

Subject: RE: [dipal-discuss] Re: Request for example Assertions


XACML assumes that all necessary policy inputs will be available via a
pro-forma XML construct called the input context. The input context is
not required to be implemented as such, but the policy evaluation must
have the same result as if it were.

The actual attribute values may have been gathered in advance from local
or non-local sources or even obtained on the fly during the evaluation
process. The values are assumed to be trusted. However, in certain
architectures, it would be possible to use other XACML policies to
specify what information to trust.

Hal

> -----Original Message-----
> From: Paul OConnor [mailto:poconnor@e-brilliance.com]
> Sent: Thursday, February 02, 2006 11:19 PM
> To: Anne.Anderson@sun.com
> Cc: dipal-discuss@lists.oasis-open.org
> Subject: RE: [dipal-discuss] Re: Request for example Assertions
> 
> Thanks, Anne. This is quite clear.
> 
> Just to take the use case to its logical conclusion, can we consider the
> case where the user attributes are not local, but instead result from a
> trust relationship? I assume this would entail using an attribute
> selector against an external trust attribute authority...perhaps located
> at the caller itself. In this case, we can calculate policy
> intersections with newly trusted clients...a prime use for fine-grained
> policy in most enterprises...more so than static interactions.
> 
> Also, does there need to be a real-world XMLSchema adopted to support
> use case semantics, i.e., a trading language to express the operation
> and results?
> 
> Thanks,
> Paul
> 
> > -----Original Message-----
> > From: Anne Anderson [mailto:Anne.Anderson@sun.com]
> > Sent: Tuesday, January 24, 2006 5:28 PM
> > To: Paul OConnor
> > Cc: dipal-discuss@lists.oasis-open.org
> > Subject: Re: [dipal-discuss] Re: Request for example Assertions
> >
> > Hi Paul,
> >
> > The policy below contains most of what you are asking for; I have not
> > run the syntax through an XML parser, so I may have made some errors,
> > but the general idea should be clear.
> >
> > It assumes that the policy engine's Context Handler knows how to
> > associate attributes from the firm's identity store with various XACML
> > AttributeIds.  Alternatively, we could define an XML schema into which
> > those values are mapped, and then instead of xacml:AttributeDesignator
> > we could use xacml:AttributeSelector with XPath expressions pointing to
> > the identity store variables on which constraints are being placed.
> >
> > I did not enter Assertions for type of trade or equity being traded
> > because there are no conditions associated with those.  It would be easy
> > to add Assertions similar to those shown however to say things like
> > "type of trade must be X" or "equity being traded must be A, B, or C",
> > etc.
> >
> > Regards,
> > Anne
> >
> > Paul OConnor wrote on 01/18/06 23:38:
> > > I wonder how access control assertions and policy can be expressed and
> > > so I would propose the following very common use case in financial
> > > services applications:
> > >
> > > An equities trading service enforces access control policy which
> > > leverages subject attributes from the firm's identity store:
> > >
> > > User role (trader, manager, etc.)
> > > Trade limit (max trade without additional approval)
> > > Trading hours (can trade after hours?)
> > > Trade location (can trade from home or office only)
> > >
> > > Along with context variables:
> > >
> > > Amount of trade
> > > Type of trade
> > > Equity being traded
> > > Additional approval flag
> > >
> > > These attributes must be asserted by the client making the request,
> > > e.g., a trade portal. The policy enforcement infrastructure would then
> > > calculate a policy decision before the service was ever invoked.
> >
> > <?xml version="1.0"?>
> > <!-- Entities must be declared in an internal DTD subset; XACML
> >      time-in-range lives in the 2.0 function namespace. -->
> > <!DOCTYPE wsp:Policy [
> > <!ENTITY xf "urn:oasis:names:tc:xacml:1.0:function:">
> > <!ENTITY xf2 "urn:oasis:names:tc:xacml:2.0:function:">
> > <!ENTITY xdt "http://www.w3.org/2001/XMLSchema#">
> > <!ENTITY role-attr "urn:oasis:names:tc:xacml:2.0:subject:role">
> > <!ENTITY current-time
> >   "urn:oasis:names:tc:xacml:1.0:environment:current-time">
> > ]>
> >
> > <wsp:Policy
> >   xmlns:wsp="...WS-Policy..."
> >   xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
> >
> >   <wsp:All>
> >     <!-- roles must include "some:namespace:roles:trader" -->
> >     <xacml:Apply FunctionId="&xf;anyURI-is-in">
> >       <xacml:AttributeValue
> >         DataType="&xdt;anyURI">some:namespace:roles:trader</xacml:AttributeValue>
> >       <xacml:SubjectAttributeDesignator
> >         AttributeId="&role-attr;" DataType="&xdt;anyURI"/>
> >     </xacml:Apply>
> >
> >     <!-- requested trade-amount must be <= 5000; the function tests
> >          first-argument <= second-argument, so the amount comes first -->
> >     <xacml:Apply FunctionId="&xf;integer-less-than-or-equal">
> >       <xacml:Apply FunctionId="&xf;integer-one-and-only">
> >         <xacml:ActionAttributeDesignator
> >           AttributeId="some:namespace:attrs:trade-amount"
> >           DataType="&xdt;integer"/>
> >       </xacml:Apply>
> >       <xacml:AttributeValue
> >         DataType="&xdt;integer">5000</xacml:AttributeValue>
> >     </xacml:Apply>
> >
> >     <!-- Current time must be between 9am and 5pm -->
> >     <xacml:Apply FunctionId="&xf2;time-in-range">
> >       <xacml:Apply FunctionId="&xf;time-one-and-only">
> >         <xacml:EnvironmentAttributeDesignator
> >           AttributeId="&current-time;" DataType="&xdt;time"/>
> >       </xacml:Apply>
> >       <xacml:AttributeValue
> >         DataType="&xdt;time">09:00:00</xacml:AttributeValue>
> >       <xacml:AttributeValue
> >         DataType="&xdt;time">17:00:00</xacml:AttributeValue>
> >     </xacml:Apply>
> >
> >     <!-- Trade location must be "some:namespace:locations:home" or
> >          "some:namespace:locations:office" -->
> >     <wsp:ExactlyOne>
> >       <xacml:Apply FunctionId="&xf;anyURI-is-in">
> >         <xacml:AttributeValue
> >           DataType="&xdt;anyURI">some:namespace:locations:home</xacml:AttributeValue>
> >         <xacml:EnvironmentAttributeDesignator
> >           AttributeId="some:namespace:location" DataType="&xdt;anyURI"/>
> >       </xacml:Apply>
> >       <xacml:Apply FunctionId="&xf;anyURI-is-in">
> >         <xacml:AttributeValue
> >           DataType="&xdt;anyURI">some:namespace:locations:office</xacml:AttributeValue>
> >         <xacml:EnvironmentAttributeDesignator
> >           AttributeId="some:namespace:location" DataType="&xdt;anyURI"/>
> >       </xacml:Apply>
> >     </wsp:ExactlyOne>
> >
> >     <!-- Additional approval flag must be true -->
> >     <xacml:Apply FunctionId="&xf;boolean-is-in">
> >       <xacml:AttributeValue
> >         DataType="&xdt;boolean">true</xacml:AttributeValue>
> >       <xacml:SubjectAttributeDesignator
> >         AttributeId="some:namespace:additional:approval"
> >         DataType="&xdt;boolean"/>
> >     </xacml:Apply>
> >
> >   </wsp:All>
> > </wsp:Policy>
> >
> > --
> > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> > Sun Microsystems Laboratories
> > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
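Hal's description of the input context (attributes gathered in advance or fetched on the fly, with the same result either way) and Anne's policy above, carried through as an added example. This is not code from the thread, from WS-Policy or from any XACML implementation: it is a deliberately small in-memory model in which a Context Handler holds attribute bags keyed by category and AttributeId, consults a resolver only when a designator asks for an attribute the request did not carry, and evaluates the five conditions of the policy with XACML bag semantics (an empty or multi-valued bag under a one-and-only function yields Indeterminate rather than Deny). The AttributeIds and values are the ones in Anne's policy, including her `some:namespace:*` placeholders; the sample requests and the in-memory "attribute authority" resolver are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import time

# AttributeIds and values from Anne's policy above; the "some:namespace:*"
# identifiers are her placeholders, not registered URNs.
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
TRADE_AMOUNT = "some:namespace:attrs:trade-amount"
LOCATION = "some:namespace:location"
APPROVAL = "some:namespace:additional:approval"
TRADER = "some:namespace:roles:trader"
LOCATIONS = ("some:namespace:locations:home", "some:namespace:locations:office")


class Indeterminate(Exception):
    """A *-one-and-only function met a bag that does not hold exactly one value."""


# The standard XACML functions the policy applies, with their bag semantics.
def one_and_only(bag):
    if len(bag) != 1:
        raise Indeterminate(f"expected exactly one value, got {len(bag)}")
    return bag[0]


def is_in(value, bag):
    return value in bag


def time_in_range(t, lo, hi):
    # Inclusive; wraps past midnight when the range starts later than it ends.
    return lo <= t <= hi if lo <= hi else (t >= lo or t <= hi)


@dataclass
class ContextHandler:
    """The input context: attribute bags keyed by (category, AttributeId).

    `request` is what the caller asserted.  `resolvers` stand in for sources
    consulted on the fly (the external attribute authority Paul asks about): a
    designator for an attribute the request lacks triggers a fetch whose result
    is merged in, so evaluation proceeds as if it had been present all along.
    """
    request: dict
    resolvers: dict = field(default_factory=dict)
    fetched: list = field(default_factory=list)

    def designator(self, category, attribute_id):
        key = (category, attribute_id)
        if key not in self.request and key in self.resolvers:
            self.request[key] = list(self.resolvers[key]())
            self.fetched.append(key)
        return list(self.request.get(key, []))


def evaluate_trading_policy(ctx):
    """Evaluate the <wsp:All> of the thread's policy: Permit, Deny or Indeterminate."""
    try:
        conditions = [
            is_in(TRADER, ctx.designator("subject", ROLE_ATTR)),
            one_and_only(ctx.designator("action", TRADE_AMOUNT)) <= 5000,
            time_in_range(one_and_only(ctx.designator("environment", CURRENT_TIME)),
                          time(9, 0), time(17, 0)),
            # wsp:ExactlyOne over the home / office alternatives
            sum(is_in(loc, ctx.designator("environment", LOCATION)) for loc in LOCATIONS) == 1,
            is_in(True, ctx.designator("subject", APPROVAL)),
        ]
    except Indeterminate:
        return "Indeterminate"
    return "Permit" if all(conditions) else "Deny"


def local_request(overrides=None):
    """Constructed sample request in which the trade portal asserts every attribute."""
    attrs = {
        ("subject", ROLE_ATTR): [TRADER],
        ("action", TRADE_AMOUNT): [4000],
        ("environment", CURRENT_TIME): [time(10, 30)],
        ("environment", LOCATION): ["some:namespace:locations:home"],
        ("subject", APPROVAL): [True],
    }
    attrs.update(overrides or {})
    return attrs


def run_scenarios():
    """Decision per constructed scenario, plus which attributes were fetched remotely."""
    results = {
        "in_policy": evaluate_trading_policy(ContextHandler(local_request())),
        "over_limit": evaluate_trading_policy(
            ContextHandler(local_request({("action", TRADE_AMOUNT): [6000]}))),
        # Empty bag where exactly one integer is required: Indeterminate, not Deny.
        "amount_missing": evaluate_trading_policy(
            ContextHandler(local_request({("action", TRADE_AMOUNT): []}))),
    }
    # Paul's non-local case: the caller does not assert the role; the handler
    # obtains it during evaluation from a constructed in-memory attribute authority.
    remote = local_request()
    del remote[("subject", ROLE_ATTR)]
    ctx = ContextHandler(remote, resolvers={("subject", ROLE_ATTR): lambda: [TRADER]})
    results["remote_role"] = evaluate_trading_policy(ctx)
    results["fetched"] = ctx.fetched
    return results
```

The `remote_role` scenario is the point Hal makes: the decision is identical whether the role arrived in the request or was pulled from the resolver mid-evaluation, because the handler normalises both into the same context. The `fetched` list is what a practitioner would log, since every attribute that came from a resolver is one the decision trusts without the caller having asserted it, which is exactly where Hal's remark about using further policy to decide what to trust would apply.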