Subject: [xacml-comment] XACML Context
Some thoughts on the XACML context.

1. Would it be possible to restrict both the context and the policy to known attributes, these attributes being defined separately, so that the policy does not contain details of how to retrieve attributes? The advantage of this approach is that it defines the attributes available to the policy writers and creates an abstraction layer between the policy and the source of the attributes. If the location of the attribute changes, the policy does not; additionally, the policy looks a lot cleaner and does not require AttributeSelectors. The main driver for this is to simplify the policies and make them easier to write. Most organizations will define the attributes at the beginning and they will largely remain fixed, so separating attribute details from policy has major benefits.

2. When mapping from SAML to the XACML context, we feel that the SAML attribute assertions should be converted to XACML attribute definitions. One of the purposes of the context is to shield XACML from external formats, but that is not really achieved here, and the attributes have to be accessed through AttributeSelectors.

Our thoughts on this were that it would be simpler if the context had an evidence element to contain additional attributes.
e.g.

    <Request>
      <Subject>
      </Subject>
      <Resource>
      </Resource>
      <Action>
      </Action>
      <Evidence>
      </Evidence>
      <Environment>
      </Environment>
    </Request>

Non-subject SAML attributes are placed in the Evidence section and can then be accessed via AttributeDesignators. It may be appropriate to add attributes retrieved by the PIP to this section as well, so that the policy always addresses the context to obtain attribute values.
John Howard
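The following is an added illustration of the proposal above, not code from the post or from any XACML implementation: it builds the proposed Request context (with the hypothetical Evidence section), sorts constructed SAML attributes and PIP-retrieved attributes into it, and resolves AttributeDesignator lookups so that the policy only ever names a category and an AttributeId, never the attribute's source. Element names, attribute ids and the sample values are all assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: SAML attributes from an assertion, flagged by whether
# they describe the subject or are additional (non-subject) evidence.
SAML_ATTRIBUTES = [
    {"name": "role", "subject": True, "value": "clerk"},
    {"name": "clearance", "subject": True, "value": "confidential"},
    {"name": "ticket-approved", "subject": False, "value": "true"},
]

SECTIONS = ("Subject", "Resource", "Action", "Evidence", "Environment")


def build_request(saml_attrs, resource_id, action_id, pip_attrs=None):
    """Build the proposed Request context (hypothetical Evidence section).
    Subject attributes go under <Subject>; non-subject SAML attributes and
    anything the PIP retrieved go under <Evidence>."""
    req = ET.Element("Request")
    sections = {name: ET.SubElement(req, name) for name in SECTIONS}
    for a in saml_attrs:
        target = sections["Subject"] if a["subject"] else sections["Evidence"]
        ET.SubElement(target, "Attribute", AttributeId=a["name"]).text = a["value"]
    ET.SubElement(sections["Resource"], "Attribute", AttributeId="resource-id").text = resource_id
    ET.SubElement(sections["Action"], "Attribute", AttributeId="action-id").text = action_id
    for name, value in (pip_attrs or {}).items():
        ET.SubElement(sections["Evidence"], "Attribute", AttributeId=name).text = value
    return req


def designator(req, category, attribute_id):
    """Resolve an AttributeDesignator against the context: the policy names a
    category and an AttributeId only; whether the value came from SAML or a
    PIP is invisible to it. Unknown categories resolve to an empty bag."""
    section = req.find(category)
    if section is None:
        return []
    return [a.text for a in section.findall("Attribute") if a.get("AttributeId") == attribute_id]


def evaluate(req):
    """Toy rule: permit 'approve' only for clerks whose ticket is approved."""
    is_clerk = "clerk" in designator(req, "Subject", "role")
    approved = "true" in designator(req, "Evidence", "ticket-approved")
    action = designator(req, "Action", "action-id")
    return "Permit" if is_clerk and approved and action == ["approve"] else "Deny"


if __name__ == "__main__":
    r = build_request(SAML_ATTRIBUTES, "ledger", "approve", pip_attrs={"account-status": "active"})
    print(ET.tostring(r, encoding="unicode"))
    print(evaluate(r))  # prints "Permit"
```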