xacml-comment message



Subject: RE: [xacml-comment] Question on 'SAML 2.0 profile of XACML v2.0'




> -----Original Message-----
> From: Rüdiger Gartmann [mailto:R.Gartmann@conterra.de]
> Sent: Tuesday, February 26, 2008 9:50 AM
> To: xacml-comment@lists.oasis-open.org
> Subject: [xacml-comment] Question on 'SAML 2.0 profile of XACML v2.0'
> 
> Dear XACML experts,
> 
> We are about to implement the 'SAML 2.0 profile of XACML v2.0' in order to
> express licenses which contain access rights to certain services
> (currently using XACML 1.1). We store those licenses in a license manager
> which implements an XACMLPolicyQuery interface.
> 
> For querying this service for administration purposes we need support
> for wildcards. For searching for certain subjects, for instance, the
> schema xacml-1.1-profile-saml2.0-v2-schema-protocol-wd-5.xsd allows the
> following query:
> 
> <xacml-context:Subject>
>   <xacml-context:Attribute
>       DataType="http://www.w3.org/2001/XMLSchema#string"
>       AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
>     <xacml-context:AttributeValue>Alice</xacml-context:AttributeValue>
>   </xacml-context:Attribute>
> </xacml-context:Subject>
> 
> (This is similar for resources and actions.)
> 
> For us this leads to two problems:
> 
> 1. The query schema requires all three: a subject (at least one), a
> resource and an action. If we want to query all licenses containing
> policies for a certain action on a certain resource (regardless of the
> subject) we would need something like an 'AnySubject', which is not
> allowed by the schema.

Actually it requires four elements: Subject, Resource, Action and Environment. However, any of these may be empty, and it will be treated as "Any".

> 
> 2. In contrast to the policy schema, in the query schema there is no
> MatchID. So for querying we can only use exact matches and no 'like'
> operators or something like that. (In fact, this point is less important
> than the first one.)

I don't understand what you are trying to accomplish. In XACML we have policies. The policies operate on input data, not the other way around. The input data is provided in the Request Context.

If you want to ask if Bill and Mary can do something, you can:

1. Ask about first one then the other, or
2. Arrange that Bill and Mary have some common attribute and ask about it.

The same goes for Resource, Action and Environment, except in the case of resource we allow the shortcut of specifying several resources in one Request Context. However, in this case the PDP evaluates each as a separate request.

The theory behind all of this is that XACML is Request-centric.

1. A request is made; the question XACML is trying to answer is: should it be allowed?
2. Various information about the request is available. The only piece of information that is surely available is the Resource. There may be information about 1 or more subjects. There may be information about the Action if more than one action is possible on the resource. There may be information about the Environment. (For example, the current date/time may be filled in, or some other date/time if this is a what-if type query.)
3. The PDP uses the available information to search for policies which are applicable. The use of Target can optimize this search by quickly identifying policies which may apply, but only by evaluating both the Target and Conditions can it be determined if the policies are applicable.
4. Once the applicable policies are determined, their Effects and Obligations can be combined to determine the result, which is reflected in the Response Context.

The design of XACML makes certain kinds of operations infeasible. For example, people often ask us about reverse queries, such as "tell me everything in the world Bill can do". However, these operations are often infeasible anyway in a large-scale open environment. Often the information is not accessible and in any event is likely to change during the time it takes to do a complete evaluation. A possible alternative which solves some problems of this type is to do partial policy evaluation. Some people are looking into how to do this. For a more general discussion, see Issue 13 in the wiki here:

http://wiki.oasis-open.org/xacml/ClosedIssues

In closing, note that we have two mailing lists which are open to members and non-members of OASIS. xacml-dev is for people working on implementations. xacml-users is for people trying to write policies.

Hal

> 
> Does anybody know a solution for this? Or at least any hint how to solve
> this issue? Or is my approach completely wrong?
> 
> Best regards,
> Rüdiger
> --
> Dipl.-Wirt.Inform. Rüdiger Gartmann
> 
> con terra
> Gesellschaft für Angewandte Informationstechnologie mbH
> Martin-Luther-King-Weg 24
> D-48155 Münster, Germany
> 
> Geschäftsführer: Dr. Albert Remke
> Amtsgericht Münster HRB 4149
> 
> Tel: +49 251 / 7474 - 301
> Fax: +49 251 / 7474 - 100
> 
> E-Mail: R.Gartmann@conterra.de
> http://www.conterra.de
> 
> 
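An added example, not from this thread or from any XACML implementation, that models the rule in Hal's reply: a query context whose Subject (or Resource, Action, Environment) element is present but empty is treated as "Any" when selecting policies. It assumes the XACML 2.0 Request Context namespace, reduces policy Targets to dicts of required attribute values, and uses constructed sample policies and a constructed query.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # XACML 2.0 Request Context namespace
CATEGORIES = ("Subject", "Resource", "Action", "Environment")
SUBJ, RES, ACT = ("urn:oasis:names:tc:xacml:1.0:subject:subject-id",
                  "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                  "urn:oasis:names:tc:xacml:1.0:action:action-id")

def parse_request(xml_text):
    """Return {category: {AttributeId: set(values)}} from an XACML 2.0 Request Context."""
    root = ET.fromstring(xml_text)
    ctx = {}
    for cat in CATEGORIES:
        attrs = {}
        for el in root.findall(f"{{{CTX}}}{cat}"):
            for attr in el.findall(f"{{{CTX}}}Attribute"):
                vals = {v.text for v in attr.findall(f"{{{CTX}}}AttributeValue")}
                attrs.setdefault(attr.get("AttributeId"), set()).update(vals)
        ctx[cat] = attrs  # {} when the category is present but empty, or absent
    return ctx

def target_matches(target, ctx):
    """target = {category: {AttributeId: value}} (toy stand-in for a policy Target).
    A category missing from the target matches anything (AnySubject etc.); a category
    left empty in the query context is treated as "Any", as Hal's reply describes."""
    for cat, required in target.items():
        if not ctx[cat]:
            continue  # empty query category acts as a wildcard
        if any(val not in ctx[cat].get(aid, set()) for aid, val in required.items()):
            return False
    return True

def query_policies(xml_text, policies):
    """Return the ids of policies whose target matches the query context, in order."""
    ctx = parse_request(xml_text)
    return [pid for pid, target in policies if target_matches(target, ctx)]

# Constructed sample data: three license policies and a query that leaves Subject empty.
POLICIES = [
    ("alice-read-wms", {"Subject": {SUBJ: "Alice"}, "Resource": {RES: "urn:example:wms"}, "Action": {ACT: "read"}}),
    ("bob-read-wms", {"Subject": {SUBJ: "Bob"}, "Resource": {RES: "urn:example:wms"}, "Action": {ACT: "read"}}),
    ("alice-write-wfs", {"Subject": {SUBJ: "Alice"}, "Resource": {RES: "urn:example:wfs"}, "Action": {ACT: "write"}}),
]
XS = "http://www.w3.org/2001/XMLSchema#"
QUERY_ANY_SUBJECT = f"""<Request xmlns="{CTX}">
  <Subject/>
  <Resource><Attribute AttributeId="{RES}" DataType="{XS}anyURI"><AttributeValue>urn:example:wms</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="{ACT}" DataType="{XS}string"><AttributeValue>read</AttributeValue></Attribute></Action>
  <Environment/>
</Request>"""
```

This only models target selection for the administrative query case; a real PDP also evaluates Conditions and combines Effects and Obligations before producing a Response Context.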


