[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-dev] policy guarding
Hi Lutz,

The ANSI RBAC model, which the XACML RBAC Profile follows, is a "positive permission model". Effect="Deny" Rules can't be used. So you should never get a "Deny" result, just "Permit" or "NotApplicable". A client request or response action will evaluate to "Permit" if it is explicitly permitted, and "NotApplicable" if it is not explicitly permitted.

The defaulting you describe needs to be done by the PEP: converting "NotApplicable" to "Deny" for RequestActions, and to "Permit" for ResponseActions.

Or, if you are not using hierarchical roles, perhaps you could create a ClientRequests Role and a ClientResponses Role, and put your Effect="Deny" default into the Permission PolicySet of the ClientRequests Role.

[The problem with Effect="Deny" Rules with hierarchical roles is that they are inherited upwards by more powerful roles, which is not what you want. Jason Crampton has suggested grouping Deny Rules into separate "Negative Permission PolicySets" that reference the "Negative Permission PolicySet" of the more senior role, but this is not part of the current Profile and is not part of the ANSI RBAC model.]

Anne

Lutz Suhrbier wrote:
> Hello,
>
> I have a problem concerning the guarding of policy(sets). I set up an
> RBAC scenario, where I have a policyset for a client role, which
> references two policy sets, one for requests and one for responses on
> specific actions. The request policy defaults to deny, the response
> policy defaults to permit. Now, I encounter the problem that if the
> request policy denies a request, the evaluation result returns "permit",
> because the response policy defaults to permit.
>
> Now, I tried to solve the problem by guarding the request and response
> policy sets within the targets of the policy sets, allowing only specific
> actions for requests or responses respectively, so that only those
> request actions can pass to the request policy rules, and response
> requests to the response policy rules, which are predefined.
>
> But it does not work. I always get the result "not applicable", even if
> I send a request including an action attribute stated in the policy set
> target. Did I completely misunderstand something?
>
> Any hints are welcome
> Lutz
>
> P.S.: Here are the policy files and a request and result:
> ____________________
> Top level policy set client:
>
> <PolicySet PolicySetId="biocase:role:client"
>     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
>   <Target>
>     <Subjects>
>       <Subject>
>         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">biocase:role_values:client</AttributeValue>
>           <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
>               DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
>         </SubjectMatch>
>       </Subject>
>     </Subjects>
>     <Resources>
>       <AnyResource/>
>     </Resources>
>     <Actions>
>       <AnyAction/>
>     </Actions>
>   </Target>
>   <PolicySetIdReference>biocase:rolepermissions:client-request</PolicySetIdReference>
>   <PolicySetIdReference>biocase:rolepermissions:client-response</PolicySetIdReference>
> </PolicySet>
> ________________________________
> client request policy set:
>
> <PolicySet PolicySetId="biocase:rolepermissions:client-request"
>     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
>   <Target>
>     <Subjects>
>       <AnySubject/>
>     </Subjects>
>     <Resources>
>       <AnyResource/>
>     </Resources>
>     <Actions>
>       <!-- As posted, this ActionMatch sat directly under Actions with no
>            enclosing Action element; the XACML 1.x schema requires
>            Actions to contain Action (or AnyAction), so the wrapper is
>            added here. -->
>       <Action>
>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scan-request</AttributeValue>
>           <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </ActionMatch>
>       </Action>
>     </Actions>
>   </Target>
>   <Policy PolicyId="biocase:permissions:client-request"
>       RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
>     <Target>
>       <Subjects>
>         <AnySubject/>
>       </Subjects>
>       <Resources>
>         <AnyResource/>
>       </Resources>
>       <Actions>
>         <AnyAction/>
>       </Actions>
>     </Target>
>     <Rule RuleId="biocase:permission:permit_capabilities" Effect="Permit">
>       <Target>
>         <Subjects>
>           <AnySubject/>
>         </Subjects>
>         <Resources>
>           <Resource>
>             <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">any</AttributeValue>
>               <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
>             </ResourceMatch>
>           </Resource>
>         </Resources>
>         <Actions>
>           <Action>
>             <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">capabilities-request</AttributeValue>
>               <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
>             </ActionMatch>
>           </Action>
>         </Actions>
>       </Target>
>     </Rule>
>     <Rule RuleId="biocase:permission:permit_scan" Effect="Permit">
>       <Target>
>         <Subjects>
>           <AnySubject/>
>         </Subjects>
>         <Resources>
>           <Resource>
>             <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/DataSets/DataSet/Units/Unit/Identifications/Identification/TaxonIdentified/ScientificNameAtomized/Botanical/Genus</AttributeValue>
>               <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
>             </ResourceMatch>
>           </Resource>
>         </Resources>
>         <Actions>
>           <Action>
>             <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scan-request</AttributeValue>
>               <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
>             </ActionMatch>
>           </Action>
>         </Actions>
>       </Target>
>     </Rule>
>     <Rule RuleId="permission:DefaultRule" Effect="Deny">
>       <Target>
>         <Subjects>
>           <AnySubject/>
>         </Subjects>
>         <Resources>
>           <AnyResource/>
>         </Resources>
>         <Actions>
>           <AnyAction/>
>         </Actions>
>       </Target>
>     </Rule>
>   </Policy>
> </PolicySet>
> ___________________________
> client response policy set:
>
> <PolicySet PolicySetId="biocase:rolepermissions:client-response"
>     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
>   <Target>
>     <Subjects>
>       <AnySubject/>
>     </Subjects>
>     <Resources>
>       <AnyResource/>
>     </Resources>
>     <Actions>
>       <!-- Same as in the request policy set: the enclosing Action element
>            was missing in the posted file and is added here. -->
>       <Action>
>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scan-response</AttributeValue>
>           <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </ActionMatch>
>       </Action>
>     </Actions>
>   </Target>
>   <Policy PolicyId="biocase:permissions:client-response"
>       RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
>     <Target>
>       <Subjects>
>         <AnySubject/>
>       </Subjects>
>       <Resources>
>         <AnyResource/>
>       </Resources>
>       <Actions>
>         <AnyAction/>
>       </Actions>
>     </Target>
>     <Rule RuleId="biocase:permission:permit_scan_response" Effect="Permit">
>       <Target>
>         <Subjects>
>           <AnySubject/>
>         </Subjects>
>         <Resources>
>           <Resource>
>             <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">any</AttributeValue>
>               <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
>             </ResourceMatch>
>           </Resource>
>         </Resources>
>         <Actions>
>           <Action>
>             <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scan-response</AttributeValue>
>               <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
>             </ActionMatch>
>           </Action>
>         </Actions>
>       </Target>
>     </Rule>
>     <Rule RuleId="biocase:permission:permit_capabilities_response" Effect="Permit">
>       <Target>
>         <Subjects>
>           <AnySubject/>
>         </Subjects>
>         <Resources>
>           <Resource>
>             <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">any</AttributeValue>
>               <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
>             </ResourceMatch>
>           </Resource>
>         </Resources>
>         <Actions>
>           <Action>
>             <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">capabilities-response</AttributeValue>
>               <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
>             </ActionMatch>
>           </Action>
>         </Actions>
>       </Target>
>     </Rule>
>     <Rule RuleId="permission:DefaultRule" Effect="Permit">
>       <Target>
>         <Subjects>
>           <AnySubject/>
>         </Subjects>
>         <Resources>
>           <AnyResource/>
>         </Resources>
>         <Actions>
>           <AnyAction/>
>         </Actions>
>       </Target>
>     </Rule>
>   </Policy>
> </PolicySet>
> ________________________________________
> request:
>
> <Request>
>   <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
>     <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
>         DataType="http://www.w3.org/2001/XMLSchema#anyURI">
>       <AttributeValue>biocase:role_values:client</AttributeValue>
>     </Attribute>
>   </Subject>
>   <Resource>
>     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>         DataType="http://www.w3.org/2001/XMLSchema#string">
>       <AttributeValue>/DataSets/DataSet/Units/Unit/Identifications/Identification/TaxonIdentified/ScientificNameAtomized/Botanical/Genus</AttributeValue>
>     </Attribute>
>   </Resource>
>   <Action>
>     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>         DataType="http://www.w3.org/2001/XMLSchema#string">
>       <AttributeValue>scan-request</AttributeValue>
>     </Attribute>
>   </Action>
> </Request>
> ______________________
> result:
>
> <Result ResourceID="/DataSets/DataSet/Units/Unit/Identifications/Identification/TaxonIdentified/ScientificNameAtomized/Botanical/Genus">
>   <Decision>NotApplicable</Decision>
>   <Status>
>     <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
>   </Status>
> </Result>

-- 
Anne H. Anderson
Anne.Anderson@sun.com
Sun Microsystems Labs
1-781-442-0928
Burlington, MA USA
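The combining behaviour Anne describes, as an added worked example that is not part of the original thread and is not code from Sun's XACML implementation or the RBAC Profile: a small Python model of the permit-overrides and deny-overrides combining algorithms with NotApplicable (Indeterminate is left out), the two PolicySet layouts from the thread (Lutz's Deny/Permit defaults with unguarded Targets versus a Permit-only layout with action-guarded Targets), and the PEP-side defaulting that turns NotApplicable into Deny for request actions and Permit for response actions. The role, action and Genus resource identifiers come from Lutz's post; the `-request` suffix test in `pep_decide`, the second sample resource path and the use of `None` to stand for AnyResource are assumptions of this example.

```python
"""Toy model of XACML 1.x combining algorithms and PEP-side defaulting.

Added example for this thread, not code from the original post, from Sun's
XACML implementation, or from the XACML RBAC Profile. Only Permit, Deny and
NotApplicable are modelled; Indeterminate and obligations are omitted.
"""

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

# resource-id used in Lutz's permit_scan rule and his sample request
GENUS = ("/DataSets/DataSet/Units/Unit/Identifications/Identification/"
         "TaxonIdentified/ScientificNameAtomized/Botanical/Genus")


def permit_overrides(decisions):
    """permit-overrides: any Permit wins, else any Deny, else NotApplicable."""
    ds = list(decisions)
    return PERMIT if PERMIT in ds else DENY if DENY in ds else NA


def deny_overrides(decisions):
    """deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    ds = list(decisions)
    return DENY if DENY in ds else PERMIT if PERMIT in ds else NA


class Rule:
    """A Rule whose Target matches action-id / resource-id exactly.
    None stands for AnyAction / AnyResource (assumption of this model)."""

    def __init__(self, effect, action=None, resource=None):
        self.effect, self.action, self.resource = effect, action, resource

    def evaluate(self, req):
        if self.action is not None and req["action"] != self.action:
            return NA
        if self.resource is not None and req["resource"] != self.resource:
            return NA
        return self.effect


class PolicySet:
    """Policy or PolicySet: a Target (role and/or a set of permitted
    action-ids), a combining algorithm and child Rules/PolicySets."""

    def __init__(self, combiner, children, role=None, actions=None):
        self.combiner, self.children = combiner, children
        self.role, self.actions = role, actions

    def evaluate(self, req):
        if self.role is not None and req["role"] != self.role:
            return NA
        if self.actions is not None and req["action"] not in self.actions:
            return NA  # Target does not match: NotApplicable, children unseen
        return self.combiner(c.evaluate(req) for c in self.children)


def original_client_policyset():
    """Modelled after Lutz's layout: Deny default in the request policy,
    Permit default in the response policy, no action guard on the Targets."""
    request_ps = PolicySet(permit_overrides, [
        Rule(PERMIT, action="capabilities-request"),
        Rule(PERMIT, action="scan-request", resource=GENUS),
        Rule(DENY)])
    response_ps = PolicySet(deny_overrides, [
        Rule(PERMIT, action="scan-response"),
        Rule(PERMIT, action="capabilities-response"),
        Rule(PERMIT)])
    return PolicySet(permit_overrides, [request_ps, response_ps], role="client")


def positive_client_policyset():
    """Positive-permission layout: Permit Rules only, and each PolicySet
    Target lists the action-ids it is responsible for."""
    request_ps = PolicySet(permit_overrides, [
        Rule(PERMIT, action="capabilities-request"),
        Rule(PERMIT, action="scan-request", resource=GENUS)],
        actions={"capabilities-request", "scan-request"})
    response_ps = PolicySet(permit_overrides, [
        Rule(PERMIT, action="scan-response"),
        Rule(PERMIT, action="capabilities-response")],
        actions={"scan-response", "capabilities-response"})
    return PolicySet(permit_overrides, [request_ps, response_ps], role="client")


def pep_decide(pdp_decision, action):
    """PEP-side defaulting: NotApplicable becomes Deny for request actions
    (fail closed) and Permit for response actions. Classifying by the
    '-request' suffix is an assumption based on Lutz's action names."""
    if pdp_decision != NA:
        return pdp_decision
    return DENY if action.endswith("-request") else PERMIT


def decide(policyset, role, resource, action):
    """PDP evaluation followed by the PEP defaulting step."""
    req = {"role": role, "resource": resource, "action": action}
    return pep_decide(policyset.evaluate(req), action)


if __name__ == "__main__":
    other = "/DataSets/DataSet/Units/Unit/UnitID"  # constructed sample resource
    # Original layout: a scan-request on a resource no Rule permits still
    # yields Permit, because the response policy's default Permit wins under
    # permit-overrides at the top level.
    print(original_client_policyset().evaluate(
        {"role": "client", "resource": other, "action": "scan-request"}))
    # Positive layout: the PDP answers NotApplicable and the PEP turns that
    # into Deny for the request action, while a permitted response stays Permit.
    print(decide(positive_client_policyset(), "client", other, "scan-request"))
    print(decide(positive_client_policyset(), "client", other, "scan-response"))
```

Running the module prints Permit for the original layout and Deny, then Permit, for the positive layout. Note that the PEP's Permit default for response actions is a fail-open choice: an unknown response action such as a constructed `delete-response` also ends up permitted, which is the behaviour Lutz asked for but worth stating explicitly when the PEP is written.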