xacml-dev message



Subject: Re: [xacml-dev] XACML Target matching question


It would be useful to cite the specific place in the spec where the ref'd statement appears.
It is not findable looking for "default", "top", "root", etc. It would also be useful if this
"implicit" top level PolicySet had an official term by which it is referred to.

    Thanks,
    Rich


On 7/18/2011 2:35 PM, Doron Grinstein wrote:

I agree with that statement.

Doron Grinstein | CEO | BiTKOO | 818-985-4700 Ext. 31 | www.bitkoo.com

From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Monday, July 18, 2011 11:32 AM
To: Security Developer
Cc: xacml-dev@lists.oasis-open.org
Subject: Re: [xacml-dev] XACML Target matching question


The PDP spec says that an engine implementation must specify the combining algorithm. As Helmut said, it is therefore implementation-specific.

To eliminate any doubt and to increase interoperability, it may be best to use a single top level policy set which explicitly defines the combining algorithm rather than rely on an engine's choice.

I hope this clarifies things.

David.

On Jul 18, 2011 7:53 PM, "Security Developer" <security.developer22@gmail.com> wrote:
> Let me explain what i understand from all the discussion.
>
> Doron suggested that if there are multiple root policies with the same
> target then the default policy combining algorithm would be only one
> applicable.
>
> David suggested that there is no default policy combining algorithm and it
> could be any policy combining algorithm defined in XACML standard.
>
> My question is, where is this policy combining algorithm is defined. AFAIK i
> cannot define this policy combining algorithm in XACML because
> there are two separate root policies having same target and under one PDP.
>
> Thanks for your time.
>
> Best Regards.
>
>
>
> On Mon, Jul 18, 2011 at 4:33 PM, David Brossard <
> david.brossard@axiomatics.com> wrote:
>
>>
>> Hi all,
>>
>> *Short answer*:
>>
>> - Is it possible that two policies have the same target in one PDP?
>> - Yes of course, it's quite possible and it makes business sense in
>> many scenarios (see below for examples).
>> - If yes then which policy is selected by the PDP?
>> - It depends on the policy combining algorithm (see the spec
>> <http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf> for a
>> definition - 2.3 Combining algorithms). Both could potentially be
>> evaluated. See the more detailed explanation below.
>>
>>
>> *In detail*:
>>
>> In a more formal way, if one takes the time to read through the spec
>> (accessible here:
>> http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf),
>> you will find interesting items.
>>
>> First of all there are 3 top-level policy elements: <Rule>, <Policy> and
>> <PolicySet>. (quoting the spec directly). The basis for an authorization
>> decision is a policy which contains the combining algorithm for the rules.
>> The policy set is simply a means of combining several policies into a single
>> combined policy.
>>
>> Reading further down in the XACML spec, in the Functional Requirements
>> chapter which dictates how evaluation should proceed, *section 7.15
>> "Authorization Decision"* explains exactly how a decision should be
>> reached whether there are multiple policies that can be matched or not:
>>
>> "In relation to a particular decision request, the PDP is defined by a
>> policy-combining algorithm and a set of policies and/or policy sets. The PDP
>> SHALL return a response context as if it had evaluated a single policy set
>> consisting of this policy-combining algorithm and the set of policies and/or
>> policy sets.
>> The PDP MUST evaluate the policy set as specified in Sections 5 and 7. The
>> PDP MUST return a response context, with one <Decision> element of value
>> "Permit", "Deny", "Indeterminate" or "NotApplicable".
>> If the PDP cannot make a decision, then an "Indeterminate" <Decision>
>> element SHALL be returned."
>>
>> The paragraph above highlights one very important point: the PDP must
>> always have a policy-combining algorithm at the very top. Any XACML 3.0
>> implementation should respect that. It then considers all the top policies
>> (policy sets) as if they were within a policy set with the combining
>> algorithm defined at the very top.
>>
>> Finally, after reading through the spec, I could not see any mention of a
>> default combining algorithm as Doron suggested.
>>
>> It is a requirement that the PDP consider all root policies as if they
>> were children of a single policy set as described in section 7.15 but the
>> choice of combining algorithm is down to the implementation.
>>
>> Helmut is quite right in highlighting the following: "If the two policies
>> are top level policies and there is no combining algorithm, you should get
>> an error from your PDP". Section 7.15 stipulates that there must be a
>> combining algorithm.
>> combining algorithm.
>>
>> Note that choosing a PDP that forces you to use only-one-applicable has
>> considerable limitations. Section C.9 describes its behavior: if two
>> policies combined with only-one-applicable match an incoming request, the
>> PDP is forced to return Indeterminate. However, this would make enterprise
>> scenarios fail where for instance 2 policies have the same target simply
>> because one addresses enterprise-wide requirements such as "out-of-office
>> hours" whereas the other policy could address direct business requirements
>> e.g. "access to sensitive information".
>>
>> Being able to segregate policies on different planes (enterprise-wide
>> policies about hours of work, geo-location, SoD, PCI-DSS on one hand and
>> business-specific policies on the other) is one of the strengths of 100%
>> XACML solutions and fine-grained access control. The ability to choose the
>> combining algorithm gives you that flexibility and strength.
>>
>> I hope this helps clarify the situation.
>>
>> Cheers,
>> David.
>> --
>> David Brossard, M.Eng, SCEA, CSTP
>> Solutions Architect
>> +46(0)760 25 85 75
>> Axiomatics AB
>> Skeppsbron 40
>> S-111 30 Stockholm, Sweden
>> http://www.linkedin.com/companies/536082
>> http://www.axiomatics.com
>> http://twitter.com/axiomatics
>> 2011/7/17 Doron Grinstein
>>
>>> Multiple policies can have the same target in the same PDP. How their
>>> decision results are combined is determined by their parent policy-set’s
>>> policy combining algorithm.
>>>
>>> If there is no parent policy set (because you have configured the PDP to
>>> take multiple root policies), then the PDP will behave as though the
>>> multiple root policies were the children of a policy set with a policy
>>> combining algorithm of “only one applicable”. (I don’t recall offhand if
>>> this is a requirement of the XACML spec or just a recommendation, you’d need
>>> to check the spec doc)
>>>
>>> In the situation you described, if the PDP were forced to work with
>>> multiple root policies, every request would return “Indeterminate” because
>>> more than one policy is applicable and that is not acceptable under the
>>> implicit “only one applicable” policy combining algorithm.
>>>
>>> A PDP instance must have a single root policy(set) to evaluate requests
>>> against. If you give the PDP multiple root policies, it will behave as
>>> though it created an in-memory policy set to contain the given policies. I
>>> hope this brief explanation helps answer your question.
>>>
>>> *From:* Security Developer [mailto:security.developer22@gmail.com]
>>> *Sent:* Saturday, July 16, 2011 2:43 AM
>>> *To:* xacml-dev@lists.oasis-open.org
>>> *Subject:* [xacml-dev] XACML Target matching question
>>>
>>> Hi All,
>>>
>>> I have a question regarding XACML target matching.
>>>
>>> 1 - Is it possible that two policies have the same target in one PDP?
>>> suppose
>>>
>>> *Policy-1*
>>>
>>> <Policy>
>>> <Target/>
>>>
>>> </Policy>
>>>
>>> *Policy-2*
>>>
>>> <Policy>
>>> <Target/>
>>>
>>> </Policy>
>>>
>>> Is the above case possible? if yes then which policy is selected by the
>>> PDP?
>>>
>>> Thanks for your time.
>>>
>>> Best Regards.
>>>
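The combining behaviour argued over in the thread above (section 7.15's implicit top-level policy set, and the section C.9 only-one-applicable outcome for two root policies with empty targets), as an added example that is not part of any participant's message or of the XACML spec text: a toy PDP that wraps its root policies in one implicit policy set and applies a configurable policy-combining algorithm. The Policy class, the attribute-map targets, the request values and the collapsing of the 3.0 Indeterminate{D}/{P}/{DP} sub-classes into plain "Indeterminate" are constructed simplifications for illustration.

```python
# Added example (not from the thread or the XACML spec): a toy PDP that, per
# section 7.15, treats its root policies as children of one implicit PolicySet
# and applies a chosen policy-combining algorithm (Appendix C, simplified).
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

@dataclass
class Policy:
    policy_id: str
    target: Dict[str, str]  # attribute -> value; {} behaves like an empty <Target/>
    effect: str             # decision yielded when the target matches (constructed)

    def evaluate(self, request: Dict[str, str]) -> str:
        matched = all(request.get(k) == v for k, v in self.target.items())
        return self.effect if matched else NOT_APPLICABLE

def only_one_applicable(decisions: List[str]) -> str:
    """C.9: exactly one applicable child is required, otherwise Indeterminate."""
    applicable = [d for d in decisions if d != NOT_APPLICABLE]
    if not applicable:
        return NOT_APPLICABLE
    return applicable[0] if len(applicable) == 1 else INDETERMINATE

def deny_overrides(decisions: List[str]) -> str:
    """C.2 (sub-classes collapsed): Deny wins, then Indeterminate, then Permit."""
    for outcome in (DENY, INDETERMINATE, PERMIT):
        if outcome in decisions:
            return outcome
    return NOT_APPLICABLE

def first_applicable(decisions: List[str]) -> str:
    """C.6: the first child that is not NotApplicable decides."""
    return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)

def pdp_decide(combiner: Callable[[List[str]], str],
               root_policies: List[Policy], request: Dict[str, str]) -> str:
    """Section 7.15: evaluate as a single PolicySet {combiner, root policies}."""
    return combiner([p.evaluate(request) for p in root_policies])

# Constructed sample: the thread's two root policies, both with an empty target.
ROOT_POLICIES = [Policy("Policy-1", {}, PERMIT),   # e.g. business-specific grant
                 Policy("Policy-2", {}, DENY)]     # e.g. enterprise-wide restriction
REQUEST = {"subject-id": "alice", "resource-id": "report-42", "action-id": "read"}

if __name__ == "__main__":
    for algo in (only_one_applicable, deny_overrides, first_applicable):
        print(f"{algo.__name__:>20}: {pdp_decide(algo, ROOT_POLICIES, REQUEST)}")
```

Swapping the combiner is the whole difference: with both policies matching every request, only-one-applicable yields Indeterminate while deny-overrides resolves the same pair to Deny.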


