[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-dev] XACML Target matching question
The referenced statement was specified by David: section 7.15,
"Authorization Decsion."
After reading this section 7.15 (I did not find it when skimming over
the spec - thanks@David), I think there is no implicit top level
PolicySet, but rather a top level Policy Combining Algorithm, which is a
property of the PDP (which should/could be configurable). Anyhow, how
it is determined ("hard-coded" or configurable) is implementation
dependent.
Regards,
Helmut
On 07/18/2011 09:44 PM, rich levinson wrote:
> It would be useful to cite the specific place in the spec where the
> ref'd statement appears.
> It is not findable looking for "default", "top", "root", etc. It would
> also be useful if this
> "implicit" top level PolicySet had an official term by which it is
> referred to.
>
> Thanks,
> Rich
>
>
>> >> Reading further down in the XACML spec, in the Functional Requirements
>> >> chapter which dictates how evaluation should proceed, *section 7.15
>> >> "Authorization Decision"* explains exactly how a decision should be
>> >> reached whether there are multiple policies that can be matched or not:
>> >>
>> >> *In relation to a particular decision request, the PDP is defined by a
>> >> policy-combining algorithm and a set of policies and/or policy
>> sets. The PDP
>> >> SHALL return a response context as if it had evaluated a single
>> policy set
>> >> consisting of this policy-combining algorithm and the set of
>> policies and/or
>> >> policy sets.
>> >> The PDP MUST evaluate the policy set as specified in Sections 5 and
>> 7. The
>> >> PDP MUST return a response context, with one <Decision> element of
>> value
>> >> "Permit", "Deny", "Indeterminate" or "NotApplicable".
>> >> If the PDP cannot make a decision, then an "Indeterminate" <Decision>
>> >> element SHALL be returned.
>> >>
>> >> *
>> >> The paragraph above highlights one very important point: *the PDP must
>> >> always have a policy-combining algorithm at the very top. Any XACML 3.0
>> >> implementation should respect that. It then considers all the top
>> policies
>> >> (policy sets) as if they were within a policy set with the combining
>> >> algorithm defined at the very top.
>> >>
>> >> *Finally, after reading through the spec, I could not see any
>> mention of a
>> >> default combining algorithm as Doron suggested it.*
>> >>
>> >> *It is a requirement that the PDP consider all root policies as if they
>> >> were children of a single policy set as described in section 7.15
>> but the
>> >> choice of combining algorithm is down to the implementation.
>> >>
>> >> Helmut is quite right in highlighting the following: *"If the two
>> policies
>> >> are top level policies and there is no combining algorithm, you
>> should get
>> >> an error from your PDP"*. Section 7.15 stipulates that there must be a
>> >> combining algorithm.
>> >>
>> >> Note that choosing a PDP that forces you to use only-one-applicable has
>> >> considerable limitations. Section C.9 describes its behavior: if two
>> >> policies combined with only-one-applicable match an incoming
>> request, the
>> >> PDP is forced to return Indeterminate. However, this would make
>> enterprise
>> >> scenarios fail where for instance 2 policies have the same target
>> simply
>> >> because one addresses enterprise-wide requirements such as
>> "out-of-office
>> >> hours" whereas the other policy could address direct business
>> requirements
>> >> e.g. "access to sensitive information".
>> >>
>> >> Being able to segregate policies on different planes (enterprise-wide
>> >> policies about hours of work, geo-location, SoD, PCI-DSS on one
>> hand and
>> >> business-specific policies on the other) is one of the strengths of
>> 100%
>> >> XACML solutions and fine-grained access control. The ability to
>> choose the
>> >> combining algorithm gives you that flexibility and strength.
>> >>
>> >> I hope this helps clarify the situation.
>> >>
>> >> Cheers,
>> >> David.
>> >> * *
>> >> --
>> >> David Brossard, M.Eng, SCEA, CSTP
>> >> Solutions Architect
>> >> +46(0)760 25 85 75
>> >> Axiomatics AB
>> >> Skeppsbron 40
>> >> S-111 30 Stockholm, Sweden
>> >> http://www.linkedin.com/companies/536082
>> >> http://www.axiomatics.com
>> >> http://twitter.com/axiomatics
>> >> 2011/7/17 Doron Grinstein
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]