
xacml-users message


Subject: Re: [xacml-users] inconsistency in XACML policies - avoiding rule conflicts

Hi Jan. I'm still having trouble understanding exactly what you're
describing, but I'll take a shot and let me know how close I am...

On Tue, 2004-10-12 at 17:20, Jan bei GMX wrote:
> [...]
> The problem now is that if an administrator is just allowed to declare rules
> with a fixed effect, then he is restricted in what he can permit (or deny).
> My idea is now to allow the declaration of arbitrary rules. The PAP then has
> to translate these rules into rules of the desired effect and combine them
> with the existing rules. The combination is necessary because only by this
> one can achieve that the semantic of the new rule and the old semantics are
> combined. The combination can be done by modifying the condition of the new
> rule with the wrong effect by not(Condition). Then by adding this condition
> to the conditions of the old ones by "and" or "or" one has reached the
> transformation of a rule with opposite effect (e.g. positive rule) into the
> desired policy (e.g. open policy).

Ok. I think what you're saying is as follows. For a given query, there
is only one Policy that applies. In that Policy, there is one Rule (with
an Effect of Permit) that has all the Condition logic, and then a second
Rule (with an Effect of Deny) that is the default, fall-through Rule.

All logic is added in the Permit Rule, using and/or to combine in new
predicates as needed. In this way, the Policy always reads as "here are
the specific cases that result in Permit, and all cases not covered here
result in Deny." You never take away rights with deny rules, you only
grant more cases. Is that about right?

This seems like it should get you what you want, i.e., a clear way to show
that there are no contradictions. It also seems like it could get hard
to manage, and will probably require tools that force you to use this
model. I will be interested to hear your experiences with this model.

> Do you know if such a transformation is possible for every use case?.

I don't think I can prove it just now, but it sounds plausible [1]. In
general, you should be able to express any XACML logic as ands of ors,
and it sounds like your approach gives you the expressiveness you need.
Obviously where it gets hard is when you have something in your Permit
rule, and then you realize you want something that Permits something
slightly less (i.e., fewer users, actions, or stricter conditions). At
that point, one predicate might have to become many because you can't as
easily say something like "all these except for this one."

Dunno. Did I understand your model correctly? Did this help?


[1] Back in my first year CS classes, there would be late night study
sessions where some proof just wasn't getting done. The later it was,
the more creative our "proof techniques" became. Some we invented, some
we found on the web. When I hear questions like yours, I feel like
pulling out some of these techniques, like Proof by Eminent Authority:
"well, I'm not sure, but I saw Karp in the elevator and he thinks it's NP
complete." :)
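The policy shape discussed in this message (one Permit rule carrying all the condition logic, a fall-through Deny rule, and administrators' rules of either effect folded into that single condition by "or" for Permit and "and not" for Deny) can be modelled in a few lines. The following Python is an added illustration written for this archive page; it is not code from the mail, from Jan, or from any XACML implementation, and it deliberately ignores XACML's real request format, targets and combining algorithms. The predicates over a request dictionary, the roles and resources, and the rule order are constructed sample data. It also shows the point the message raises about refinement ("all these except for this one") and one caveat that follows directly from the boolean algebra: the fold is order-sensitive, so a Deny folded before a later Permit does not constrain that Permit.

```python
"""Toy model of a single-Permit-rule / default-Deny policy with rules of
arbitrary effect folded into the Permit condition.  Constructed illustration
only; this is not XACML-conformant evaluation code."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

Request = Dict[str, str]
Predicate = Callable[[Request], bool]
Rule = Tuple[str, Predicate]  # (effect, condition) as an administrator declares it

PERMIT = "Permit"
DENY = "Deny"


@dataclass
class SinglePermitPolicy:
    """Permit rule first, default Deny second (first-applicable semantics)."""
    permit_condition: Predicate

    def evaluate(self, request: Request) -> str:
        # Exactly one rule can match: the Permit rule, or else the default Deny,
        # so two rules can never disagree about the same request.
        return PERMIT if self.permit_condition(request) else DENY


def fold_rule(policy: SinglePermitPolicy, rule: Rule) -> SinglePermitPolicy:
    """Translate a rule of arbitrary effect into the single-Permit model:
         Permit C  ->  P := P or C        (grant more cases)
         Deny   C  ->  P := P and not C   (negate the condition, then 'and' it in)
    """
    effect, condition = rule
    old = policy.permit_condition  # captured per call, so closures stay distinct
    if effect == PERMIT:
        return SinglePermitPolicy(lambda r: old(r) or condition(r))
    if effect == DENY:
        return SinglePermitPolicy(lambda r: old(r) and not condition(r))
    raise ValueError(f"unknown effect: {effect}")


def fold_rules(rules: Iterable[Rule]) -> SinglePermitPolicy:
    """Fold rules in the order given, starting from 'permit nothing'.
    Order matters: (P and not D) or C is not the same as (P or C) and not D,
    so a Deny must be folded after every Permit it is meant to restrict."""
    policy = SinglePermitPolicy(lambda r: False)
    for rule in rules:
        policy = fold_rule(policy, rule)
    return policy


def applicable_effects(rules: Iterable[Rule], request: Request) -> Set[str]:
    """For comparison: the same rules kept as independent (effect, condition)
    pairs.  Several may apply to one request with different effects, and only
    a combining algorithm can arbitrate; the folded form never reaches that state."""
    return {effect for effect, cond in rules if cond(request)}


# Constructed sample rules, in the order the administrator declared them.
SAMPLE_RULES: List[Rule] = [
    (PERMIT, lambda r: r["role"] == "doctor" and r["action"] == "read"),
    (PERMIT, lambda r: r["role"] == "nurse" and r["action"] == "read"),
    (DENY, lambda r: r["resource"] == "archive"),  # "all these except this one"
]


def decide(request: Request) -> str:
    """Decision of the folded sample policy for one constructed request."""
    return fold_rules(SAMPLE_RULES).evaluate(request)


if __name__ == "__main__":
    for req in (
        {"role": "doctor", "action": "read", "resource": "chart"},
        {"role": "doctor", "action": "read", "resource": "archive"},
        {"role": "nurse", "action": "write", "resource": "chart"},
    ):
        print(req, "->", decide(req),
              "| as independent rules:", applicable_effects(SAMPLE_RULES, req))
```

Running it shows the doctor-reads-archive request, which as three independent rules matches both a Permit and a Deny rule and so needs a combining algorithm to resolve, coming out as a plain Deny from the folded policy; reversing the order so that the Deny is folded before the doctor's Permit lets that Permit through, which is the management burden the reply anticipates.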
