xacml-users message

Subject: RE: [xacml-users] Database schema for storing XACML policies


My point is that there is no reason to disassemble the policy and stuff
it into the database and then reassemble it into XML, when only a couple
of elements will ever be used for retrieval. Most database operations
have no relevancy to policies. Why would you ever want to do an external
join for example?

There are a number of disadvantages to such a disassembly, reassembly.

1. Performance cost
2. Likelihood that the result will not be the same as original, or at
least will require extensive testing and debugging before it is.
3. Likelihood of breaking any signatures over the policy.

Hal

> -----Original Message-----
> From: Paul Alagna [mailto:pjalagna@yahoo.com]
> Sent: Thursday, June 22, 2006 11:05 PM
> To: Hal Lockhart; Rajesh Koilpillai; dhirendra sharma; Argyn
> Cc: xacml-users@lists.oasis-open.org
> Subject: RE: [xacml-users] Database schema for storing XACML policies
> 
> Isn't it the job of the XSD to define the structure?
> There are the table and column names, default values,
> validation values, etc.
> 
> Paul Alagna
> CTO Checkmi (PJalagna@CheckMI.com)
> 
> --- Hal Lockhart <hlockhar@bea.com> wrote:
> 
> > I think the following is a sensible approach.
> >
> > 1. Select a portion of the Target to use as your primary key. If you are
> > not sure what to use, I suggest using Resource. Possibly you might
> > choose to use just a single attribute (e.g. Resource Name or
> > Classification).
> >
> > 2. Extract the chosen value and put it in a primary key field in a
> > convenient format which permits using Select statements to retrieve
> > potentially applicable policies.
> >
> > 3. Put the entire policy as a blob in another field in the same record.
> >
> > 4. Use an API or stored procedure to implement adding and modifying
> > records, so the Primary Key value remains consistent with the rest of
> > the record.
> >
> > 5. When an access request is received use the primary key to retrieve
> > candidate policies. Evaluate the rest of the Target and the Conditions
> > of each to determine if it is applicable.
> >
> > 6. It may be desirable to generate other keys for management purposes,
> > for example: Policy ID.
> >
> > This is the way we always intended Target to be used. Obviously policy
> > evaluation will be more efficient if Policy creation is "retrieval
> > strategy aware." For example, choosing what is put in the Target vs.
> > Conditions. This can be done by tooling or simply user conventions.
> >
> > Hal
> >
> > > -----Original Message-----
> > > From: Rajesh Koilpillai [mailto:rajesh@infravio.com]
> > > Sent: Friday, June 16, 2006 1:32 AM
> > > To: 'dhirendra sharma'; 'Argyn'
> > > Cc: xacml-users@lists.oasis-open.org
> > > Subject: RE: [xacml-users] Database schema for storing XACML policies
> > >
> > > Hi,
> > >
> > > You should definitely go for a more granular schema as you have
> > > suggested in your email in order to run fine grained SQL queries to
> > > figure out policies applicable for a Subject, Resource or Action.
> > > Storing it as a CLOB is going to limit your options, when you have
> > > more policies stored in your database.
> > >
> > > Thanks,
> > > - Rajesh Koilpillai
> > >
> > > -----Original Message-----
> > > From: dhirendra sharma [mailto:dhirendra_sh@yahoo.com]
> > > Sent: Thursday, June 15, 2006 11:29 PM
> > > To: Argyn
> > > Cc: xacml-users@lists.oasis-open.org
> > > Subject: Re: [xacml-users] Database schema for storing XACML policies
> > >
> > > Hi,
> > >
> > > There can be potentially thousands of policies.
> > > How did you find applicable policies for a given request?
> > >
> > > Thanks,
> > > Dhirendra Sharma
> > >
> > > --- Argyn <jawabean@gmail.com> wrote:
> > >
> > > > I thought about storing XACML schema in Db and gave up the idea. It
> > > > didn't make sense in my project. So, I had two things:
> > > >
> > > > 1. stored entire policy in TEXT type of field, such as CLOB
> > > > 2. some policies were generated from DB tables. I had a table with
> > > > start and end time columns, then the policy was generated using these
> > > > two columns
> > > >
> > > > thanks,
> > > > argyn
> > > >
> > > > On 6/15/06, dhirendra sharma <dhirendra_sh@yahoo.com> wrote:
> > > > >   Hi All,
> > > > >
> > > > >     Can someone share their database schema for storing XACML
> > > > > policies?
> > > > >
> > > > >     We are planning to store the XACML policies in an Oracle 9i
> > > > > database, write a DatabasePolicyModule and, based on Subject,
> > > > > Resource, Action and optionally Environment from the incoming
> > > > > Request, build a database SQL query and find out all the
> > > > > applicable policies.
> > > > >
> > > > >     I have defined a simple table called POLICY with columns as
> > > > > follows:
> > > > > ---------------------------------------
> > > > >             TARGET_ID    VARCHAR2(20),
> > > > >             SUBJECT      VARCHAR2(1000),
> > > > >             RESOURCE_ID  VARCHAR2(1000),
> > > > >             ACTION       VARCHAR2(1000),
> > > > >             POLICY       VARCHAR2(4000)
> > > > > ---------------------------------------
> > > > >
> > > > >     Using values of subject, resource and action from the request
> > > > > input, I build a SQL query and find out matching policies.
> > > > >
> > > > >     I have the following 2 questions.
> > > > >
> > > > >     1). Is the above table and column idea a good design from a
> > > > > policy storage perspective, or am I missing something?
> > > > >
> > > > >     2). Where in the code should I add this call to the database
> > > > > to find applicable policies?
> > > > >
> > > > >     Thanks,
> > > > >     Dhirendra Sharma
> > > > >
> > > > >
> > __________________________________________________
> > > > > Do You Yahoo!?
> > > > > Tired of spam?  Yahoo! Mail has the best spam
> > > > protection around
> > > > > http://mail.yahoo.com
> > > > >
> > > > >
> > > >
> > >
> >
> ---------------------------------------------------------------------
> > > > > This publicly archived list supports open
> > > > discussion on using the
> > > > > XACML OASIS Standard. To minimize spam in the
> > > > archives, you
> > > > > must subscribe before posting.
> > > > >
> > > > > [Un]Subscribe/change address:
> > > > http://www.oasis-open.org/mlmanage/
> > > > > Alternately, using email:
> > > > list-[un]subscribe@lists.oasis-open.org
> > > > > List archives:
> > > >
> > http://lists.oasis-open.org/archives/xacml-users/
> >
> === message truncated ===
> 
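Added example, not part of the original thread: a sketch of the storage scheme from the six quoted steps (extracted resource key plus the untouched policy as a blob), which also shows the point about signatures by comparing a SHA-256 digest of the stored bytes with one taken after parsing and re-serializing. Assumptions: SQLite stands in for the database, the table, column and function names are hypothetical, the sample policies are constructed and trimmed down, and the resource key is an indexed lookup column with Policy ID as the unique key.

```python
import hashlib
import sqlite3
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}  # XACML 2.0 policy namespace

def sample_policy(policy_id, resource):
    # Constructed, trimmed-down policy (not schema-complete); for illustration only.
    return (f'<Policy xmlns="{NS["x"]}" PolicyId="{policy_id}"><Target><Resources>'
            f'<Resource><ResourceMatch><AttributeValue>{resource}</AttributeValue>'
            f'</ResourceMatch></Resource></Resources></Target></Policy>').encode()

def open_store():
    db = sqlite3.connect(":memory:")  # assumption: SQLite stands in for the real RDBMS
    db.execute("CREATE TABLE policy (policy_id TEXT PRIMARY KEY,"
               " resource_key TEXT NOT NULL, policy_xml BLOB NOT NULL)")
    db.execute("CREATE INDEX policy_by_resource ON policy (resource_key)")
    return db

def add_policy(db, raw):
    # Single write path (step 4): the key is always derived from the bytes being stored.
    root = ET.fromstring(raw)
    value = root.find("x:Target/x:Resources/x:Resource/x:ResourceMatch/x:AttributeValue", NS)
    if value is None or not (value.text or "").strip():
        raise ValueError("policy has no resource value in its Target to index on")
    db.execute("INSERT INTO policy VALUES (?, ?, ?)",
               (root.get("PolicyId"), value.text.strip(), raw))

def candidates(db, resource):
    # Step 5: parameterized lookup by key; the PDP still evaluates the rest of the
    # Target and the Conditions of every candidate returned here.
    rows = db.execute("SELECT policy_xml FROM policy WHERE resource_key = ?"
                      " ORDER BY policy_id", (resource,))
    return [bytes(r[0]) for r in rows]

def demo():
    sha = lambda b: hashlib.sha256(b).hexdigest()
    db = open_store()
    originals = [sample_policy("p1", "payroll"), sample_policy("p2", "wiki"),
                 sample_policy("p3", "payroll")]
    for raw in originals:
        add_policy(db, raw)
    found = candidates(db, "payroll")
    reassembled = ET.tostring(ET.fromstring(found[0]))  # parse, then re-serialize
    return (found, sha(found[0]) == sha(originals[0]),
            sha(reassembled) == sha(originals[0]))

if __name__ == "__main__":
    print(demo())
```

The blob comes back byte-for-byte, so a digest or signature computed over the original document still verifies, while the re-serialized copy differs because the serializer rewrites the namespace declarations.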

