[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml-users] Help on ResourceConent <-- On XACML Architecture
Hi Oleg, I agree with you. But I still have questions on where is the best place to enforce the condition since we will treat AccountHasBeenReviewedByManager as a condition attribute. We can enforce it at environment match, rule conditon, and rule condition with variable reference. I would like to know your recommendations on how to enforce the condition. Thanks a lot! hao Best Regard --- On Mon, 11/3/08, Oleg Gryb <oleg_gryb@yahoo.com> wrote: > From: Oleg Gryb <oleg_gryb@yahoo.com> > Subject: RE: [xacml-users] Help on ResourceConent <-- On XACML Architecture > To: "Balaji Kannadassan" <balajika@nortel.com>, d95776@yahoo.com > Cc: xacml-users@lists.oasis-open.org > Date: Monday, November 3, 2008, 12:12 PM > Balaji, > > Since you've mentioned "architecture" > you're probably trying to create a XACML-based authz > architecture for your client. If this is the case you'll > probably find my experience interesting. > > I think, the major problem that a security architect needs > to solve in the case of XACML-based solution is attribute > resolution mechanism. We had a discussion on this forum in > the past and had some disagreements, but it looks like all > arguing parties had agreed that XACML-based authz solution > will have a very limited value if it doesn't have > dynamic attribute resolution mechanism in place. I think, > the other thing that we agreed on was that the latter > mechanism is poorly defined in XACML 2.0. > > Practical consequences of that could be that vendor's > implementations of attribute resolution could be (and they > actually are for vendors that I've evaluated) absolutely > incompatible that could lead to vendor "lock in > situation", which any architect should try to avoid. > > The best solution that I found was not to rely on context > handler that can be called from PDP, but resolve all > attributes before request hits PDP. Sequence diagram at > http://gryb.info/images/attrs.jpg provides more details. > > I think this approach could be used in scenario that has > been described by Hao. In his case a client would need to > submit: account ID and subject ID with roles in initial > request. Attribute resolver, presented at the diagram, would > use the account ID attribute to create yet another attribute > - "AccountHasBeenReviewedByManager". The enhanced > request will be sent to PDP that will not care about > attribute resolution any more. I think the behavior of PDP > itself (without context handling) is defined fairly well in > XACML 2.0. That definition plus conformance tests will give > you a very high degree of confidence that PDP engine > vendor's implementations (without context handling) are > compatible. > > Hope it helps, > Oleg. > > > > --- On Mon, 11/3/08, Balaji Kannadassan > <balajika@nortel.com> wrote: > > > From: Balaji Kannadassan <balajika@nortel.com> > > Subject: RE: [xacml-users] Help on ResourceConent! > > To: "Roland Illig" > <roland.illig@gmx.de> > > Cc: xacml-users@lists.oasis-open.org > > Date: Monday, November 3, 2008, 3:53 AM > > Hi Roland! > > > > It wasn't specified anywhere since you said in > > standard xml its not > > implemented assume its 1.0v is standard. Sorry if I > have > > confused you, > > So on whole it's the difference between the usage > of > > AttributeSelector > > and AttributeDesignator. So if I am using Attribute > > Designator hyperlink > > or location would suffice rt ?. Since in the example > of > > DoB they use > > Attribute Selector prefetched details are placed. > > > > Other Experts >> Please do help me in my > > understanding of the request > > flow on the XACML Policy architecture ?. > > Is my understanding rt as stated below on > > PDP/PEP/PAP/PIP ? > > > > Thanks > > Balaji Kamal Kannadassan > > > > -----Original Message----- > > From: Roland Illig [mailto:roland.illig@gmx.de] > > Sent: Monday, November 03, 2008 2:08 PM > > To: Kannadassan, Balaji (AMR:8826) > > Cc: xacml-users@lists.oasis-open.org > > Subject: Re: [xacml-users] Help on ResourceConent! > > > > Balaji Kannadassan schrieb: > > > Hi Roland! > > > > > > As you have said said that only embedded > details > > can be read by > > > 1.0v, had a doubt on how are these values > prefetched, > > so is it that > > > > I meant: the <AttributeSelector> can only search > > inside the <Request> > > XML that is provided to the PDP. I know that the > > <*AttributeDesignator>s > > can get arbitrary information. > > > > > a) PEP send that the detail of the doctor > who > > wanted to read > > > bart's DOB > > > b) Context Handler will prefetch DOB > details > > via PIP and place > > > > > it in the Resource Content and push it across to > PDP. > > > c) Now PDP has all these prefetched > detail > > > d) PDP takes a decision on what to with > > operation the person > > > wants to do via PAP > > > > I don't know that part of XACML very well, so I > cannot > > say definitely > > how it works. > > > > > So in 1.0 PDP didn't had the provision to > delve > > into just the > > > hyperlink for the record provided. In 2.0 there > is an > > enhancement for > > > the same to get the details from the hyperlink. > > > > Oh, I didn't know that. Where is it defined? > > > > Roland > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: > > xacml-users-unsubscribe@lists.oasis-open.org > > For additional commands, e-mail: > > xacml-users-help@lists.oasis-open.org
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]