RE: [xacml-users] Help on ResourceConent <-- On XACML Architecture

[hao chen <d95776@yahoo.com>]

Hi Oleg,

I agree with you. But I still have questions on where is the best place to enforce the condition since we will treat AccountHasBeenReviewedByManager as a condition attribute. We can enforce it at environment match, rule conditon, and rule condition with variable reference. I would like to know your recommendations on how to enforce the condition.

Thanks a lot!

hao

Best Regard


--- On Mon, 11/3/08, Oleg Gryb <oleg_gryb@yahoo.com> wrote:

> From: Oleg Gryb <oleg_gryb@yahoo.com>
> Subject: RE: [xacml-users] Help on ResourceConent <-- On XACML Architecture
> To: "Balaji Kannadassan" <balajika@nortel.com>, d95776@yahoo.com
> Cc: xacml-users@lists.oasis-open.org
> Date: Monday, November 3, 2008, 12:12 PM
> Balaji,
> 
> Since you've mentioned "architecture"
> you're probably trying to create a XACML-based authz
> architecture for your client. If this is the case you'll
> probably find my experience interesting.
> 
> I think, the major problem that a security architect needs
> to solve in the case of XACML-based solution is attribute
> resolution mechanism. We had a discussion on this forum in
> the past and had some disagreements, but it looks like all
> arguing parties had agreed that XACML-based authz solution
> will have a very limited value if it doesn't have
> dynamic attribute resolution mechanism in place. I think,
> the other thing that we agreed on was that the latter
> mechanism is poorly defined in XACML 2.0.
> 
> Practical consequences of that could be that vendor's
> implementations of attribute resolution could be (and they
> actually are for vendors that I've evaluated) absolutely
> incompatible that could lead to vendor "lock in
> situation", which any architect should try to avoid.
> 
> The best solution that I found was not to rely on context
> handler that can be called from PDP, but resolve all
> attributes before request hits PDP. Sequence diagram at
> http://gryb.info/images/attrs.jpg provides more details.
> 
> I think this approach could be used in scenario that has
> been described by Hao. In his case a client would need to
> submit: account ID and subject ID with roles in initial
> request. Attribute resolver, presented at the diagram, would
> use the account ID attribute to create yet another attribute
> - "AccountHasBeenReviewedByManager". The enhanced
> request will be sent to PDP that will not care about
> attribute resolution any more. I think the behavior of PDP
> itself (without context handling) is defined fairly well in
> XACML 2.0. That definition plus conformance tests will give
> you a very high degree of confidence that PDP engine
> vendor's implementations (without context handling) are
> compatible.
> 
> Hope it helps,
> Oleg.
> 
> 
> 
> --- On Mon, 11/3/08, Balaji Kannadassan
> <balajika@nortel.com> wrote:
> 
> > From: Balaji Kannadassan <balajika@nortel.com>
> > Subject: RE: [xacml-users] Help on ResourceConent!
> > To: "Roland Illig"
> <roland.illig@gmx.de>
> > Cc: xacml-users@lists.oasis-open.org
> > Date: Monday, November 3, 2008, 3:53 AM
> > Hi Roland!
> > 
> >    It wasn't specified anywhere since you said in
> > standard xml its not
> > implemented assume its 1.0v is standard. Sorry if I
> have
> > confused you,
> > So on whole it's the difference between the usage
> of
> > AttributeSelector
> > and AttributeDesignator. So if I am using Attribute
> > Designator hyperlink
> > or location would suffice rt ?.  Since in the example
> of
> > DoB they use
> > Attribute Selector prefetched details are placed.
> > 
> > Other Experts >> Please do help me in my
> > understanding of the request
> > flow on the XACML Policy architecture ?. 
> > 			Is my understanding rt as stated below  on
> > PDP/PEP/PAP/PIP ?
> > 
> > Thanks
> > Balaji Kamal Kannadassan
> > 
> > -----Original Message-----
> > From: Roland Illig [mailto:roland.illig@gmx.de] 
> > Sent: Monday, November 03, 2008 2:08 PM
> > To: Kannadassan, Balaji (AMR:8826)
> > Cc: xacml-users@lists.oasis-open.org
> > Subject: Re: [xacml-users] Help on ResourceConent!
> > 
> > Balaji Kannadassan schrieb:
> > > Hi Roland!
> > > 
> > >     As you have said said that only embedded
> details
> > can be read by 
> > > 1.0v, had a doubt on how are these values
> prefetched,
> > so is it that
> > 
> > I meant: the <AttributeSelector> can only search
> > inside the <Request>
> > XML that is provided to the PDP. I know that the
> > <*AttributeDesignator>s
> > can get arbitrary information.
> > 
> > >         a) PEP send that the detail of the doctor
> who
> > wanted to read 
> > > bart's DOB
> > >         b) Context Handler will prefetch DOB
> details
> > via PIP and place
> > 
> > > it in the Resource Content and push it across to
> PDP.
> > >         c) Now PDP has all these prefetched
> detail
> > >         d) PDP takes a decision on what to with
> > operation the person 
> > > wants to do via PAP
> > 
> > I don't know that part of XACML very well, so I
> cannot
> > say definitely
> > how it works.
> > 
> > > So in 1.0 PDP didn't had the provision to
> delve
> > into just the 
> > > hyperlink for the record provided. In 2.0 there
> is an
> > enhancement for 
> > > the same to get the details from the hyperlink.
> > 
> > Oh, I didn't know that. Where is it defined?
> > 
> > Roland
> > 
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > xacml-users-unsubscribe@lists.oasis-open.org
> > For additional commands, e-mail:
> > xacml-users-help@lists.oasis-open.org