Subject: A challenging scenario for XACML
Hello all,

I have an interesting scenario, for which I have not found a satisfying solution in XACML. I wonder whether it's due to a bad modelling of the available information in attributes or if it's a limitation of XACML's functionality. Either way I am glad for any comments. Caution, this is rather long!

The scenario is the following: Organisations A, B, C and D share certain types of information {1,2,3,4,5} based on contracts. An example set of contracts for organisation D could look like this:

    <Contracts>
      <Partner name="A">
        <type>1</type>
        <type>2</type>
        <type>4</type>
      </Partner>
      <Partner name="B">
        <type>2</type>
        <type>3</type>
        <type>4</type>
      </Partner>
      <Partner name="C">
        <type>1</type>
        <type>5</type>
      </Partner>
    </Contracts>

meaning e.g. that A gives D access to information of types 1, 2 and 4.

Now I imagined my request would look something like this (in XACML 3.0 syntax, since you can't put content into the subject in XACML 2.0):

    <Request>
      <Attributes Category="subject">
        <Content>
          <Contracts>
            <Partner name="A">
              <type>1</type>
              <type>2</type>
              <type>4</type>
            </Partner>
            <Partner name="B">
              <type>2</type>
              <type>3</type>
              <type>4</type>
            </Partner>
            <Partner name="C">
              <type>1</type>
              <type>5</type>
            </Partner>
          </Contracts>
        </Content>
      </Attributes>
      <Attributes Category="resource">
        <Attribute AttributeId="partner">
          <AttributeValue>A</AttributeValue>
        </Attribute>
        <Attribute AttributeId="type">
          <AttributeValue>2</AttributeValue>
        </Attribute>
      </Attributes>
    </Request>

meaning that a subject with the given contracts is trying to access information of the type 2 at organisation A.

Now I want to write a policy that checks whether the resource attributes are "covered" by the contracts given for the subject. I haven't found a good way to do this. Bad (IMHO) ways to do this include:

1.) Using complicated XPath 2.0 expressions

2.) Extending XACML with a custom made function that does this

3.) Change the encoding of the contracts to attributes that look like this:

    <Attribute AttributeId="Contract">
      <AttributeValue>A:1</AttributeValue>
      <AttributeValue>A:2</AttributeValue>
      <AttributeValue>A:4</AttributeValue>
      <AttributeValue>B:2</AttributeValue>
      etc ...

What I am aiming at is a solution that is easy to understand for future administrators of these policies (that's why I reject my solution 1.), that doesn't need custom extensions of XACML (reject solution 2.). The reason I dislike my solution 3.) is that the attributes encode two pieces of information (organisation and information type) in one.

Regards,

Ludwig Seitz

--
Ludwig Seitz, PhD         | Axiomatics AB
Training & Development    | Electrum 223
Phone: +46 (0)703 83 08 00 | S-164 40 Kista, Sweden
Mail: ludwig@axiomatics.com |
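An added example, not part of Ludwig's mail or of any XACML implementation: the Python script below spells out the "coverage" check the mail asks for, run directly over a request in the shape shown above. It assumes unnamespaced elements exactly as in the mail and the AttributeIds `partner` and `type`; it is an ordinary XML evaluation, not an XACML PDP. It also shows how the flattened "A:1" encoding of option 3 reduces the same check to membership in a bag of strings, which is why that encoding is tempting even though it fuses organisation and information type into one value.

```python
"""Coverage check over a XACML 3.0-style request (added example).

Assumptions (not from the original mail): elements carry no namespace,
the resource attributes are identified by AttributeId "partner" and
"type", and each resource attribute has exactly one value.
"""
import xml.etree.ElementTree as ET

# Constructed request, shaped like the one in the mail (the missing '>'
# on one </Partner> tag is repaired so the document parses).
REQUEST_XML = """
<Request>
  <Attributes Category="subject">
    <Content>
      <Contracts>
        <Partner name="A"><type>1</type><type>2</type><type>4</type></Partner>
        <Partner name="B"><type>2</type><type>3</type><type>4</type></Partner>
        <Partner name="C"><type>1</type><type>5</type></Partner>
      </Contracts>
    </Content>
  </Attributes>
  <Attributes Category="resource">
    <Attribute AttributeId="partner"><AttributeValue>A</AttributeValue></Attribute>
    <Attribute AttributeId="type"><AttributeValue>2</AttributeValue></Attribute>
  </Attributes>
</Request>
"""

SUBJECT_CONTRACTS = "./Attributes[@Category='subject']/Content/Contracts/Partner"


def contracts_from_request(request_xml):
    """Return {partner_name: set_of_types} read from the subject <Content>."""
    root = ET.fromstring(request_xml)
    contracts = {}
    for partner in root.findall(SUBJECT_CONTRACTS):
        types = {t.text.strip() for t in partner.findall("type") if t.text}
        contracts[partner.get("name")] = types
    return contracts


def resource_attribute(root, attribute_id):
    """Return the single value of a resource attribute, or None if it is
    missing or multi-valued (the policy should then be Indeterminate)."""
    path = (f"./Attributes[@Category='resource']"
            f"/Attribute[@AttributeId='{attribute_id}']/AttributeValue")
    values = [v.text.strip() for v in root.findall(path) if v.text]
    return values[0] if len(values) == 1 else None


def decide(request_xml):
    """Permit iff the resource (partner, type) pair is covered by a contract."""
    root = ET.fromstring(request_xml)
    partner = resource_attribute(root, "partner")
    info_type = resource_attribute(root, "type")
    if partner is None or info_type is None:
        return "Indeterminate"
    covered = info_type in contracts_from_request(request_xml).get(partner, set())
    return "Permit" if covered else "Deny"


def flatten_contracts(contracts):
    """Option 3 from the mail: encode each (partner, type) pair as one string."""
    return {f"{name}:{t}" for name, types in contracts.items() for t in types}


def decide_flat(request_xml):
    """Same decision using the flattened bag: a plain string membership test,
    which is what a simple XACML string bag condition would express."""
    root = ET.fromstring(request_xml)
    partner = resource_attribute(root, "partner")
    info_type = resource_attribute(root, "type")
    if partner is None or info_type is None:
        return "Indeterminate"
    bag = flatten_contracts(contracts_from_request(request_xml))
    return "Permit" if f"{partner}:{info_type}" in bag else "Deny"


if __name__ == "__main__":
    print(decide(REQUEST_XML), decide_flat(REQUEST_XML))
```

The two decision functions return the same result on every request; the difference is only in what the policy author has to express, which is exactly the trade-off the mail weighs between a structured `<Content>` lookup and a flat `Contract` attribute.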