xacml-users message



Subject: A challenging scenario for XACML


Hello all,

I have an interesting scenario, for which I have not found a satisfying 
solution in XACML. I wonder whether it's due to a bad modelling of the 
available information in attributes or if it's a limitation of XACML's
functionality. Either way I am glad for any comments. 

Caution, this is rather long!

The scenario is the following:

Organisations A, B, C and D share certain types of information {1,2,3,4,5}
based on contracts.

An example set of contracts for organisation D could look like this:

<Contracts>
  <Partner name="A">
    <type>1</type>
    <type>2</type>
    <type>4</type>
  </Partner>
  <Partner name="B">
    <type>2</type>
    <type>3</type>
    <type>4</type>
  </Partner>
  <Partner name="C">
    <type>1</type>
    <type>5</type>
  </Partner>
</Contracts>

meaning e.g. that A gives D access to information of types 1, 2 and 4.

Now I imagined my request would look something like this (in XACML 3.0
syntax, since you can't put content into the subject in XACML 2.0):

<Request>
  <Attributes Category="subject">
    <Content>
      <Contracts>
        <Partner name="A">
          <type>1</type>
          <type>2</type>
          <type>4</type>
        </Partner>
        <Partner name="B">
          <type>2</type>
          <type>3</type>
          <type>4</type>
        </Partner>
        <Partner name="C">
          <type>1</type>
          <type>5</type>
        </Partner>
      </Contracts>
    </Content>
  </Attributes>
  <Attributes Category="resource">
    <Attribute AttributeId="partner">
      <AttributeValue>A</AttributeValue>
    </Attribute>
    <Attribute AttributeId="type">
      <AttributeValue>2</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

meaning that a subject with the given contracts is trying to access
information of the type 2 at organisation A.


Now I want to write a policy that checks whether the resource attributes
are "covered" by the contracts given for the subject. I haven't found a
good way to do this.


Bad (IMHO) ways to do this include:

1.) Using complicated XPath 2.0 expressions
2.) Extending XACML with a custom made function that does this
3.) Changing the encoding of the contracts to attributes that look like
this:
   <Attribute AttributeId="Contract">
     <AttributeValue>A:1</AttributeValue>
     <AttributeValue>A:2</AttributeValue>
     <AttributeValue>A:4</AttributeValue>
     <AttributeValue>B:2</AttributeValue>
     etc ...

What I am aiming at is a solution that is easy to understand for future 
administrators of these policies (that's why I reject my solution 1.),
that doesn't need custom extensions of XACML (reject solution 2.). The
reason I dislike my solution 3.) is that the attributes encode two
pieces of information (organisation and information type) in one.


Regards,

Ludwig Seitz


-- 
Ludwig Seitz, PhD             |   Axiomatics AB
Training & Development        |   Electrum 223
Phone: +46 (0)703 83 08 00    |   S-164 40 Kista, Sweden
Mail: ludwig@axiomatics.com   |
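The coverage check the post asks for, worked through in Python as an added example (not the poster's code nor an XACML PDP): the sample request is the one from the post with the unterminated Partner tags closed and, as in the post, without the XACML namespace; `attribute_bag` stands in for an AttributeDesignator, `contracted_types` for an AttributeSelector over the subject Content, and `flatten_contracts` shows what the poster's option 3 reduces to, a plain bag-membership test on "partner:type" strings.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the request from the post with the "</Partner"
# tags closed. Namespaces are omitted as in the post; a real XACML 3.0
# request and AttributeSelector use the urn:oasis:names:tc:xacml:3.0 namespace.
REQUEST_XML = """<Request>
  <Attributes Category="subject"><Content><Contracts>
    <Partner name="A"><type>1</type><type>2</type><type>4</type></Partner>
    <Partner name="B"><type>2</type><type>3</type><type>4</type></Partner>
    <Partner name="C"><type>1</type><type>5</type></Partner>
  </Contracts></Content></Attributes>
  <Attributes Category="resource">
    <Attribute AttributeId="partner"><AttributeValue>A</AttributeValue></Attribute>
    <Attribute AttributeId="type"><AttributeValue>2</AttributeValue></Attribute>
  </Attributes>
</Request>"""

SUBJECT_PARTNERS = "./Attributes[@Category='subject']/Content/Contracts/Partner"

def attribute_bag(root, category, attribute_id):
    """The bag of string values an AttributeDesignator would return.
    category/attribute_id are constants from the policy, never request data."""
    path = (f"./Attributes[@Category='{category}']"
            f"/Attribute[@AttributeId='{attribute_id}']/AttributeValue")
    return [v.text for v in root.findall(path)]

def contracted_types(root, partner):
    """Types contracted with one partner. The partner name (request data) is
    compared in Python instead of spliced into an XPath string, so a crafted
    resource attribute cannot rewrite the selector."""
    for p in root.findall(SUBJECT_PARTNERS):
        if p.get("name") == partner:
            return [t.text for t in p.findall("type")]
    return []

def flatten_contracts(root):
    """The post's option 3: one 'partner:type' string per contract line."""
    return {f"{p.get('name')}:{t.text}"
            for p in root.findall(SUBJECT_PARTNERS) for t in p.findall("type")}

def is_covered(request_xml, use_flat=False):
    """True iff every requested type is contracted with the requested partner.
    A missing or multi-valued partner, a missing type, or a partner that has
    no contract all fall through to False (deny by default)."""
    root = ET.fromstring(request_xml)
    partners = attribute_bag(root, "resource", "partner")
    types = attribute_bag(root, "resource", "type")
    if len(partners) != 1 or not types:
        return False
    if use_flat:
        flat = flatten_contracts(root)
        return all(f"{partners[0]}:{t}" in flat for t in types)
    allowed = set(contracted_types(root, partners[0]))
    return all(t in allowed for t in types)
```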
