xacml-users message


Subject: Re: [xacml-users] XACML expressiveness (WAS: RE: [xacml-users] retrieving a list or query filter of resources the caller is authorized for)


In XACML, in general, what each module should do is defined, but neither the code base nor the APIs are defined.

As to the messages, only certain messages are defined, e.g. <Request>, <Response>, <Policy> (and <PolicySet>).

The XACML Library designer must supply an implementation for the pure XACML parts. The PDP and the Context Handler can be entirely inside the XACML Library (or a System Component) and may not have anything to do with the system directly (except for Step 9 in Figure 1).

As to the PEP and PIP, they are in two domains, XACML and the system. The PAP also may live in two worlds, XACML and the outside world, i.e. the Policy Editor system or end user.

Naturally, the system-related parts are programmed by the system designer.

As to the Attributes (subject, action, resources, environment), they are also an XACML superstructure on top of the ordinary system entities. So, they are also dual natured. To deal with the PIP, they have to implement an XACML Attribute-compliant architecture over the system modules which deal with these entities. However, such details are not defined in the XACML specification, i.e. messages or APIs.

Even if an XACML Library (such as Sun's XACML Library) is used, there is a lot of code that a system architect must supply to have the XACML rule engine in place.

On the other hand, IF the PAP, PIP and PEP are "ready-made" (i.e. they come pre-made as a part of the entire system), you would have to do much less if you ever happen to need to extend its capability. You may be referring to this when you are saying "once you start customising...". (Needless to say, the PDP and Context Handler are also "ready-made".)

In my experience, since we used Sun's XACML Library, we had to supply the entire PEP, plugins for PIP, a Policy Store for PDP. We did not require PAP, since we directly installed/updated Policies in the Policy Store with a TEXT Editor.

Yoichi

Figure 1.pdf
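The message above describes the split between the "pure XACML" parts (PDP, Context Handler, the Request/Response/Policy messages) and the system-side parts the architect must write (PEP, PIP plugins, Policy Store). The following is an added illustration of that data flow, not code from the message, the thread, or Sun's XACML Library. It uses a deliberately reduced policy syntax (a flat `<Match>` per attribute rather than XACML's AnyOf/AllOf/AttributeDesignator nesting), a constructed user directory standing in for the system's user store, and hypothetical attribute ids; none of these are from the XACML specification.

```python
# Toy XACML-style evaluation flow (added illustration; not Sun's XACML library
# and not conformant to the XACML schema). Names and data below are constructed.
import xml.etree.ElementTree as ET

# Constructed policy in a reduced syntax: a real XACML <Target> nests
# AnyOf/AllOf/Match elements with AttributeDesignators; here each flat <Match>
# names the category, attribute id and expected value directly.
POLICY_XML = """<Policy PolicyId="records-policy" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="doctors-read-records" Effect="Permit">
    <Target>
      <Match Category="subject" AttributeId="role" Value="doctor"/>
      <Match Category="action" AttributeId="action-id" Value="read"/>
      <Match Category="resource" AttributeId="resource-type" Value="medical-record"/>
    </Target>
  </Rule>
  <Rule RuleId="no-access-after-hours" Effect="Deny">
    <Target>
      <Match Category="environment" AttributeId="after-hours" Value="true"/>
    </Target>
  </Rule>
</Policy>"""

# Constructed "system side" data the PIP plugin reads from: a hypothetical
# user directory. A real PIP plugin would call the application's own user store.
USER_DIRECTORY = {"alice": "doctor", "bob": "receptionist"}


def pip_lookup(category, attribute_id, attrs):
    """PIP plugin: derive an attribute the PEP did not put in the <Request>."""
    if (category, attribute_id) == ("subject", "role"):
        return USER_DIRECTORY.get(attrs.get(("subject", "subject-id")))
    if (category, attribute_id) == ("environment", "after-hours"):
        hour = int(attrs.get(("environment", "hour"), "0"))
        return "true" if hour >= 18 or hour < 7 else "false"
    return None  # unknown attribute: the rule referencing it will not match


def resolve(category, attribute_id, attrs):
    """Context Handler: prefer request-supplied attributes, else ask the PIP."""
    key = (category, attribute_id)
    if key not in attrs:
        value = pip_lookup(category, attribute_id, attrs)
        if value is None:
            return None
        attrs[key] = value  # cache so later rules reuse the same value
    return attrs[key]


def build_request(subject_id, action, resource_type, hour):
    """PEP side: turn the system's access attempt into a <Request> document."""
    req = ET.Element("Request")
    for category, attribute_id, value in (
        ("subject", "subject-id", subject_id),
        ("action", "action-id", action),
        ("resource", "resource-type", resource_type),
        ("environment", "hour", str(hour)),
    ):
        attr = ET.SubElement(req, "Attribute", Category=category, AttributeId=attribute_id)
        ET.SubElement(attr, "AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")


def evaluate(policy_xml, request_xml):
    """PDP: evaluate every Rule's Target against the request, combine the
    applicable effects with deny-overrides, and answer with a <Response>."""
    policy = ET.fromstring(policy_xml)
    request = ET.fromstring(request_xml)
    attrs = {(a.get("Category"), a.get("AttributeId")): a.findtext("AttributeValue")
             for a in request.findall("Attribute")}
    effects = []
    for rule in policy.findall("Rule"):
        # An empty Target matches everything, as in XACML; otherwise every Match
        # must hold. An attribute nobody can supply resolves to None and fails.
        applicable = all(
            resolve(m.get("Category"), m.get("AttributeId"), attrs) == m.get("Value")
            for m in rule.findall("Target/Match"))
        if applicable:
            effects.append(rule.get("Effect"))
    if "Deny" in effects:
        decision = "Deny"
    elif "Permit" in effects:
        decision = "Permit"
    else:
        decision = "NotApplicable"
    response = ET.Element("Response")
    ET.SubElement(ET.SubElement(response, "Result"), "Decision").text = decision
    return ET.tostring(response, encoding="unicode")


def decide(subject_id, action, resource_type, hour):
    """Full PEP -> Context Handler/PIP -> PDP -> PEP round trip; returns the Decision."""
    response = evaluate(POLICY_XML, build_request(subject_id, action, resource_type, hour))
    return ET.fromstring(response).findtext("Result/Decision")


def pep_is_permitted(subject_id, action, resource_type, hour):
    """Enforcement: only an explicit Permit grants access. Deny and
    NotApplicable (no rule matched) are both refused by the PEP."""
    return decide(subject_id, action, resource_type, hour) == "Permit"


if __name__ == "__main__":
    print(decide("alice", "read", "medical-record", 10))   # Permit
    print(decide("alice", "read", "medical-record", 22))   # Deny
    print(decide("bob", "read", "medical-record", 10))     # NotApplicable
```

The point to notice is which pieces are "system" code: `build_request` and `pep_is_permitted` are the PEP, `pip_lookup` is the PIP plugin over the user directory, while `resolve` and `evaluate` are the Context Handler and PDP that a library would normally provide. The PEP treats anything other than Permit as a refusal, so a missing PIP attribute or a policy with no matching rule fails closed rather than open.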


