xacml-users message
Subject: Re: [xacml-users] Implementing UNIX file system acl using xacml


Hi Marco,

I suggest using regular expressions with the hierarchical profile in XACML 2.0.

This should be a straightforward solution that we have experimented
with a bit on OpenAz; it is described at tutorial level in an old XACML
example document:
http://lists.oasis-open.org/archives/xacml/200406/msg00033.html
The doc is attached to that email:
http://lists.oasis-open.org/archives/xacml/200406/pdf00003.pdf

The basic policy looks like:

<Policy PolicyId="PortalPolicy" RuleCombiningAlgId="&permit-overrides;">
  <Target>
    <Actions>
      <Action>
        <ActionMatch MatchId="&string-is-in;">
          <AttributeValue DataType="&string;">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="&action-id;"
                                     DataType="&string;"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule RuleId="Descendants:of:F" Effect="Permit">
    <Condition FunctionId="&and;">
      <Apply FunctionId="&string-is-in;">
        <AttributeValue DataType="&string;">Alice</AttributeValue>
        <SubjectAttributeDesignator AttributeId="&subject-id;"
                                    DataType="&string;"/>
      </Apply>
      <Apply FunctionId="&anyURI-match;">
        <AttributeValue
            DataType="&string;">http://www.example.com/F*</AttributeValue>
        <Apply FunctionId="&string-one-and-only;">
          <ResourceAttributeDesignator AttributeId="&resource-id;"
                                       DataType="&string;"/>
        </Apply>
      </Apply>
      <Apply FunctionId="&not;">
        <Apply FunctionId="&string-is-in;">
          <AttributeValue DataType="&string;">I</AttributeValue>
          <ResourceAttributeDesignator AttributeId="&resource-id;"
                                       DataType="&string;"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="Children:of:G" Effect="Permit">
    <Condition FunctionId="&and;">
      <Apply FunctionId="&string-is-in;">
        <AttributeValue DataType="&string;">Bob</AttributeValue>
        <SubjectAttributeDesignator AttributeId="&subject-id;"
                                    DataType="&string;"/>
      </Apply>
      <Apply FunctionId="&anyURI-match;">
        <AttributeValue
            DataType="&string;">http://www.example.com/F/G/*</AttributeValue>
        <Apply FunctionId="&string-one-and-only;">
          <ResourceAttributeDesignator AttributeId="&resource-id;"
                                       DataType="&string;"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

This note follows the policy:

"Please note that this method may grant privileges to new directories and files that may be created in the
future under the existing directories. For example, if a new directory is created under directory F, then
this policy will give Alice the right to read anything in that new directory. This may or may not be the
intent of the policy writer, so caution is urged."
Thanks,
Rich
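To see what the two rules above actually grant, here is an added example (not code from the thread or from OpenAz) that models the policy as a small decision function: the "*" patterns are evaluated as shell-style globs standing in for anyURI-match, the resource tree is constructed, and the excluded entry is spelled as a full resource-id (an assumption; the posted rule compares the bare string "I" against the same resource-id attribute the pattern matches). Running it shows the caveat quoted from the document, that a directory created later under F is permitted for Alice, and also that the F* prefix as written matches a sibling whose name merely starts with F.

```python
from fnmatch import fnmatchcase

# Each rule is (RuleId, subject, resource-id pattern, excluded resource-ids),
# mirroring the Condition of the two Permit rules in the policy above.
# Assumption: the excluded entry uses the full resource-id, not just "I".
RULES = [
    ("Descendants:of:F", "Alice", "http://www.example.com/F*",
     {"http://www.example.com/F/I"}),
    ("Children:of:G", "Bob", "http://www.example.com/F/G/*", set()),
]


def rule_permits(rule, subject, resource_id):
    """One Rule's Condition: subject is-in AND pattern matches AND NOT excluded."""
    _rule_id, rule_subject, pattern, excluded = rule
    return (subject == rule_subject
            and fnmatchcase(resource_id, pattern)   # "*" also spans "/"
            and resource_id not in excluded)


def evaluate(subject, action, resource_id):
    """Policy decision: the Target restricts it to action 'read'; with only
    Permit rules, permit-overrides yields Permit if any rule fires, else
    NotApplicable."""
    if action != "read":
        return "NotApplicable"
    for rule in RULES:
        if rule_permits(rule, subject, resource_id):
            return "Permit"
    return "NotApplicable"


def permitted_for(subject, resource_ids):
    """Subset of resource-ids the subject may read: a quick way to review
    what a prefix pattern grants before deploying it."""
    return [r for r in resource_ids if evaluate(subject, "read", r) == "Permit"]


if __name__ == "__main__":
    # Constructed tree: F, F/G, F/G/x, the excluded F/I, a directory created
    # after the policy was written (F/new/y) and a sibling named Foo.
    tree = ["http://www.example.com/F", "http://www.example.com/F/G",
            "http://www.example.com/F/G/x", "http://www.example.com/F/I",
            "http://www.example.com/F/new/y", "http://www.example.com/Foo"]
    for who in ("Alice", "Bob"):
        print(who, permitted_for(who, tree))
```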


On 11/14/2011 10:02 AM, Marco Biagi wrote:
I think the best solution to the problem is to improve the XACML expression language.
It isn't possible to add a function to this standard every time we are not able to express something like this case study.
It would be useful if a tag were added to XACML to define functions directly in XACML.
In this way I could apply the defined function directly in XACML in a "higher-order bag function" like all-of:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of">
<Function FunctionId="urn:oasis:names:tc:xacml:2.0:function:fooFunction"/>
.....
For example:

<functionDefine functionId="urn:oasis:names:tc:xacml:2.0:function:fooFunction">
<inputType dataType="...." />
<Apply ....

</Apply>
</functionDefine>

In this way it would be possible to refer to the function by functionId, and the auth logic would be expressed entirely in XACML.

Thank you and best regards.

Marco

On 11/14/2011 03:03 PM, Tyson, Paul H wrote:
This is an important use case, and represents a general pattern that should be handled by XACML.  The 3.0 improvements to the hierarchical profile, and perhaps the 'access-permitted' function of XACML 3.0, might help.

I have not used XACML 2.0 in quite a while, so I would prefer to analyze this with respect to 3.0, but if you are stuck with 2.0 I will see what can be done.