Subject: Re: [xacml-users] Policy question


Hi Ray,

I would model it differently. One could argue that you have 2 levels of resources: the document as a whole and the fields or elements of the document. You could have a look at the XACML v3.0 Hierarchical Resource Profile Version 1.0.

The fact you have access to a document doesn't mean you have access to any of its fields. This begs the question: how do you classify fields? Do you have metadata on fields (e.g. sensitivity) or do you maintain a list of fields?

Here is a sample policy that does cover your use case through policy modeling (ALFA notation).

policy documentAccess{
    target clause actionId=="view" and resourceType=="document"
    apply firstApplicable
    /**
     * Comments-specific rule
     */
    rule allowViewComments{
        target clause fieldType == "comment"
        permit
    }
    /**
     * To view a document means to view its generic fields
     */
    rule allowViewDocument{
        target clause fieldType == "generic"
        permit
    }
    /**
     * A user can view sensitive fields if and only if they are assigned to the doc's project
     */
    rule allowViewSpecialFields{
        target clause fieldType == "sensitive"
        permit
        condition stringAtLeastOneMemberOf(userProject, documentProject)
    }
}
/**
 * Editing a comment is a separate action on the comment field: only its owner may edit it
 */
policy comments{
    target clause actionId=="edit" and fieldType=="comment"
    apply firstApplicable
    rule editOwnComments{
        permit
        condition commentOwner == subjectId
    }
}




I hope this helps.
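To make the first-applicable semantics of the ALFA sample concrete, here is an added evaluator in Python (not part of the original message and not a real PDP): the attribute names mirror the policy above, the request attributes are constructed, and missing attributes are treated as empty bags rather than producing Indeterminate, which a real XACML engine would do.

```python
"""Toy first-applicable evaluator for the two ALFA policies in the reply above.

Added example, not code from the original message. Attribute ids (actionId,
resourceType, fieldType, userProject, documentProject, commentOwner,
subjectId) mirror the ALFA sample; the request values below are constructed.
"""
from typing import Callable, Dict, List

Request = Dict[str, List[str]]  # attribute id -> bag of string values, as in XACML
Pred = Callable[[Request], bool]

def attr(req: Request, name: str) -> List[str]:
    # Simplification: an absent attribute is an empty bag, not Indeterminate.
    return req.get(name, [])

def eq(name: str, value: str) -> Pred:
    # ALFA `name == "value"` on a bag: true if the bag contains the value
    return lambda r: value in attr(r, name)

def string_at_least_one_member_of(a: List[str], b: List[str]) -> bool:
    # XACML string-at-least-one-member-of: some value of bag a is also in bag b
    return any(x in b for x in a)

ALWAYS: Pred = lambda r: True

# Each rule is (target, effect, condition), in the order the ALFA sample lists them.
DOCUMENT_ACCESS = {  # policy documentAccess: view a document, apply firstApplicable
    "target": lambda r: eq("actionId", "view")(r) and eq("resourceType", "document")(r),
    "rules": [
        (eq("fieldType", "comment"), "Permit", ALWAYS),
        (eq("fieldType", "generic"), "Permit", ALWAYS),
        (eq("fieldType", "sensitive"), "Permit",
         lambda r: string_at_least_one_member_of(attr(r, "userProject"),
                                                 attr(r, "documentProject"))),
    ],
}
COMMENTS = {  # policy comments: edit a comment, apply firstApplicable
    "target": lambda r: eq("actionId", "edit")(r) and eq("fieldType", "comment")(r),
    "rules": [(ALWAYS, "Permit", lambda r: attr(r, "commentOwner") == attr(r, "subjectId"))],
}

def evaluate_policy(policy: dict, req: Request) -> str:
    """First-applicable: the first rule whose target and condition hold decides."""
    if not policy["target"](req):
        return "NotApplicable"
    for target, effect, condition in policy["rules"]:
        if target(req) and condition(req):
            return effect
    return "NotApplicable"  # no rule matched; note this is not a Deny

def evaluate(req: Request) -> str:
    """Policy set combining the two policies with first-applicable."""
    for policy in (DOCUMENT_ACCESS, COMMENTS):
        decision = evaluate_policy(policy, req)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"
```

Neither policy ends with a deny rule, so a user outside the document's project who asks to view a sensitive field gets NotApplicable rather than Deny; the PEP enforcing this sample must be deny-biased for that to be safe.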


On Tue, May 13, 2014 at 8:53 AM, Maarten Decat <maarten.decat@cs.kuleuven.be> wrote:
Ray,


1.Anybody who can see a document is allowed to see all comments on it.

This is tricky. You can perhaps do it with the access-permitted function (section A.3.16 of the standard), but implementation of this function is optional and I don't expect many XACML engines to actually implement this (it's just too tricky to get this right without opening up the PDP to denial of service).

Indeed it is tricky. I don't think you can express this as you stated it here. I.e., I don't think XACML allows you to refer to the result of another policy evaluation in this sense, especially not because the object of the latter evaluation (document) would differ from the object of the former evaluation (document).

I think a good option is to put all the rules which permit a user to see a document in a single policy. Then, you can refer to that policy (without the "see document" target) below the "see comment" target. Or just add "see comment" to the "see document target" so that the same rules apply to comments and documents. However, again this solution is a bit strange with regard to the object, since the attributes of the respective document would probably have to be present when evaluating the policy about comments.

Regards,

Maarten
