Subject: Re: [xacml-users] Policy question
On 05/13/2014 08:53 AM, Maarten Decat wrote:
> Ray,
>
> 1. Anybody who can see a document is allowed to see all comments on it.
>
> This is tricky. You can perhaps do it with the access-permitted function
> (section A.3.16 of the standard), but implementation of this function is
> optional and I don't expect many XACML engines to actually implement this
> (it's just too tricky to get this right without opening up the PDP to
> denial of service).
>
> Indeed it is tricky. I don't think you can express this as you stated it
> here. I.e., I don't think XACML allows you to refer to the result of
> another policy evaluation in this sense, especially not because the object
> of the latter evaluation (document) would differ from the object of the
> former evaluation (document).
Read section A.3.16 (the one describing the access-permitted function). It is quite clear from that section that this is indeed possible. I wouldn't recommend it though for the reasons I gave above.
David's approach seems better to me, so here's my take on it:

  PolicySet CombiningAlg=DenyOverride {
    Target (high-level resource = document)

    Policy
      Target (action = read access)
      Rule (if not read access to document deny)

    ... (other policies) ...

    Policy (no conditions)
      Permit
  }

When you try to read a comment, the PEP translates this to a hierarchical request. The higher level hierarchical resource is the document, the lower level are the comments. Therefore the evaluation goes into the PolicySet above.
Then the first policy checks if the subject has read access to the document and if not it denies access.
If all other requirements are fulfilled (the '...' each of which could deny access), the evaluation falls through to the last policy which is an unconditional permit.
This policy would control both read access to the document and to the document comments.
/Ludwig

-- 
Ludwig Seitz, PhD
SICS Swedish ICT AB
Ideon Science Park
Building Beta 2
Scheelevägen 17
SE-223 70 Lund
Phone +46(0)70-349 92 51
http://www.sics.se
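The PolicySet sketched in the mail above, written out as a XACML 3.0 policy. This is an added example, not code from Ludwig or from the xacml-users thread. It assumes two resource attributes that the PEP/context handler supplies with the request: `urn:example:attribute:resource-type`, set to `document` for the top-level hierarchical resource (a deployment using the Hierarchical Resource Profile could instead match on the resource-ancestor attributes it defines), and `urn:example:attribute:document-readers`, a bag of subject-ids allowed to read the enclosing document. Every `urn:example:` identifier is made up for this illustration; the `urn:oasis:` function, category and attribute identifiers are the standard ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: XACML 3.0 rendering of the PolicySet sketched in the mail.
     All urn:example:* identifiers are assumptions for this illustration. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="urn:example:policyset:document-and-comments"
    Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">

  <Description>Read access to a document and to the comments under it</Description>

  <!-- Target: the top-level hierarchical resource is a document.
       Assumption: the PEP/context handler sets resource-type=document on
       requests for a document and for any comment under that document. -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">document</AttributeValue>
          <AttributeDesignator
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:example:attribute:resource-type"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <!-- Policy 1: for read actions, Deny unless the subject may read the document -->
  <Policy PolicyId="urn:example:policy:require-document-read"
      Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Rule RuleId="urn:example:rule:deny-without-document-read" Effect="Deny">
      <!-- Condition: NOT (subject-id is in the document's reader list).
           Assumption: document-readers is a bag of subject-ids that the
           context handler resolves for the enclosing document. -->
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
              <AttributeDesignator
                  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string"
                  MustBePresent="true"/>
            </Apply>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:example:attribute:document-readers"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true"/>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
  </Policy>

  <!-- ... other policies go here; any of them may return Deny, and
       deny-overrides will honour it before the final Permit is reached ... -->

  <!-- Last policy: unconditional Permit, effective only if nothing above denied -->
  <Policy PolicyId="urn:example:policy:fall-through-permit"
      Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
    <Target/>
    <Rule RuleId="urn:example:rule:permit-all" Effect="Permit"/>
  </Policy>
</PolicySet>
```

Two design points worth checking in a real deployment. First, `MustBePresent="true"` on the subject-id and reader-list designators means a request that lacks either attribute makes the Deny rule Indeterminate instead of silently evaluating to NotApplicable and falling through to the Permit; under deny-overrides the PolicySet then returns Indeterminate rather than Permit, so a PEP that only grants on Permit fails closed. Second, because the whole PolicySet is gated on the top-level resource being a document, the same reader-list check is applied whether the requested resource is the document itself or a comment beneath it, which is exactly what requirement 1 asks for.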