
Subject: [xacml] Reconciling potentially contradictory policies

Colleagues -

For the purposes of this discussion, let's use the word "policy" to mean the set of rules governing access to a resource/action pair that is defined by a single policy-writer (this assumes an "access-control" style of policy model).

There may be more than one policy-writer (and, therefore, more than one policy) governing access to a particular resource/action pair.

Generally, the PDP has to locate, retrieve and verify the policies applicable to the decision request that it is processing.

This raises the question: "How does the PDP locate, retrieve and verify the 'complete list' of policies?"  And, the related question: "How does the PDP know which policy-writers are authoritative for the decision request that it is processing?"

Here is one practical answer.  There may be others.  But, I suggest that this one should be accommodated in our model.

If there were to be a single PRP for a particular resource, and the PRP were to be a "trusted" component, then it could be relied upon to return the complete list of policies written by all authoritative policy-writers that are relevant to the particular resource/action pair.

The PRP aggregates all the policies written by policy-writers who are authoritative for the resource (thereby serving an efficiency function).  And, it isolates the PDP from knowledge of individual policy-writers.

In this model, the PRP is responsible for administering policy-writers, reconciling any contradictions in the policies they write and assuring the integrity of the aggregate policy, as it is communicated to the PDP.

In concrete terms, the PRP might offer an on-line interface to policy-writers, and construct and sign a single (self-consistent) policy, identified with the resource/action pair, distributing it (perhaps) via LDAP.

Alternatively, our model could allow a PDP to recognize multiple policy-writers for a given resource.  But, then it would be faced with the job of reconciling potentially contradictory policies "at run-time".

The upshot is, I think, that we need to define the PRP, and understand whether it is a trusted component, as I have described above, or simply a distribution channel.

All the best.  Tim.

Tim Moses
Tel: 613.270.3183
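The "trusted PRP" model sketched in the message above, as an added worked example; this is not code from the email, from the XACML TC or from any OASIS specification. It assumes a constructed scenario (a "payroll-db"/"read" pair with two authoritative policy-writers, subject roles as the only matching attribute), uses deny-overrides as the reconciliation strategy for contradictory rules, and stands in an HMAC for the signature a real PRP would apply (for example an XML-DSig over the distributed policy). The PRP refuses rules from non-authoritative writers, reports contradictions, emits one signed self-consistent policy per resource/action pair, and the PDP refuses to decide on any policy whose integrity check fails.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed key for the example; a real PRP would sign with an asymmetric key.
PRP_SIGNING_KEY = b"constructed-shared-secret-for-demo"


@dataclass(frozen=True)
class Rule:
    writer: str    # identity of the policy-writer who authored the rule
    resource: str  # resource the rule governs
    action: str    # action on that resource
    subject: str   # subject role the rule applies to ("*" = any subject)
    effect: str    # "Permit" or "Deny"


class PRP:
    """Trusted policy retrieval point: administers policy-writers, aggregates
    their rules per resource/action pair, reconciles contradictions and signs
    the result so the PDP never needs to know the individual writers."""

    def __init__(self, authoritative, signing_key):
        # {(resource, action): {writer, ...}}: who may write policy for each pair
        self.authoritative = authoritative
        self.key = signing_key
        self.rules = []

    def submit(self, rule):
        """Accept a rule only from a writer authoritative for its resource/action."""
        allowed = self.authoritative.get((rule.resource, rule.action), set())
        if rule.writer not in allowed:
            raise PermissionError(f"{rule.writer} is not authoritative for "
                                  f"{rule.resource}/{rule.action}")
        self.rules.append(rule)

    def _effects_by_subject(self, resource, action):
        grouped = {}
        for r in self.rules:
            if (r.resource, r.action) == (resource, action):
                grouped.setdefault(r.subject, set()).add(r.effect)
        return grouped

    def contradictions(self, resource, action):
        """Subjects for which the writers gave both Permit and Deny."""
        return sorted(s for s, e in self._effects_by_subject(resource, action).items()
                      if len(e) > 1)

    def aggregate(self, resource, action):
        """Build one self-consistent policy (deny-overrides) and sign it."""
        reconciled = {s: ("Deny" if "Deny" in e else "Permit")
                      for s, e in self._effects_by_subject(resource, action).items()}
        policy = {"resource": resource, "action": action,
                  "rules": sorted(reconciled.items())}
        body = json.dumps(policy, sort_keys=True, separators=(",", ":"))
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body, sig


class PDP:
    """Decision point: evaluates only policies whose signature verifies."""

    def __init__(self, verify_key):
        self.key = verify_key

    def decide(self, signed_policy, subject):
        body, sig = signed_policy
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("policy integrity check failed; refusing to decide")
        rules = dict(json.loads(body)["rules"])
        # A subject-specific rule wins over a wildcard rule; otherwise NotApplicable.
        return rules.get(subject, rules.get("*", "NotApplicable"))


def demo():
    """Run the constructed scenario and return the observable results."""
    prp = PRP({("payroll-db", "read"): {"hr-admin", "finance-admin"}}, PRP_SIGNING_KEY)
    pdp = PDP(PRP_SIGNING_KEY)
    for rule in [
        Rule("hr-admin", "payroll-db", "read", "hr-staff", "Permit"),
        Rule("finance-admin", "payroll-db", "read", "hr-staff", "Deny"),  # contradicts
        Rule("hr-admin", "payroll-db", "read", "auditor", "Permit"),
        Rule("finance-admin", "payroll-db", "read", "contractor", "Deny"),
    ]:
        prp.submit(rule)
    rejected = None
    try:  # a writer nobody authorised for this pair is turned away
        prp.submit(Rule("intern", "payroll-db", "read", "*", "Permit"))
    except PermissionError:
        rejected = "intern"
    signed = prp.aggregate("payroll-db", "read")
    decisions = {s: pdp.decide(signed, s)
                 for s in ["hr-staff", "auditor", "contractor", "guest"]}
    # Alter the distributed policy (as could happen on the way through LDAP)
    # and confirm the PDP rejects it rather than acting on it.
    tampered = (signed[0].replace('"Deny"', '"Permit"'), signed[1])
    try:
        pdp.decide(tampered, "hr-staff")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"contradictions": prp.contradictions("payroll-db", "read"),
            "decisions": decisions, "rejected_writer": rejected,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the split is visible in `PDP.decide`: the decision point carries no notion of policy-writers at all, only a verification key, so the "which writers are authoritative" question is answered once, inside the PRP, rather than at every decision. Running the script shows the hr-staff contradiction reported by the PRP and resolved to Deny, the intern's submission rejected, and the tampered policy refused.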
