OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [xacml] Is authorization decision a postcondition?


Hi Hal,

> We need to decide as a matter of terminology, whether the
> decision to allow or prohibit access is considered one of the
> post conditions (presumably mandatory) or is it considered a
> seperate thing? Personally I don't feel strongly either way,
> but I would like to be clear on what is meant when the term
> post conditions is used.

I think that the post-condition should be separate from the
access decision. In other words, the post-condition is just an option
of the access control policy specification but the access decision
(grant or deny) is not an option but a mandatory specification.

>The simplest scheme is that if the conflict is resolved to true, then
>all the post conditions that are associated with rules that evaluate to
>true must occur and those associated with rules that evaluate to false
> are not required to occur. But is this the right answer?

I think that is right. You are considering the most complicated policy
that allows post-conditions as well as positive and negative permission.
In this case, the policy evaluator first resolves conflict w.r.t grant or
deny access, then deal with post-condition(s) that are specified in
the corresponding rules.

In fact, there are four cases of the access decision as follows:
1. positive decision
2. negative decision
3. positive decision + post-condition(s)
4. negative decision + post-condition(s)

The first two cases do not imply any post-condition.
The third case means that "access is allowed but such and such
post-condition(s) must be executed"
The fourth case means that "access is not allowed but such and
such post-condition(s) must still be executed"

The fourth case sounds a little strange but it can represent
some intrusion detection policy such as "access from xx.yy.zz
is not allowed but notification must be sent to the security admin"

>It just occurred to me that there is a substantive question related to
this.
>Currently, a policy conflict occurs when you have 2 or more rules and they
>get different answers. Presumably this means how you decide to allow or
not
> allow access. But what about the various post conditions associated with
the
>rules? How does the PDP decide which post conditions should occur?

There are a couple of ways to compute applicable post-condition(s).

1. Gather every post-condition specified in the applied policy rules (and
optionally remove any duplicated condition)
2. Prioritize post-condition based on the applied policy rules and select
the
most appropriate one.
3. Prioritize post-condition based on the layer of the object and subject
hierarchy in the applied policy rules and select the most appropriate one.
For example, the post-condition written in the rule that is specified for
more concrete group (project X) overrides the post-condition that is
specified for more abstract group (department A).

The first case is the easiest one and this could be a default
post-condition
resolution policy. The second and third cases need more information about
rules and hierarchies and it can vary dependent on each application.

Best regards,
Michiharu Kudo


From: Hal Lockhart <hal.lockhart@entegrity.com> on 2001/11/30 05:43

Please respond to Hal Lockhart <hal.lockhart@entegrity.com>

To:   Hal Lockhart <hal.lockhart@entegrity.com>,
      "'xacml@lists.oasis-open.org'" <xacml@lists.oasis-open.org>
cc:
Subject:  RE: [xacml] Is authorization decision a postcondition?





It just occurred to me that there is a substantive question related to
this. Currently, a policy conflict occurs when you have 2 or more rules and
they get different answers. Presumably this means how you decide to allow
or not allow access. But what about the various post conditions associated
with the rules? How does the PDP decide which post conditions should occur?

The simplest scheme is that if the conflict is resolved to true, then all
the post conditions that are associated with rules that evaluate to true
must occur and those associated with rules that evaluate to false are not
required to occur. But is this the right answer?

Hal

> We need to decide as a matter of terminology, whether the
> decision to allow or prohibit access is considered one of the
> post conditions (presumably mandatory) or is it considered a
> seperate thing? Personally I don't feel strongly either way,
> but I would like to be clear on what is meant when the term
> post conditions is used.
>
> Hal
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC