Subject: RE: [xacml] Is authorization decision a postcondition?
Hi Hal,

> We need to decide as a matter of terminology, whether the
> decision to allow or prohibit access is considered one of the
> post conditions (presumably mandatory) or is it considered a
> separate thing? Personally I don't feel strongly either way,
> but I would like to be clear on what is meant when the term
> post conditions is used.

I think that the post-condition should be separate from the access decision. In other words, the post-condition is just an option of the access control policy specification but the access decision (grant or deny) is not an option but a mandatory specification.

> The simplest scheme is that if the conflict is resolved to true, then
> all the post conditions that are associated with rules that evaluate to
> true must occur and those associated with rules that evaluate to false
> are not required to occur. But is this the right answer?

I think that is right. You are considering the most complicated policy that allows post-conditions as well as positive and negative permission. In this case, the policy evaluator first resolves conflict w.r.t. grant or deny access, then deals with post-condition(s) that are specified in the corresponding rules. In fact, there are four cases of the access decision as follows:

1. positive decision
2. negative decision
3. positive decision + post-condition(s)
4. negative decision + post-condition(s)

The first two cases do not imply any post-condition. The third case means that "access is allowed but such and such post-condition(s) must be executed". The fourth case means that "access is not allowed but such and such post-condition(s) must still be executed". The fourth case sounds a little strange but it can represent some intrusion detection policy such as "access from xx.yy.zz is not allowed but notification must be sent to the security admin".

> It just occurred to me that there is a substantive question related to this.
> Currently, a policy conflict occurs when you have 2 or more rules and they
> get different answers. Presumably this means how you decide to allow or not
> allow access. But what about the various post conditions associated with the
> rules? How does the PDP decide which post conditions should occur?

There are a couple of ways to compute applicable post-condition(s).

1. Gather every post-condition specified in the applied policy rules (and optionally remove any duplicated condition)
2. Prioritize post-condition based on the applied policy rules and select the most appropriate one.
3. Prioritize post-condition based on the layer of the object and subject hierarchy in the applied policy rules and select the most appropriate one. For example, the post-condition written in the rule that is specified for more concrete group (project X) overrides the post-condition that is specified for more abstract group (department A).

The first case is the easiest one and this could be a default post-condition resolution policy. The second and third cases need more information about rules and hierarchies and it can vary dependent on each application.

Best regards,
Michiharu Kudo

From: Hal Lockhart <hal.lockhart@entegrity.com> on 2001/11/30 05:43
Please respond to Hal Lockhart <hal.lockhart@entegrity.com>
To: Hal Lockhart <hal.lockhart@entegrity.com>, "'xacml@lists.oasis-open.org'" <xacml@lists.oasis-open.org>
cc:
Subject: RE: [xacml] Is authorization decision a postcondition?

It just occurred to me that there is a substantive question related to this.

Currently, a policy conflict occurs when you have 2 or more rules and they get different answers. Presumably this means how you decide to allow or not allow access. But what about the various post conditions associated with the rules? How does the PDP decide which post conditions should occur?

The simplest scheme is that if the conflict is resolved to true, then all the post conditions that are associated with rules that evaluate to true must occur and those associated with rules that evaluate to false are not required to occur. But is this the right answer?

Hal

> We need to decide as a matter of terminology, whether the
> decision to allow or prohibit access is considered one of the
> post conditions (presumably mandatory) or is it considered a
> separate thing? Personally I don't feel strongly either way,
> but I would like to be clear on what is meant when the term
> post conditions is used.
>
> Hal
>
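
The evaluation order discussed in this thread (resolve grant/deny first, then compute post-conditions from the rules that agree with the decision), as an added example that is not part of the original messages or of any XACML specification or implementation. Assumptions: the Rule fields (including the hypothetical depth value), deny-overrides conflict resolution, default deny, modeling a source network as a subject group, and the constructed sample policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    subject_group: str           # group the rule is written for
    effect: str                  # "grant" or "deny"
    post_conditions: tuple = ()  # actions that must accompany the decision
    depth: int = 0               # hypothetical: larger = more concrete group

def decide(rules, subject_groups, strategy="gather"):
    """Return (decision, post_conditions) for a subject's group memberships."""
    applied = [r for r in rules if r.subject_group in subject_groups]
    if not applied:
        return "deny", []        # assumption: default deny, nothing to execute
    # Step 1: resolve the grant/deny conflict (assumption: deny-overrides).
    decision = "deny" if any(r.effect == "deny" for r in applied) else "grant"
    # Step 2: only rules that agree with the resolved decision contribute;
    # post-conditions of the losing rules are not required to occur.
    winners = [r for r in applied if r.effect == decision]
    if strategy == "most_specific":
        # Option 3 in the thread: the rule written for the most concrete
        # group overrides rules written for more abstract groups.
        winners = [max(winners, key=lambda r: r.depth)]
    # Option 1 in the thread: gather everything, dropping duplicates in order.
    gathered = []
    for rule in winners:
        for pc in rule.post_conditions:
            if pc not in gathered:
                gathered.append(pc)
    return decision, gathered

# Constructed sample policy (not taken from the thread).
RULES = [
    Rule("department-A", "grant", ("log-access", "archive"), depth=1),
    Rule("project-X", "grant", ("log-access", "notify-owner"), depth=2),
    Rule("blocked-network", "deny", ("notify-security-admin",), depth=1),
]

if __name__ == "__main__":
    member = {"department-A", "project-X"}
    print(decide(RULES, member))                          # option 1
    print(decide(RULES, member, "most_specific"))         # option 3
    print(decide(RULES, member | {"blocked-network"}))    # deny + post-condition
```

The last call is the fourth case from the reply: access is denied, the grant rules' post-conditions are dropped, and the deny rule's notification must still be carried out by whoever enforces the decision.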