Subject: Re: [xacml] [policy-model] A Proposal


Good idea, but I strongly suggest test cases be submitted in writing :-)
rgds
ernesto
----- Original Message -----
From: Tim Moses
To: xacml
Sent: Monday, December 10, 2001 3:38 PM
Subject: RE: [xacml] [policy-model] A Proposal

Colleagues - Hal makes a useful suggestion.  Perhaps we should devote the next couple of "model" telecons to the "test cases".  We'll have to do it some time.  So why don't we fully specify a good set of test cases (minus the XACML policy instance, of course).  Then we can invite people to submit the corresponding policies for consideration.  All the best.  Tim.
 

-----------------------------------------
Tim Moses
Tel: 613.270.3183

 
-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Friday, December 07, 2001 9:24 AM
To: 'Simon Godik'; 'Tim Moses'; xacml
Subject: RE: [xacml] [policy-model] A Proposal

I think this is the kind of thing that cannot be argued in the abstract. A complete set of boolean operators can, in principle, express any possible policy. However, it is possible that a particular scheme will make it very awkward to express common sorts of policies.
 
What we need is short example proposals of a possible expression and its semantics, along with examples of policies hard to express in alternative schemes. Bill did something of this sort a couple of weeks ago, but I would have liked to see the intended semantics stated more explicitly.
 
Hal
-----Original Message-----
From: Simon Godik [mailto:sgodik@crosslogix.com]
Sent: Thursday, December 06, 2001 5:54 PM
To: 'Tim Moses'; xacml
Subject: RE: [xacml] [policy-model] A Proposal

Tim,
I think that 'not' does not substitute for 'deny'. From my point of view 'not' is just a logical operation.
You can have 'not' condition in the grant statement and it may or may not fire. If 'not' something evaluates to false
you do not get a 'grant'. 'Deny' on the other hand has implications for role hierarchies and also can have 'not' conditions embedded
in it. I agree with Michiharu that it is better to have explicit 'grant' and 'deny' (or some variation thereof).
 
Simon G.
-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Monday, December 03, 2001 11:20 AM
To: xacml
Subject: RE: [xacml] [policy-model] A Proposal

Michiharu - Thanks for this proposal on extensibility.  I suspect that we will delay discussion of extensibility points until the model is settled.  However, it will become important at that time.

In the model, as currently described, we do not include separate elements for "grant" and "deny".  Instead, the "deny" semantics are provided by "and" and "not" ...

<and>
  <predicate>grant_condition</predicate>
  <not>
    <predicate>deny_condition</predicate>
  </not>
</and>

With this approach, no explicit grant element is required: if the applicable policy evaluates TRUE, then the PDP may return the saml "permit" status code.

All the best.  Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183


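To make the two positions above concrete, here is an added example (not code from the thread or from any XACML implementation) that evaluates the and/not fragment Tim posted and, beside it, a scheme with separate grant and deny trees as Simon prefers. Predicate names, the truth-value "facts" dictionary, the deny-takes-precedence rule and the "not-applicable" label are all assumptions for illustration; the evaluator also accepts an <or> element, which the fragment itself does not use.

```python
import xml.etree.ElementTree as ET

# Constructed policy in the and/not shape from the mail; predicate names are hypothetical.
POLICY_XML = """<and>
  <predicate>grant_condition</predicate>
  <not>
    <predicate>deny_condition</predicate>
  </not>
</and>"""

# Constructed equivalents for the explicit grant/deny scheme.
GRANT_XML = "<predicate>grant_condition</predicate>"
DENY_XML = "<predicate>deny_condition</predicate>"


def evaluate(node, facts):
    """Evaluate an and/or/not/predicate tree against a dict of predicate truth values."""
    tag = node.tag
    if tag == "predicate":
        # Unknown predicates are treated as False (assumed closed-world default).
        return bool(facts.get((node.text or "").strip(), False))
    children = [evaluate(child, facts) for child in node]
    if tag == "and":
        return all(children)
    if tag == "or":
        return any(children)
    if tag == "not":
        if len(children) != 1:
            raise ValueError("<not> takes exactly one child")
        return not children[0]
    raise ValueError(f"unknown element <{tag}>")


def decide_implicit(policy_xml, facts):
    """Tim's scheme: a TRUE policy yields 'permit'; anything else is simply no permit."""
    return "permit" if evaluate(ET.fromstring(policy_xml), facts) else "not-applicable"


def decide_explicit(grant_xml, deny_xml, facts):
    """Simon's scheme: separate grant and deny trees; deny takes precedence (assumed rule)."""
    if evaluate(ET.fromstring(deny_xml), facts):
        return "deny"
    if evaluate(ET.fromstring(grant_xml), facts):
        return "permit"
    return "not-applicable"
```

When the deny condition fires, the and/not form only withholds the permit, while the explicit form can report a distinct "deny" outcome, which is the difference Simon is pointing at.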
-----Original Message-----
From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
Sent: Monday, December 03, 2001 7:24 AM
To: xacml
Subject: [xacml] [policy-model] A Proposal


I drew a picture of the desirable extensibility of the XACML policy model
based on the currently proposed XACML language document.

(See attached file: ModelProposal.ppt)(See attached file:
ModelProposal.pdf)

Best regards,
Michiharu Kudo


