xacml message


Subject: RE: [xacml] policy subcommittee meeting on Dec. 10 - minutes


> The current draft does not support explicit deny semantics for the
> rules but ``simulates'' them through the use of boolean operators for
> combining single rules. As an example if you want to give access to
> all EMPLOYEES but JOE, you would specify a rule where the
> pre-condition would give the permission to the principals satisfying
> the predicates ``user is in EMPLOYEES but user is not JOE''. You would
> then combine this rule in AND with other rules.
> While operators can indeed be used in several cases instead of
> ``deny'' rules, they cannot however substitute them completely. The
> problem is that the ``is not JOE'' portion of the precondition above
> applies only within the rule and it has no effect on other rules of
> the policy (even if the rule is combined in AND).

This is exactly why I said we must examine proposals with completely specified semantics. You seem to be assuming some semantics which at best are just one of several choices, and to me seem counterintuitive.

When I learned logic, the following would evaluate to false for "Joe", therefore access would be denied.

(group = "employee") and (not(user = "Joe"))

Suppose I combine that with another rule using AND, for example:

((group = "employee") and (not(user = "Joe"))) and (time is between 9:00 - 17:00)

This still evaluates to false for Joe, so his access is still denied.

This is at least as reasonable a way to interpret these boolean expressions as any other.

> There is therefore a discussion on the explicit support of negative
> rules (``deny''), where the presence of ``permit'' and ``deny'' rule
> for a same request could be solved in different ways (denials take
> precedence being an example of that).
> It is noted that deny semantics can bring side effects in the policy
> composition process (XACML allows policies to be combined with boolean
> operator to produce a global policy, e.g., P = P1 AND P2; P = P1 OR
> P2).

I don't think we have any agreement on how policies are combined. Certainly this is one possible way.

> For instance, suppose global policy P is defined as P=P1 OR
> P2. Consider a request R, and suppose that P1 has a ``permit'' for R.
> Would what P2 says make a difference for the overall decision? In
> other words what if P2 has a ``deny'' for R? should it be different
> from the case where P2 does not have anything for R? (if so the
> composition would become much more complicated and the evaluation
> process less efficient as all the policies in an expression should be
> evaluated always).
> There is general consensus among the people on the concall that policy
> composition should operate on the decisions of the policy, not on the
> rules in it.

I don't understand what you mean by this at all.

> So whether P2 could have a negative response to the
> request because of the absence of a ``permit'' for it or because of a
> ``deny'' for it should not make a difference.

I think I agree with that, but I am not sure.

I think Bill is correct in his response: There are two general approaches.

1. Some kind of syntax which makes explicit the order of operations. This could be some precedence between permit or deny, or the rules of evaluation of some grammar, e.g. infix notation, postfix notation, etc.

2. A convention of evaluation in textual order of specification.

Number 2 is problematic if policies are generated independently by multiple parties.
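The two combination styles argued over in this exchange, modelled as an added example (not code from the message, the thread, or any XACML draft). It assumes a toy group EMPLOYEES, a user "joe", a business-hours check, and three-valued decisions Permit / Deny / NotApplicable; the combining algorithms deny-overrides and permit-overrides are the usual readings of "denials take precedence" and "P = P1 OR P2" on decisions, used here as illustrative assumptions.

```python
"""Toy model of rule-level boolean combination versus decision-level
combination with explicit deny. Added example; names and data below are
constructed for illustration, not taken from any XACML draft."""
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"


# Constructed sample data (assumption): one group, two users, an hour field.
EMPLOYEES = {"alice", "joe"}


def in_employees(req):
    return req["user"] in EMPLOYEES


def is_joe(req):
    return req["user"] == "joe"


def business_hours(req):
    return 9 <= req["hour"] < 17


# Style 1 (the draft's "simulated deny"): a rule is a boolean condition and
# rules are combined with AND/OR; true means Permit, false means no permit.
def employee_but_not_joe(req):
    return in_employees(req) and not is_joe(req)


def boolean_policy(conditions, op="and"):
    combine = all if op == "and" else any
    return lambda req: (Decision.PERMIT if combine(c(req) for c in conditions)
                        else Decision.NOT_APPLICABLE)


# Style 2: a rule yields a decision (its effect when its target matches,
# otherwise NotApplicable) and a combining algorithm merges decisions.
class Rule:
    def __init__(self, target, effect):
        self.target, self.effect = target, effect

    def evaluate(self, req):
        return self.effect if self.target(req) else Decision.NOT_APPLICABLE


def deny_overrides(decisions):
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE


def permit_overrides(decisions):
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    if Decision.DENY in decisions:
        return Decision.DENY
    return Decision.NOT_APPLICABLE


def decision_policy(rules, combine):
    return lambda req: combine([r.evaluate(req) for r in rules])


def demo():
    joe = {"user": "joe", "hour": 10}
    alice = {"user": "alice", "hour": 10}
    out = {}
    # "not Joe" inside one rule, ANDed with a time rule: Joe still gets no permit.
    p_and = boolean_policy([employee_but_not_joe, business_hours], "and")
    out["and_joe"], out["and_alice"] = p_and(joe), p_and(alice)
    # ORed with a rule permitting all employees, the "not Joe" part has no
    # effect outside its own rule: Joe is permitted.
    p_or = boolean_policy([employee_but_not_joe, in_employees], "or")
    out["or_joe"] = p_or(joe)
    # An explicit Deny under deny-overrides blocks Joe whatever else permits him.
    rules = [Rule(in_employees, Decision.PERMIT), Rule(is_joe, Decision.DENY)]
    p_deny = decision_policy(rules, deny_overrides)
    out["deny_overrides_joe"], out["deny_overrides_alice"] = p_deny(joe), p_deny(alice)
    # Composition on decisions: P1 permits Joe, P2 either denies him or says nothing.
    p1 = decision_policy([Rule(in_employees, Decision.PERMIT)], deny_overrides)
    p2 = decision_policy([Rule(is_joe, Decision.DENY)], deny_overrides)
    p2_silent = decision_policy([], deny_overrides)
    # P = P1 OR P2 read as permit-overrides: P2's Deny and P2's silence agree.
    out["or_p2_deny"] = permit_overrides([p1(joe), p2(joe)])
    out["or_p2_silent"] = permit_overrides([p1(joe), p2_silent(joe)])
    # P = P1 AND P2 read as deny-overrides: now they differ, the side effect.
    out["and_p2_deny"] = deny_overrides([p1(joe), p2(joe)])
    out["and_p2_silent"] = deny_overrides([p1(joe), p2_silent(joe)])
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision.value}")
```

The first three results reproduce both positions in the thread: with AND the boolean reading denies Joe, as the reply says, but with OR the "is not JOE" predicate only constrains its own rule. The last four show why the choice of combining operator on decisions decides whether an explicit Deny in P2 is observable at all.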


