Subject: [xacml] [model] implementing global "deny" using 0.8 and meta-policies
Implementing global "deny" semantics using schema 0.8 and meta-policies

USE CASE: policy is to deny access to Principal "Anne Anderson" under all conditions. The policy is distributed across many sub-policies, which are all combined to produce the global policy that is to be applied.

Michiharu's concern was with needing to put something like

    <not>
      <equal>
        <valueRef entity="principal">saml:Subject/NameIdentifier/Name</valueRef>
        <value>"Anne Anderson"</value>
      </equal>
    </not>

into every sub-policy if there was no global "deny" syntax.

My proposed solution depends on the idea of having meta-policies. I think meta-policies solve multiple problems:

  1. "where do I get policies",
  2. knowing when you have obtained all the relevant policies,
  3. knowing how to combine policies,
  4. being able to implement global "deny",

and meta-policies do not introduce any new syntax. It is just very explicit in specifying what "applicable policy" means.

SOLUTION

Each PDP (or PRP) needs to be configured with a single policy that serves as that PDP's "meta-policy". The syntax of this single policy is exactly that in 0.8. This "meta-policy" determines where and under what conditions various sub-policies are retrieved.

I may not be using <externalFunction> correctly, or the subpolicies may need more enclosing namespace information, but I hope these examples will give the idea. The final example shows how global "deny" semantics are implemented.

EXAMPLE SIMPLE META-POLICY FOR DISTRIBUTED POLICIES:

    <?xml version="1.0" encoding="UTF-8"?>
    <applicablePolicy xmlns=...
        issuer="<identity that ultimately controls policy for this PDP>"
        policyName="...">
      <!-- target omitted, since this policy applies to all targets -->
      <policy>
        <and>
          <externalFunction>http://www.site1/policy1.xml</externalFunction>
          <externalFunction>http://www.site2/policy2.xml</externalFunction>
          ...
        </and>
      </policy>
    </applicablePolicy>

What is found at each of the <externalFunction> locations is another <applicablePolicy>, which may be more specific as to which resources it applies to (that applicablePolicy in turn may refer to still other policies). If one of these <applicablePolicy> elements does not apply to the current request, then the result is "does not apply" and does not affect the result of the <and> evaluation.

META-POLICY THAT USES SUB-POLICIES BASED ON RESOURCE

    <?xml version="1.0" encoding="UTF-8"?>
    <applicablePolicy xmlns=...
        issuer="<identity that ultimately controls policy for this PDP>"
        policyName="...">
      <!-- target omitted, since this policy applies to all targets -->
      <policy>
        <or>
          <and>
            <equal>
              <valueRef>saml:Resource</valueRef>
              <value>"file:/host1/*"</value>
            </equal>
            <externalFunction>http://www.site1/policy1.xml</externalFunction>
          </and>
          <and>
            <equal>
              <valueRef>saml:Resource</valueRef>
              <value>"file:/host2/*"</value>
            </equal>
            <externalFunction>http://www.site2/policy2.xml</externalFunction>
          </and>
          ...
        </or>
      </policy>
    </applicablePolicy>

META-POLICY THAT IMPLEMENTS GLOBAL DENY SEMANTICS

    <?xml version="1.0" encoding="UTF-8"?>
    <applicablePolicy xmlns=...
        issuer="<identity that ultimately controls policy for this PDP>"
        policyName="...">
      <!-- target omitted, since this policy applies to all targets -->
      <policy>
        <and>
          <not>
            <equal>
              <valueRef entity="principal">saml:Subject/NameIdentifier/Name</valueRef>
              <value>"Anne Anderson"</value>
            </equal>
          </not>
          <or>
            <and>
              <equal>
                <valueRef>saml:Resource</valueRef>
                <value>"file:/host1/*"</value>
              </equal>
              <externalFunction>http://www.site1/policy1.xml</externalFunction>
            </and>
            <and>
              <equal>
                <valueRef>saml:Resource</valueRef>
                <value>"file:/host2/*"</value>
              </equal>
              <externalFunction>http://www.site2/policy2.xml</externalFunction>
            </and>
            ...
          </or>
        </and>
      </policy>
    </applicablePolicy>

For administrative ease in a more realistic situation, the set of globally denied attribute/value combinations would be placed in one <externalFunction> policy.

Anne

--
Anne H. Anderson                         Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311              Tel:   781/442-0928
Burlington, MA 01803-0902 USA            Fax:   781/442-1692
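The combining semantics the post relies on (an <externalFunction> sub-policy that does not apply to the request yields "does not apply" and is ignored by the enclosing <and>, while the outer <not><equal> guard is still ANDed with everything) can be checked with a small three-valued evaluator. The code below is an added illustration written for this archive page, not Anne Anderson's code and not part of any XACML draft. It assumes a tuple-based encoding of the 0.8 elements (and/or/not/equal/externalFunction), assumes that the wildcard in values such as "file:/host1/*" is glob-style matching, and replaces the URL fetch with a constructed in-memory table of sub-policies; all of those are assumptions, as is the choice to treat a missing request attribute as "does not apply".

```python
from fnmatch import fnmatchcase

# Sentinel for the draft's "does not apply" outcome, distinct from True/False
# (assumed representation; the 0.8 text does not name a value for it).
NOT_APPLICABLE = object()

# Constructed sub-policies standing in for what an <externalFunction> URL
# would return: each has a resource target and a decision expression.
SUB_POLICIES = {
    "http://www.site1/policy1.xml": {
        "target": ("saml:Resource", "file:/host1/*"),
        "policy": ("equal", "saml:Resource", "file:/host1/docs/*"),
    },
    "http://www.site2/policy2.xml": {
        "target": ("saml:Resource", "file:/host2/*"),
        "policy": ("const", True),
    },
}

# The post's third example (global deny wrapped around resource-based
# dispatch), encoded as nested tuples.
GLOBAL_DENY_META_POLICY = (
    "and",
    ("not", ("equal", "saml:Subject/NameIdentifier/Name", "Anne Anderson")),
    ("or",
        ("and", ("equal", "saml:Resource", "file:/host1/*"),
                ("external", "http://www.site1/policy1.xml")),
        ("and", ("equal", "saml:Resource", "file:/host2/*"),
                ("external", "http://www.site2/policy2.xml")),
    ),
)


def evaluate(expr, request, fetch):
    """Evaluate an expression to True, False or NOT_APPLICABLE.

    request: dict mapping attribute references (as written in <valueRef>)
             to their values for the current request.
    fetch:   callable resolving an <externalFunction> URL to a sub-policy.
    """
    op = expr[0]
    if op == "const":
        return expr[1]
    if op == "equal":
        actual = request.get(expr[1])
        if actual is None:
            # Attribute absent from the request: assumed "does not apply".
            return NOT_APPLICABLE
        return fnmatchcase(actual, expr[2])
    if op == "not":
        inner = evaluate(expr[1], request, fetch)
        return inner if inner is NOT_APPLICABLE else (not inner)
    if op in ("and", "or"):
        results = [evaluate(e, request, fetch) for e in expr[1:]]
        # Per the post: "does not apply" operands do not affect the result.
        applicable = [r for r in results if r is not NOT_APPLICABLE]
        if not applicable:
            return NOT_APPLICABLE
        return all(applicable) if op == "and" else any(applicable)
    if op == "external":
        sub = fetch(expr[1])
        ref, pattern = sub["target"]
        actual = request.get(ref)
        if actual is None or not fnmatchcase(actual, pattern):
            return NOT_APPLICABLE  # sub-policy's target does not match
        return evaluate(sub["policy"], request, fetch)
    raise ValueError(f"unknown operator {op!r}")


def decide(request, meta_policy=GLOBAL_DENY_META_POLICY,
           fetch=lambda url: SUB_POLICIES[url]):
    """Map the three-valued result onto a PDP decision string."""
    result = evaluate(meta_policy, request, fetch)
    if result is NOT_APPLICABLE:
        return "NotApplicable"
    return "Permit" if result else "Deny"


if __name__ == "__main__":
    # Constructed sample requests.
    for name, resource in [("Anne Anderson", "file:/host1/docs/report.txt"),
                           ("Bob", "file:/host1/docs/report.txt"),
                           ("Bob", "file:/host1/secret.txt")]:
        req = {"saml:Subject/NameIdentifier/Name": name,
               "saml:Resource": resource}
        print(name, resource, "->", decide(req))
```

One property worth noticing when the global guard is modelled this way: because a missing subject attribute makes the <not><equal> branch evaluate to "does not apply", and "does not apply" is ignored by the enclosing <and>, a request that carries no NameIdentifier at all is decided purely by the resource sub-policies and sails past the deny. A PDP that wants the guard to be fail-closed has to treat an absent attribute as a non-match (so <not> yields true only when the name is present and different) or reject requests lacking the attribute the guard depends on.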