[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] Boolean Policy resolution
Colleagues, Attached is the write-up of the Boolean Policy proposal (plain text) that I presented at the Face-to-Face. This version includes all the comments and modifications made during the review and discussion. Open issues that were not agreed on are in [...]. This was discussed prior to Simon's alternative proposal, so does not include additional modifications that may be required by that. Anne -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
Predicate: an expression that evaluates to TRUE, FALSE,
NOT-APPLICABLE, or ERROR. Relational expresssions,
Combinator expressions, <xacml:policy> elements,
<xacml:applicablePolicyReference> elements, and
<xacml:applicablePolicy> elements are all Predicates.
Relational expression: a Relational expression is a Predicate
that compares a value relevant to the Access Request with
another value relevant to the Access Request or with a
literal value.
A Relational expression never evaluates to NOT-APPLICABLE.
A Relational expression evaluates to ERROR if the expression
can not be evaluated for any reason, such as inability to
access a value in the predicate.
Combinator: an operator that can be used to combine
Predicates.
Combinator expression: A Combinator expression is the operator and the
Predicates to which it applies. A Combinator expression is
itself a Predicate.
A Combinator expression evaluates to ERROR if any of the
Predicates to which it applies and which are evaluated as
part of producing a result evaluates to ERROR.
A Combinator expression evaluates to NOT-APPLICABLE if all of
its component Predicates evaluate to NOT-APPLICABLE.
A Combinator expression in which some, but not all of the
Predicates to which it applies evaluates to NOT-APPLICABLE is
evaluated as if the NOT-APPLICABLE Predicates were removed
from the Combinator expression.
An empty Combinator expression evaluates to [NOT-APPLICABLE].
The xacml-defined Combinators are AND, OR, NOT, N-OF,
ORDERED-AND, ORDERED-OR, and ORDERED-N-OF. AND, OR, NOT, and
N-OF Combinators are implemented such that the order of
evaluation is not specified, and such that only a sufficient
set of predicates to determine a result are evaluated.
ORDERED-* Combinators require that the Predicates to which
they apply be evaluated in order until a result is obtained.
N-OF(*) means "at least N of" the Predicates to which it
applies must be TRUE.
E.g. <N-OF n=3>
P1
P2
P3
P4
</N-OF>
It is an error for an <N-OF> Combinator expression to have an
n= attribute value that is greater than the number of
predicates to which the combinator applies. n=1 is
equivalent to OR. [n=0 is ...].
The set of Combinators may be extended by [specifying a name
for the new Combinator, a URI that is associated with the
semantics of the new Combinator, and a type that specifies
the way the URI is to be interpreted. Not all XACML PDPs
will be able to interpret all extensions, but any PDP that
can handle the specified type and can access the specified
URI can handle the specified extended Combinator.]
An example of a possible extended Combinator is
BEST-MATCH-OR. [The type for such an extended Combinator
might be "JavaClass". The URI for each might point to a Java
class that takes a set of Predicates as input and implements
the semantics of the combinator to return a result of TRUE,
FALSE, NOT-APPLICABLE, or ERROR.]
Policy: an <xacml:policy> element. A Policy is a Predicate.
Base Policy: the <xacml:applicablePolicy> element that specifies
the <xacml:policy> element that a PDP will use [by default]
to evaluate all Access Requests.
[Alternative 1:
A PDP MAY have multiple Base Policies, but such Base Policies
SHOULD have non-overlapping <xacml:target> elements. This
specification does not specify the order in which multiple
Base Policies are evaluated, or the result if two or more
Base Policies have overlapping <xacml:target> elements.
Alternative 2:
Base Policies have restricted <target> elements that are
easily compared for overlap. In this alternative, the case
where base policies overlap is an ERROR. Note that the 0.8
syntax favors this alternative and allows Alternative 3.
Alternative 3:
There is only one Base Policy and it has no <target> because
applies to all Resource or it has a <target> element that
completely specifies the set of resources which this PDP is
prepared to handle.]
[A Base Policy for evaluating a particular Access Request may
be specified as part of the Access Request. If a PDP has no
default Base Policy, then the result of evaluating an Access
Request that does not specify a Base Policy to use is FALSE
(deny access).]
<applicablePolicyReference>: an XACML Predicate element that
references an <xacml:applicablePolicy>. [Redundant: A
<xacml:applicablePolicyReference> Predicate returns a value
of NOT-APPLICABLE if its <xacml:target> element does not
match the [<saml:resource>] in the Access Request.] [The
syntax for a <applicablePolicyReference> will need to be
defined further, probably by specifying the Policy Authority
for the <applicablePolicyReference> along with other
information. Need to avoid cycles.]
Aggregate Policy: the collection of policies consisting of a Base
Policy along with the closure of the tree of any
<xacml:applicablePolicyReference> elements to which the Base
Policy may refer. If a Base Policy does not refer to any
<xacml:applicablePolicyReference> elements, then the
Aggregate Policy is equivalent to the Base Policy.
Example 1: a self-contained Aggregate Policy
<?xml version="1.0" encoding="UTF-8"?>
<applicablePolicy
xmlns=...
issuer="<identity that ultimately controls policy for this PDP>"
policyName="xxxx">
<!-- target is optional -->
<policy>
<or>
<equal>
<valueRef>saml:Subject/principalIdentifier/Name</valueRef>
<value>"Anne Anderson"</value>
</equal>
<equal>
<valueRef>saml:Subject/principalIdentifier/Name</valueRef>
<value>"Sekhar Vajjhala"</value>
</equal>
</or>
</policy>
</applicablePolicy>
Example 2: an Aggregate Policy containing a
<applicablePolicyReference> Predicate
<?xml version="1.0" encoding="UTF-8"?>
<applicablePolicy
xmlns=...
issuer="<identity that ultimately controls policy for this PDP>"
policyName="xxxx">
<!-- target is optional -->
<policy>
<or>
<equal>
<valueRef>saml:Subject/principalIdentifier/Name</valueRef>
<value>"Anne Anderson"</value>
</equal>
<applicablePolicyReference>
http://www.sun.com/CorporatePolicy
</applicablePolicyReference>
</or>
</policy>
</applicablePolicy>
The Sub-Policy obtained by doing a GET on
http://www.sun.com/CorporatePolicy is:
<applicablePolicy
xmlns=...
issuer="<identity that defines Sun Corporate Policy>"
policyName="xxxx">
<target resourceClassification="*.sun.com/*"
resourceToClassificationTransform="regularExpressionURI"/>
<policy>
<equal>
<valueRef>saml:Subject/principalIdentifier/Name</valueRef>
<value>"Sekhar Vajjhala"</value>
</equal>
</policy>
</applicablePolicy>
If the <Resource> in the Access Request matches "*.sun.com/*",
then this <xacml:applicablePolicyReference> will return TRUE,
FALSE, or ERROR.
If the saml:authorizationQuery Resource does not match
"*.sun.com/*", then this sub-policy will return
NOT-APPLICABLE. In this case, the Aggregate Policy is
equivalent to the single remaining predicate. A
<xacml:policy> element evaluates to NOT-APPLICABLE it its
outermost Predicate evaluates to NOT-APPLICABLE.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC