Subject: [xacml] FW: Proposal (no longer a mystery!) for the path forward...
----------
From: Carlisle Adams
Sent: Monday, February 11, 2002 2:39 PM
To: 'Anne Anderson'
Subject: RE: Proposal (no longer a mystery!) for the path forward...
Hi Anne,
Thanks for raising these points. Some quick responses before it's time for our teleconference...
With respect to your point 1: I agree. On the other hand, Simon and Pierangela at least (and perhaps others as well) certainly seem to have the idea in mind that some sort of administration point pumps out isolated rules. All I wanted to do was understand this and embrace it in an overall model, recognizing explicitly that there are rules, policies (perhaps layered) and meta-policies.
With respect to 2: I was going to address this but didn't. Database entries need to be indexed and cross-referenced in some way that will allow efficient retrieval. I'm not a database expert and so I'm hoping that someone who is will help us all to understand this better. My guess at the moment, though, is that anything that is only about subject attributes will be put in a "subject" element, anything that is only about an action will be put in an "action" element, and everything that has to do with the resource, including all the mixtures (e.g., comparison of resource and action attributes), will be put in a "resource" element.
With respect to 3: This is what you and I discussed before and, until convinced otherwise, I still seem to be in favour of my original opinion. Yes, the Office of Age Discrimination (OAD) writes such a policy and does not know if additional policies should also apply to employees over 55 and does not know what policies apply to employees under 55. No disagreement there. But all this means is that the OAD does not write a higher-level policy that combines its over-55 policy with other policies, and it does not write the meta-policy for the PDP. This is entirely reasonable; you wouldn't expect it to write either of those policies. If a higher-level policy will be written, then whoever writes that will certainly need to know about the OAD policy as well as all others that are relevant and will combine them appropriately. The same is true for the meta-policy writer: that PAP may not know the details of the OAD policy (in fact, it is unlikely to), but it will know that OAD-issued policies do not override all other policies (otherwise only those forms meeting the OAD policy will ever get approved) and so it will put stuff issued by OAD into an OR with policies issued by other authorities.
Carlisle.
----------
From: Anne Anderson [SMTP:Anne.Anderson@Sun.com]
Sent: Monday, February 11, 2002 1:52 PM
To: Carlisle Adams
Cc: XACML TC
Subject: Re: Proposal (no longer a mystery!) for the path forward...
Several points:
1. It is important to realize that the unit of policy administration is the "policy", and not the "rule". We need to focus on what will make a "policy" easy to create, reference, index, etc.
2. Discussion item 4): Why is a rule "clearly about a resource, an action, or a subject"? How about where a rule is about a resource and a subject, or about a resource and an attribute of a subject?
   Examples:
   - "grant if subject security clearance level is greater than or equal to resource security classification level"
   - "grant if resource is employee-status-change-from, action is "approve", resource signer role is "VP", and employee age is greater than 55"
3. Discussion item 1): "It is not possible that a policy appears to be applicable based on its applicability element, but turns out not to be applicable once evaluation of the contained rules takes place."
   This is true only if the predicate in the applicability element is sufficiently expressive that it can return FALSE for ANY authorizationDecisionQuery to which the policy does not apply. The simple predicates we have been discussing for the applicability element are not sufficiently expressive: they MUST return TRUE for ANY authorizationDecisionQuery to which the policy applies, but MAY return TRUE for an authorizationDecisionQuery to which the policy does not apply.
   Example:
   - The Office of Age Discrimination in the Human Resource Department of Corporation S makes policies that will help prevent age discrimination lawsuits. Such lawsuits arise only with respect to employees who are over 55 years of age. To ensure that such an employee is not terminated without full review at a high level of management, the Office of Age Discrimination issues the following policy:
     "grant if resource is employee-status-change-from, action is "approve", resource signer role is "VP", and employee age is greater than 55"
     This policy applies ONLY to employees whose age is greater than 55. The Office of Age Discrimination does not know if additional policies should also apply to employees over 55 (such as regular employee policies), and it does not know what policies should apply to employees who are not over 55.
     But the current "applicability rule" cannot express the fact that the policy only applies to employees who are over 55.
Anne
--
Anne H. Anderson
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311
Burlington, MA 01803-0902 USA
Email: Anne.Anderson@Sun.COM
Tel: 781/442-0928
Fax: 781/442-1692
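Added example (Python; not code from the thread, and not the XACML schema) modelling the distinction both messages turn on. Each policy carries a simple per-category "applicability" element (exact attribute matches under subject, action and resource) that serves as the retrieval index Carlisle's point 2 describes, and rules that carry the full condition. It demonstrates Anne's point 3: with the simple predicate, the Office of Age Discrimination policy is retrieved for an under-55 employee's form and only rule evaluation discovers that it does not apply, whereas a more expressive target filters that query out up front. The attribute names, the placement of employee age and signer role as attributes of the resource (the form), and a NotApplicable result when no rule of a retrieved policy matches are assumptions of this example, not decisions the thread reached.

```python
"""Toy policy store: indexable applicability element vs. full rule evaluation.

Constructed example. A policy's simple applicability predicate is cheap and
indexable but only *necessary*: it must accept every query the policy
applies to, and may also accept queries it does not apply to. The rules
hold the complete decision logic.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, object]          # one attribute category, e.g. {"age": 60}


@dataclass
class Request:                     # one authorizationDecisionQuery
    subject: Attrs
    action: Attrs
    resource: Attrs


@dataclass
class Rule:
    effect: str                    # "Permit" or "Deny"
    condition: Callable[[Request], bool]


@dataclass
class Policy:
    policy_id: str
    # Simple applicability: exact attribute matches grouped by category.
    # Cheap to index, but necessary rather than sufficient.
    applicability: Dict[str, Attrs]
    rules: List[Rule]
    # Optional richer target predicate (e.g. a comparison). When present it
    # can reject queries that the simple matches would let through.
    expressive_target: Optional[Callable[[Request], bool]] = None


def is_applicable(policy: Policy, req: Request) -> bool:
    """Applicability element only: the retrieval/index test, no rules run."""
    for category, wanted in policy.applicability.items():
        have = getattr(req, category)
        if any(have.get(name) != value for name, value in wanted.items()):
            return False
    return policy.expressive_target is None or policy.expressive_target(req)


def evaluate(policy: Policy, req: Request) -> str:
    """First matching rule decides; a retrieved policy whose rules all fail
    is reported NotApplicable (assumption of this model)."""
    if not is_applicable(policy, req):
        return "NotApplicable"
    for rule in policy.rules:
        if rule.condition(req):
            return rule.effect
    return "NotApplicable"


def find_candidates(store: List[Policy], req: Request) -> List[Policy]:
    """What a PDP would pull from the store using only applicability elements."""
    return [p for p in store if is_applicable(p, req)]


# Constructed policies following the two examples in the thread.
def _oad_condition(r: Request) -> bool:
    # Employee age and signer role are attributes of the form (assumption).
    return r.resource.get("signer-role") == "VP" and r.resource.get("employee-age", 0) > 55


OAD_POLICY = Policy(
    "oad-over-55-review",
    {"resource": {"type": "employee-status-change-from"}, "action": {"id": "approve"}},
    [Rule("Permit", _oad_condition)],
)
# Same policy, but with a target expressive enough to state "age > 55".
OAD_POLICY_EXPRESSIVE = Policy(
    "oad-over-55-review-expressive",
    OAD_POLICY.applicability, OAD_POLICY.rules,
    expressive_target=lambda r: r.resource.get("employee-age", 0) > 55,
)
CLEARANCE_POLICY = Policy(
    "clearance-dominates-classification",
    {"resource": {"type": "document"}, "action": {"id": "read"}},
    [Rule("Permit", lambda r: r.subject["clearance"] >= r.resource["classification"])],
)
STORE = [OAD_POLICY, CLEARANCE_POLICY]


def form_request(age: int, signer: str = "VP", action: str = "approve") -> Request:
    """Constructed query: someone asks to approve an employee-status form."""
    return Request(subject={"id": "hr-clerk"}, action={"id": action},
                   resource={"type": "employee-status-change-from",
                             "signer-role": signer, "employee-age": age})


if __name__ == "__main__":
    under_55 = form_request(40)
    print([p.policy_id for p in find_candidates(STORE, under_55)])  # OAD retrieved
    print(evaluate(OAD_POLICY, under_55))                  # NotApplicable after rules run
    print(is_applicable(OAD_POLICY_EXPRESSIVE, under_55))  # False: filtered up front
    print(evaluate(OAD_POLICY, form_request(60)))          # Permit
```

The gap Anne describes is the difference between `is_applicable(OAD_POLICY, form_request(40))`, which is true, and `evaluate(...)` on the same query, which is NotApplicable; `OAD_POLICY_EXPRESSIVE` closes it at the cost of a target that is no longer a plain attribute match and so harder to index.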