OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [xacml] Agenda for Policy Subcommittee concall (Wednesday Mach 6,2002) (fwd)


it bounced back,i am sending it again hoping it will go through


---------- Forwarded message ----------
Date: Wed, 6 Mar 2002 16:25:45 +0100 (CET)
From: samarati@pinky.crema.unimi.it
Cc: xacml@lists.oasis-open.org
Subject: Agenda for Policy Subcommittee concall (Wednesday Mach 6, 2002)

Agenda for Policy Subcommittee concall (Wednesday Mach 6, 2002)

First of all apologies for having postponed the concall (also my mail
to the list bounced back and i found it out only next morning). 

Below is a description of my understanding of the issues we have to
decide. The objective is to try to have a summary view of what we have
been through w.r.t. policies, metapolicies, and rules and use it as a
basis for the discussion tonight (i do not have any proposal below, i
just tried to summarize the solutions that have been proposed with
their pros and cons). It is still not complete (metapolicies are
missing) and I might have certainly forgot something, but i hope it
will be useful for us at least to establish a path to go through and
take decisions on how to proceed.

Proposed agenda for tonight.

- Format of rules
- Format of policies
- Metapolicies
- Postconditions

It would be nice if we were to take some decisions on them (rather
than putting down the questions for the F2F) so to have a concrete
proposal to discuss at the F2F. 

I should apologize to Michiharu for having put post-conditions in the
agenda in the last two concalls and not having gone through
them. Problem is that we need to have the basics resolved before going
to post-conditions. Tonight we should be able to go over them (as
probably we should be getting a solutions for the other topics or
agree to put down the different approaches for a final decision next
monday at the F2F). 

Talk to you later 




Let us start on the aspects on which everybody agrees. 
We all agree to have a target associating with a policy. A target
specifies for which subjects, actions, and resources a given policy is
intended. The reason for assuming a target is mostly `efficiency' as
policies `not relevant' for an access can be simply ignored in the
access control process.

POLICY (elementary)
The basic element for defining a policy is a rule. A rule is the
corresponding of traditional authorizations. Intuitively, a rule
translates each of the possible regulations that we may want to be
enforced (e.g., a person may read any record for which the person is
the designated patient).

The rule is a boolean expression of predicates on attributes of
subject/resource/action that identifies to which subjects, resources,
actions, the rule applies. In principle, for clarity, the boolean
expressions could be separated into three different components:
- one for conditions on the subject
- one for conditions on the resource
- one for conditions on the actions.

The separation into the three different components has the advantage
of making the rules more readable. 

It has, however, the following disadvantages:

1) there are predicates that span the domains. For instance where
   should we put a predicate requesting equality between the user
   identifier of the request (subject attribute) and the owner of the
   resource (resource attribute)? A possible solution to this problem
   could be to predefine the fact that such conditions belong to the
   resource expression.

2) While the global boolean expression allows to combine subject's
   conditions and object's conditions in either AND or OR, the
   solution of having different expressions should assume one of this
   combinations (which would be AND, as it is typically done). For
   instance in the case of the global boolean expression I can say
   that a rule applies if ``subject expression OR object
   expression''. If I condider the expression independently I would
   have to specify two rules for stating the same authorizations.

Besides the conditions on the subject, resource, and action, the rule
can also have environment conditions (e.g., time of the request) or
other conditions (in case we want to support dynamic procedures).

The rule can also have associated post-conditions (ref. Michiharu)


However expressed a rule wants to specify how an access should be

Next aspect to deal with is then whether the rule should specify only
permissions (meaning a rule specifies only what is to be allowed).
There have been several discussions on the list. At first, for
simplicity considerations it was decided to support permissions
only. Later on everybody seemed convinced that permissions only are
not enough and, in the model we should look at considering a negative
form also. Discussions have looked at two (mutually exclusive) ways of
representing rules not in positive forms

1) Permissions and denials.  
   Intuitively, rules can be of two kinds. Positive or
   negative. Positive rules (or permissions) state which accesses are
   to be granted. Negative rules (or denials) state which accesses are
   to be denied. 

   Negative rules are convenient in the specification but they
   introduce the problem of dealing with conflicts. 

   A simple policy that could be applied is the
   `denials-take-precedence' by which if there are both a permission
   and a denial for an access the access should be denied (or, more
   correctly, the policy should respond `no'). 

   The simple denials-take-precedence may not be enough. For instance,
   even in the simple model of Apache users can choose between two
   different ways of evaluating the combination of permissions and
   Therefore something more should be supported. 

   In previous discussions it seems that a good solution would be to
   possibly associated with each policy a metapolicy regulating how
   the rules in it should be evaluated. Intuitively, the statement
   `order....' of Apache would be a metapolicy, as it would be the
   `denials-take-precedence' principle.
   It is worth noting here that it is not clear whether we would be
   able to support some of the possible conflict resolution approaches
   that had been mentioned in the discussions. For instance,  one
   approach that was often mentioned is the
   `most-specific-take-precedence') which state that the rule that
   should prevail should be the one on the most specific
   resource. Intuitively, the rule of a user overrides the one of a
   group, the rule of a file overrides that of a directory. 
   The problem is that this approach works under the assumption that
   there are the defined hierarchies and that the rules are spcified
   on elements of such a hierarchy. By contrast our rules are not so
   simple and use generic boolean expressions so it is not clear
   whether the subject or the resource in a rule is more specific that
   that in another rule. 

2) Necessary vs. sufficient conditions

  An alternative approach of supporting a form of rule different from
  a permission is to distinguish between rules specify conditions that
  are sufficient (as far as the rule is concerned) for the access and
  conditions that are necessary for the access, i.e., access can be
  granted ONLY IF they are satisfied. Intuitively, the first type of
  rules (i.e., sufficient) are equivalent to the permissions
  above. The second type of rules represent an alternative way of
  expressing denials. For instance, suppose access to some files must
  be restricted to doctors. In option 1 above you would have specified
  a negative authorizations for NONdoctors. In this option you would
  specify a rule that says that access to the file can be granted ONLY
  IF the requestor is a doctor. Intuitively, ONLY IF rules combine in
  AND with themselves and with all the IF rules. 

  The advantage of this option is that is simple and expressive enough
  for many cases. It is however true that it is less expressive and
  flexible than option 1 since it predefines the way rules should be
  evaluated (intuitively, it corresponds to the support of


However the rules are expressed another issue to solve is how rules
are put together to form a policy. Here two proposals have come out
from the discussions

1) A policy is a boolean combination of rules. This means that a
   policy for instance can say things like 

  Rule1 AND (Rule2 OR Rule3)

  Here my guess is that the semantics of such specifications are not
  clear (or at least is not clear to me). I will leave to others
  (Tim??) to say something more on this.

   [note/doubt: there are cases where constraints on access need
   indeed to be combined in AND. One example is restrictions on a
   specified at different level of granularity of a hierarchy where
   you impose that to access a resource somebody should be authorized
   for the access on all its ancestors, e.g., like in Unix you need to
   have the x on all directories to access a file. But i do not think
   supporting AND of rules would be proper to handle these cases].

2) A policy is a set of rules. Intuitively, here if all the rules are
   positive is like if they were considered in OR (it is sufficient
   that one rule is satisfied for the access to be granted). If rules
   can be negative then how the set should be evaluated depends on the
   metapolicy. If rules can be in ONLYIF format they are evaluated as
   discussed above. 


In its elemantary form a policy is composed of rules. It would be
useful to have policies defined based on other
policies. Non-elementary policies are defined on the basis of other
policies. In the discussions we have always assumed non-elementary
policies to be boolean expressions of policies. In other words, assume
each policy is assigned an identifier, than a non-elementary policy
could be defined as 

P = P1 AND (P2 OR P3)

The semantics of such a policy should be that P allows an access if P1
allows it AND if either P2 or P3 allow it. 

The semantics and the result of the AND and OR operators applied to
policy should be defined with reference to the values that a policy
can return. A policy can return value:
- Allow
- Deny
- I do not care

where the Deny can be returned because of a negative rule or also
because of the absence of a positive rule in a policy applying a
closed principle (i.e. whatever is not explicitely authorized should
be denied). We may want to distinguish within a policy whether we want
to return `deny' or `i do not care' (meaning i am not allowing it do
whatever others say'). 

In previous discussions it was noted that it seemed strange to allow
boolean expressions for combining policies and not allowing it for
rules. Personally i do not think so since boolean expressions for
combining policies have a clear semantics and work on the policy
outcome (not on the rules within them). 

If we go for policy combinations we may want to put some restrictions
on the target of policies appearing together in a boolean
expressions. Probably it should be enough to ask targets to be
overlapping (requesting equality would seem too strong). Evaluating if
targets are overalling may be not easy. Also if targets are only
overlapping it could be that one policy has nothing to say on an
access, probably on this case the policy should simply respond `i do
not care', (we could also use `not applicable').

An alternative way of defining policies on other policies is to
consider a policy as a set of policies and specify how they should be
evaluated in a metapolicy. The reason for such a solution would be to
be on line with how the rules are treated within a policy (in case we
define a policy as a set of rules). However, it does not seem to have
the same flexibility and expressiveness. Also, a metapolicy would need
in this case to refer to specific policy identifiers, while a
metapolicy is intended to describe behavior w.r.t. properties/types of
policies and rules.

to do 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC