OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [xacml] xacml context, part 1

Here is an overview of xacml context.
I was concentrating on basic ideas and examples.
Schema and more complicated examples will follow shortly.
Xacml context, part 1.

Xacml context is the specification of the generic data level interface
to the xacml processor (Michiharu).

Xacml input context is broken down into a number of components:
'subject', 'resource', 'action', and 'other'.

(There is output context as well, it will be in part 2).

Request processing and context construction is defined by the xslt
transformation included in the policy. (see Michiharu document for

For the purposes of this description it is enough to say that all
data related to the requesting subject is placed under the 'subject'
section of the context, content of the protected resource (if any) is
placed under the 'resource' section, and requested action is under
the 'action'. If request is carrying assertions about subject other
than the requesting subject they are placed under the 'other' section
of the context. All assertions about resources are placed under 'other'
section as well.

Note that environment is not included in the context.

<x:Context xmlns:x="http://www.oasis-open.org/committees/xacml";>
      <--- everything about requesting subject
      <--- content of the protected resource, (if any)
      <--- requested action(s)
      <--- everything about other identities and resources

Xacml Attribute.
One of the central abstractions of the context is xacml attribute.
Xacml attribute is a remake of saml attribute assertion and it is
qualified with the attribute issuer, attribute issue instant,
attribute holder, and attribute data.

Structural details of the xacml attribute are given in the schema.
Here I want to show how xacml attribute is constructed.

Xacml attribute issuer is an entity that issued attribute. It can be
saml attribute authority, saml authentication authority, pep, etc.

Xacml attribute issue instant is time instance when attribute was issued.
If attribute authority is pep then issue instant is the time when request
was made.

Xacml attribute holder is the entity that owns this attribute. Attribute
can be owned by the identity, or by the uri.

If attribute owner is the requesting subject, attribute is placed under
the 'subject' section of the context, otherwise it is placed under the
'other' section of the context. When attribute is placed under the
'subject' portion of the context, it's holder can be ommitted.

Although 'requestor' is inserted as the first child of the 'subject' portion
of the context, requesting subject is also made into xacml attribute.

As an example, let's look at saml authorizaion query where subject is
identified by x509 name:
   <s:NameIdentifier format="X509Name">cn=bart simpson</s:NameIdentifier>

This will be made into xacml attribute with 'Issuer' field set to the
name of the PEP, 'IssueInstant' to the time request was made. Attribute 
name is 'X509Name'. 

Note that 'Issuer' is PEP because subject in the azn query
is not authenticated, and becomes authenticated only if authentication
assertion is included in the query evidence. When authentication assertion
is remade into the xacml attribute then 'Issuer' for that attribute is 
authentication authority.

<x:Attribute AttributeName="X509Name" Issuer="pep" IssueInstant="...">
      <x:NameIdentifier format="X509Name>cn=bart simpson</x:NameIdentifier>
   <x:AttributeValue>cn=bart simpson</x:AttributeValue>

If authentication assertion is found in the query evidence, xacml attributes
for authentication method, authentication instant, and authenticated subject
name will be inserted into the context. For all these attributes 'Issuer'
is authentication authority and 'IssueInstant' is time when authentication
was done.

Another interesting case is resource uri for which access is requested.
We treat resource uri as an attribute of a requesting subject with attribute
issuer being PEP and attribute issue instant the time request was made.

(As a matter of fact, all request parameters are treated this way as well).

Here is an example of xacml attribute for the resource uri:

<x:Attribute AttributeName="ResourceURI" Issuer="PEP" IssueInstant="...">
      <x:NameIdentifier format="X509Name>cn=bart simpson</x:NameIdentifier>

Here is an example of file modification time. Note that attribute holder is 
file uri, and this attribute will be placed under the 'other' section of the

<x:Attribute xmlns:x="http://www.oasis-open.org/committees/xacml";
   AttributeName="LastModified" AttributeFamily="www.files.com/ufs"
   Issuer="www.goodguys.com" IssueInstant="2002-05-31T15:20:12">

Example of a simple context.
Subject identified by the X509Name is making a request to read password
file. Subject is authenticated with name-password. Subject is a member of 
'administrator' group.

Note that <x:Holder> is ommited from attributes in the 'subject' section.

<x:Context xmlns:x="http://www.oasis-open.org/committees/xacml";>
      <x:NameIdentifier format="X509Name">cn=bart simpson</x:NameIdentifier>
   <x:Attribute AttributeName="X509Name" Issuer="PEP" IssueInstant="...">
      <x:AttributeValue>cn=bart simpson</x:AttributeValue>
   <x:Attribute AttributeName="AuthX509Name" Issuer="AA" IssueInstant="..">
      <x:AttributeValue>cn=bart simpson</x:AttributeValue>
   <x:Attribute AttributName="AuthenticationMethod" Issuer="AA" ...>
      <x:AttributeValue xsi:type="anyURI">
   <x:Attribute AttributeName="AuthenticationInstant" Issuer="AA" ...>
      <x:AttributeValue xsi:type="xsi:dateTime>
   <x:Attribute AttributeName="ResourceURI" Issuer="PEP" IssueInstant="..">
      <x:AttributeValue xsi:type="xsi:anyURI">
   <x:Attribute AttributeName="group" Issuer="AttrAuth" IssueInstant="...">
      <x:AttributeValue xsi:type="xsi:string">administrator</x:AttributeValue>
<x:ContextResource/> -- empty
<x:ContextOther/> -- empty

Simple rule: administrator is allowed to read password file.

<x:rule effect="permit" xmlns:x="...">
         <x:Attribute AttributeName="role">
            <x:AttributeValue xsi:type="xsi:string">
         <x:Attribute AttributeName="ResourceURI">
         </x:AttributeValue xsi:type="xsi:anyURI">

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC