Subject: [xacml] Review of Section 8
- Change request to other sections:

+ Section B.10: Resource Attributes

The identifier indicates the scope of the request with regard to the resource. When this attribute is specified in the request, the value MUST be either 'Immediate', 'Children', or 'Descendant'.

- Change request to Section 8 Operational Model (normative)

+ Description change of Section 8.1 and new subsections

8.1 Policy Decision Point (PDP)

Given a valid XACML "Policy" or "PolicySet", a compliant XACML PDP MUST evaluate that statement in accordance with the semantics specified in Sections 4, 5, and 6 when applied to a specific input context. The PDP MUST return an output context, with one value of "Permit", "Deny", "Indeterminate", or "NotApplicable".

If a permit is returned, the PEP permits access to the requested resource. If a denial is returned, the PEP denies access to the requested resource. If a permit with one or more obligations is returned, the PEP permits access provided that every obligation is fulfilled successfully. If a denial with one or more obligations is returned, the PEP denies access but still fulfills the obligations. In each case, when fulfilling obligations fails, the PEP SHOULD raise an error. How the error is raised is out of the scope of XACML. In any case, the PDP can return additional information in the status code element in the response context. For a 'Permit' decision, it MAY specify which rules were used in decision making.

If an indeterminate is returned, it means that the PDP could not make a decision for some reason. The PDP MAY return a decision of "indeterminate" with a status code of "urn:oasis:names:tc:xacml:1.0:missing-attribute", signifying that more information is needed. In this case, the decision MAY list the names of any attributes of the subject and the resource that are needed by the PDP to refine its decision.

A PEP MAY resubmit a refined request context in response to a decision of "indeterminate" with a status code of "missing-attribute" by adding attribute values for the attribute names that are listed in the response. When the PDP returns a decision of "indeterminate" with a status code of "missing-attribute", a PDP MUST NOT list the names of any attribute of the subject or the resource of the request for which values were already supplied in the request. Note that this requirement forces the PDP to eventually return a decision of "permit", "deny", or "indeterminate" with some other reason, in response to successively-refined requests.

If not applicable is returned, it means that the PDP's policy does not cover the request, implying that the PEP should ask another PDP.

XACML does not assume how top-level XACML policies should be configured. For example, a top-level policy might be a 'Policy' element containing a target element that matches every request, or it might be a 'Policy' element containing a target element that matches only a specific subject.

8.2 Hierarchical Resource

It is often the case that a target resource is organized as a hierarchy (e.g. file system, XML document). Some applications may require access to an entire subtree of the resource. XACML allows the PEP (or Context Handler) to specify whether the access is just for a single resource or for a subtree below the specified resource. The latter is equivalent to repeating a single request for the entire subtree.

When a request context contains a resource attribute of 'urn:oasis:names:tc:xacml:1.0:resource:scope' with a value of 'Immediate', or does not contain that attribute in the context, it means that the access is just for the single resource specified by the 'ResourceId' attribute. When the 'urn:oasis:names:tc:xacml:1.0:resource:scope' attribute specifies a value of 'Children', it means that the access is for both the specified resource and its child resources. When the 'urn:oasis:names:tc:xacml:1.0:resource:scope' attribute specifies a value of 'Descendant', it means that the access is for both the specified resource and all of its descendant resources.

In the case of 'Children' and 'Descendant', the access decision may include multiple results for the multiple resources. An XACML response can contain multiple result elements. In such a case, the status element SHOULD be included only in the first result element (the remaining result elements SHOULD NOT include the status element). Note that how the PDP finds out whether the resource is hierarchically organized or not is out of the scope of XACML.

8.3 Propagation through Data Hierarchy

When the resource is hierarchically organized, it is often the case that an access control rule associated with a certain node propagates down to the descendant nodes. The XACML core rule combining algorithms do not support such propagation with regard to access control rules. Policy writers who need propagation MUST implement their own local algorithm and specify that algorithm ID in the RuleCombiningAlgId of the Policy element.

Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
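The PEP/PDP behaviour proposed above (the four decision values, obligations that gate a Permit but are still run on a Deny, the missing-attribute refinement loop with its "never re-list a supplied attribute" rule, and the Immediate/Children/Descendant scope expansion producing one result per resource with the status only in the first) can be modelled in a few dozen lines. The following is an added toy model written for this page, not code from the XACML TC, OASIS, or the poster; the policy (a required subject attribute 'role', editors permitted under /docs with an 'audit' obligation), the resource tree, the 'ok' status code and all function names are constructed assumptions, while the two URNs are the ones quoted in the post.

```python
# Toy model of the XACML 1.0 operational semantics described in the post.
# Constructed example: hypothetical policy, resource tree and function names.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

SCOPE_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:scope"           # from the post
MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:missing-attribute"  # from the post
VALID_SCOPES = ("Immediate", "Children", "Descendant")

# Constructed resource hierarchy: parent -> list of children.
HIERARCHY = {
    "/docs": ["/docs/a", "/docs/b"],
    "/docs/a": ["/docs/a/x"],
    "/docs/b": [],
    "/docs/a/x": [],
}

# Constructed policy: 'role' is required; editors are permitted under /docs,
# everyone else denied; both outcomes carry an 'audit' obligation.
REQUIRED_SUBJECT_ATTRS = ["role"]


@dataclass
class Result:
    resource_id: str
    decision: str                          # Permit | Deny | Indeterminate | NotApplicable
    status: Optional[dict] = None          # only the first Result of a response keeps it
    obligations: List[str] = field(default_factory=list)
    missing_attributes: List[str] = field(default_factory=list)


def expand_scope(resource_id: str, scope: str, hierarchy: dict) -> List[str]:
    """Resources a request covers for its scope value; 'Descendant' is equivalent
    to repeating the single request for the whole subtree (breadth-first here)."""
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope MUST be one of {VALID_SCOPES}, got {scope!r}")
    covered = [resource_id]
    if scope == "Children":
        covered += hierarchy.get(resource_id, [])
    elif scope == "Descendant":
        queue = list(hierarchy.get(resource_id, []))
        while queue:
            node = queue.pop(0)
            covered.append(node)
            queue.extend(hierarchy.get(node, []))
    return covered


def evaluate_one(subject: dict, resource_id: str) -> Result:
    """Evaluate the constructed policy against one resource."""
    if not resource_id.startswith("/docs"):
        return Result(resource_id, "NotApplicable", status={"code": "ok"})  # 'ok' is a placeholder
    # Only attributes NOT already supplied may be listed as missing (MUST NOT re-list).
    missing = [a for a in REQUIRED_SUBJECT_ATTRS if a not in subject]
    if missing:
        return Result(resource_id, "Indeterminate",
                      status={"code": MISSING_ATTRIBUTE}, missing_attributes=missing)
    decision = "Permit" if subject["role"] == "editor" else "Deny"
    return Result(resource_id, decision, status={"code": "ok"}, obligations=["audit"])


def pdp_evaluate(request: dict) -> List[Result]:
    """PDP entry point: one Result per covered resource; status only in the first."""
    resource = request["resource"]
    scope = resource.get(SCOPE_ATTR, "Immediate")   # absent attribute means 'Immediate'
    results = [evaluate_one(request["subject"], rid)
               for rid in expand_scope(resource["ResourceId"], scope, HIERARCHY)]
    for r in results[1:]:
        r.status = None
    return results


def pep_enforce(results: List[Result], fulfil: Callable[[str, str], bool]) -> Dict[str, str]:
    """PEP semantics: Permit only when every obligation succeeds; on Deny the
    obligations are still all attempted; a failed obligation raises an error."""
    outcome = {}
    for r in results:
        attempted = [fulfil(ob, r.resource_id) for ob in r.obligations]  # run every one
        if r.decision in ("Permit", "Deny") and not all(attempted):
            raise RuntimeError(f"obligation failed for {r.resource_id}")
        outcome[r.resource_id] = {"Permit": "granted", "Deny": "denied",
                                  "Indeterminate": "indeterminate",
                                  "NotApplicable": "ask another PDP"}[r.decision]
    return outcome


def pep_request_with_refinement(request: dict, attribute_source: dict,
                                max_rounds: int = 3) -> List[Result]:
    """Resubmit a refined request while the PDP reports missing-attribute, adding only
    the attributes it lists; refuse a PDP that re-lists an attribute already supplied."""
    request = {"subject": dict(request["subject"]), "resource": request["resource"]}
    results = pdp_evaluate(request)
    for _ in range(max_rounds):
        first = results[0]
        if not (first.decision == "Indeterminate" and first.status
                and first.status["code"] == MISSING_ATTRIBUTE):
            return results
        for name in first.missing_attributes:
            if name in request["subject"]:
                raise RuntimeError(f"PDP re-listed supplied attribute {name!r}")
            if name not in attribute_source:
                return results                  # cannot refine further; keep Indeterminate
            request["subject"][name] = attribute_source[name]
        results = pdp_evaluate(request)
    return results
```

The refinement loop terminates for the reason the post gives: because the PDP may only list attributes that were not supplied, each round either adds a new attribute or returns something other than missing-attribute, so the PEP cannot be kept in a loop; the `max_rounds` bound is a defensive cap for a non-conforming PDP.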