OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [xacml] resource-id Attribute proposal


Below you say that the "minOccurs" for a resource should be zero,
yet you describe that "typically" it is is the "resource-id" attribute.

I suspect it's a typographic error. However, if it is to set the minOccurs
to 1 and you only say "typically carries the resource-id" we haven't
bought much in the way of guaranteeing that there is some known minimal
information there to work with.


 On Fri, 30 Aug 2002, Anne Anderson wrote:

> Summary of the issue:
>   During the TC conference call on 29 August 2002, we discussed
>   whether a Request <Resource> MUST contain an Attribute with
>   AttributeId="...:resource-id".
>   Polar argued that the resource might be identified by a more
>   general attribute, such as classification level: the <Subject>
>   is requesting access to all documents with the given
>   classification level.
>   Hal argued that this semantic implies that the PEP is doing its
>   own finer-grained access control, which is not part of the
>   XACML model, and that the specific resource to which access is
>   being requested MUST be specified by its id.  Hal also argued
>   that there was a security problem if resource-id is not listed,
>   since the policy might grant access to resources it did not
>   intend.
> Proposal:
>   I propose that we make minOccurs on <Resource> <Attribute>
>   equal to 0, and use the following wording in describing
>   <Resource> <Attribute>:
>   "At least one Attribute must be present for the <Resource> if
>   <ResourceContent> is not present.  Typically, an Attribute with
>   AttributeId equal to
>   "urn:oasis:names:tc:xacml:1.0:resource:resource-id" will be
>   present to identify the resource to which access is being
>   requested."
> Comments:
>   I do not think Hal's security issue holds up: if a policy wants
>   to grant access only according to resource-id, then its target
>   or conditions will always reference the resource-id attribute.
>   In that case, if the attribute is not present, the policy will
>   not apply or will be indeterminate.
>   My proposal allows for several models of access control.  It is
>   up to a policy writer to determine which models the policies
>   conform to.  It is up to a PEP to know which attributes must be
>   supplied for a given policy: one way to communicate this is
>   through a "missing-attributes" status code in the <Response> to
>   an initial <Request> that may contain minimal attributes.
>   XACML does not need to specify the model for access control or
>   the model for how required attributes are determined.
> Anne Anderson
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC