Subject: RE: Minor XACML Spec errata and resource labels


Somehow I think you are confusing attributes of a resource with
policies for accessing the resource.

If the message itself is the resource being controlled, and you
want to associate with it the policy for who can access the
message for which actions, then it might be appropriate to
associate an XACML PolicySet with each message.  The XACML PDP
would be written to reference this PolicySet when presented with
a request to access the message by some user.

If, however, you want to label messages with one or more
attributes that will be used by various policies to control
access to the message (or to this message along with others),
then it might be appropriate to associate a sequence of XACML
Attributes with each message.

If you want to do something else, then you are probably going
beyond my understanding of DAC and of resource labels.  There may
be other members of the XACML TC who want to tackle this.  If
there aren't, then you might want to develop a draft profile for
how XACML would be used in your model, and shop it around to
groups that standardize use of resource labels.

Anne

On 21 April, Jeff writes: RE: Minor XACML Spec errata and resource labels
 > I am developing a messaging system that uses XML payloads. I
 > would like message originators to be able to classify and
 > otherwise label their messages with 'permissions'
 > (discretionary access control). Consequently, I need to choose
 > some sort of label format and devising my own is a last resort
 > (even if it uses XACML fragments).
 > 
 > I appreciate that XACML targets the 'PDP layer' and is
 > intended to be useful for all manner of existing resources
 > such as permissions associated with filing systems like
 > NTFS. In such cases though, software has to be developed that
 > maps from the native access rights to XACML Request
 > Attributes. For new systems it seems natural to use some sort
 > of standard XACML format.
 > 
 > I like the notion of using XACML Request Attributes but such
 > labels are often other than classifications: they can identify
 > subjects (especially roles) and their associated access levels
 > (read, write, etc.). Consequently, although this is pretty
 > simple stuff, it would be good to have a 'standard' generic
 > label such as:
 > 
 > 	<xs:element name="ResourceLabel" type="xacml-context:ResourceLabelType"/>
 > 	<xs:complexType name="ResourceLabelType">
 > 		<xs:sequence>
 > 			<xs:element ref="xacml-context:Subject" maxOccurs="unbounded"/>
 > 			<xs:element ref="xacml-context:Resource"/>
 > 		</xs:sequence>
 > 	</xs:complexType>
 > 
 > What would be great is an XACML standard format for including
 > access rights within SOAP messages and any other form of XML
 > resource.
 > 
 > (My previous notion of using a PolicySet was, in the absence
 > of something more appropriate like a ResourceLabel, an attempt
 > to make use of a 'resource-based policy' that would hold
 > access rights.)
 > 
 > 
 > Warmest regards,
 > 
 > Jeff
 > Cogent Logic,
 > Toronto, Canada
 > 
 > 
 > -----Original Message-----
 > From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
 > Sent: Monday, April 21, 2003 3:05 PM
 > To: jeff@cogentlogic.com
 > Cc: XACML TC
 > Subject: RE: Minor XACML Spec errata and resource labels
 > 
 > 
 > XACML as a language and as semantics for use by a Policy Decision
 > Point is at a separate "layer" from the representation of various
 > attributes in various systems.  XACML expects each AttributeId to
 > correspond to some "attribute" of an object, but XACML itself
 > does not specify that correspondence, how the attribute is
 > retrieved, or from where the attribute is retrieved.
 > 
 > If you want to associate an attribute to be used by XACML with a
 > resource, and you are free to define the format of that
 > attribute, the most straightforward correspondence would be to
 > define the attribute in the form of an XACML Request Attribute
 > (xs:complexType name="AttributeType" defined in XACML Context).
 > For example, you would specify a resource label consisting of
 > the classification scheme "U.S. Navy Document Classification
 > Scheme" with value "top secret" as
 > 
 >   <Attribute AttributeId="U.S. Navy Document Classification Scheme"
 >              DataType="...#string">
 >      <AttributeValue>top secret</AttributeValue>
 >   </Attribute>
 > 
 > and a representation of this would be stored in some attribute
 > repository in association with the resource to which it applies.
 > 
 > Even when using this definition, however, the XACML PDP (or its
 > associated "Attribute Finder") must know that this is the
 > representation being used, how to locate the attributes
 > associated with a particular resource, and how to retrieve those
 > attributes.
 > 
 > I do not see how associating a PolicySet with each resource
 > solves your problem.  Such a PolicySet might specify the policy
 > for which user attributes are required to access the resource
 > (e.g. which "clearance level" attributes and values), but this
 > does not define a "resource label".  Can you give an example of
 > what you are thinking of doing?
 > 
 > Anne Anderson
 > 
 > On 21 April, Jeff writes: RE: Minor XACML Spec errata and resource labels
 >  > Yes, classification schemes/values are good. Clearly, it is
 >  > essential that, in such cases, classification schemes/values
 >  > be made part of a PolicySet (as an "Attribute" of the
 >  > Resource, as you suggest).
 >  > 
 >  > My understanding is that a PolicySet is a relatively stable
 >  > XML document that will be used by software like a PDP. My
 >  > point is that the resource ITSELF (the thing being protected
 >  > not its reference in a PolicySet) needs to carry a label.
 >  > 
 >  > Consider individual resources such as files on a hard disk:
 >  > there would typically be very many files each with their own
 >  > INDIVIDUAL classification scheme/value. Hence, for complete
 >  > interoperability between disparate XACML systems there needs
 >  > to be a standard way of describing the classification
 >  > scheme/value that applies to each individual file. Now, I know
 >  > that what's important here is the Request and that
 >  > classification schemes/values for individual files will be
 >  > carried by the Request but I'm thinking of providing a generic
 >  > implementation and I would like a way of labeling files that
 >  > follows an XACML standard.
 >  > 
 >  > I'm inclined to think that individual instances of PolicySet
 >  > objects could be used to label each 'resource thing' but I
 >  > don't think that this is the intended use for PolicySets and I
 >  > was wondering if you had a better suggestion or could sanction
 >  > such a use of PolicySets!
 >  >
 >  > -----Original Message-----
 >  > From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
 >  > Sent: Monday, April 21, 2003 11:06 AM
 >  > To: jeff@cogentlogic.com
 >  > Cc: XACML TC
 >  > Subject: Re: Minor XACML Spec errata and resource labels
 >  > ....
 >  > I assume, by "resource label", you mean a classification scheme
 >  > and a classification value, such as "U.S. Navy Classification
 >  > System XYZ" "top secret".  This could be expressed in XACML as an
 >  > "Attribute" of the Resource.  The AttributeId could be a URN
 >  > indicating the classification scheme, and the AttributeValue
 >  > could be the classification value.
 >  > 
 >  > Does this satisfy your requirements?
 >  > 
 >  > Anne Anderson
 >  > 
 >  > On 19 April, Jeff writes: Minor XACML Spec errata and resource labels
 >  >  > From: "Jeff" <jeff@cogentlogic.com>
 >  >  > To: <Anne.Anderson@sun.com>
 >  >  > Subject: Minor XACML Spec errata and resource labels
 >  >  > Date: Sat, 19 Apr 2003 17:02:54 -0400
 >  > ....
 >  >  > I don't see anything in XACML relating to resource labels
 >  >  > (in fact the word label doesn't appear at all in
 >  >  > oasis-####-xacml-1.0.pdf!). Resource labels are part of the
 >  >  > authorization support in the X.509 standard and are used in
 >  >  > several RBAC implementations. Resource labels are useful in
 >  >  > enabling resource characteristics (i) to be set on
 >  >  > resources and (ii) to form part of access control
 >  >  > decisions. I feel sure that you must be aware of this and
 >  >  > can only conclude that a PolicySet is intended to act as a
 >  >  > resource label (in addition to acting as a policy set!). Is
 >  >  > this correct?
 > 
 > -- 
 > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
 > Sun Microsystems Laboratories
 > 1 Network Drive, UBUR02-311    Tel: 781/442-0928
 > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
 > 
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
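The two pieces the thread separates, a resource label stored as an XACML 1.0 context Attribute and the Attribute Finder that the PDP needs in order to locate and merge that label into a Request before evaluating a clearance rule, worked through as an added example; this is not code from the thread, from the XACML TC or from any XACML implementation. It assumes a hypothetical label store keyed by resource-id, example URNs for the classification scheme and the subject's clearance, and an assumed ordering of classification values.

```python
import xml.etree.ElementTree as ET
CTX = "urn:oasis:names:tc:xacml:1.0:context"  # XACML 1.0 context namespace
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Hypothetical URNs for the classification scheme and the subject's clearance.
SCHEME = "urn:example:navy-document-classification-scheme"
CLEARANCE = "urn:example:subject:clearance"
LEVELS = ["unclassified", "confidential", "secret", "top secret"]  # assumed order

def q(tag):  # qualify a local name with the XACML context namespace
    return f"{{{CTX}}}{tag}"
def make_attribute(attr_id, value):
    """Build one context Attribute, the label form proposed in the thread."""
    a = ET.Element(q("Attribute"), AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(a, q("AttributeValue")).text = value
    return a

# Constructed label repository: resource-id -> serialized label Attribute.
LABEL_STORE = {"urn:example:msg:42": ET.tostring(make_attribute(SCHEME, "top secret")),
               "urn:example:msg:43": ET.tostring(make_attribute(SCHEME, "confidential"))}

def value_of(elem, attr_id):  # AttributeValue text for attr_id under elem, or None
    v = elem.find(f"{q('Attribute')}[@AttributeId='{attr_id}']/{q('AttributeValue')}")
    return None if v is None else v.text

def build_request(subject_clearance, resource_id):
    req = ET.Element(q("Request"))
    ET.SubElement(req, q("Subject")).append(make_attribute(CLEARANCE, subject_clearance))
    ET.SubElement(req, q("Resource")).append(make_attribute(RESOURCE_ID, resource_id))
    return req

def attribute_finder(req):
    """Locate the resource's stored label and merge it into the Request."""
    res = req.find(q("Resource"))
    stored = LABEL_STORE.get(value_of(res, RESOURCE_ID))
    if stored is not None:
        res.append(ET.fromstring(stored))

def decide(req):
    """Permit only when the subject's clearance dominates the resource label."""
    label = value_of(req.find(q("Resource")), SCHEME)
    clearance = value_of(req.find(q("Subject")), CLEARANCE)
    if label not in LEVELS or clearance not in LEVELS:
        return "Indeterminate"  # unlabeled resource or unknown value
    return "Permit" if LEVELS.index(clearance) >= LEVELS.index(label) else "Deny"

def authorize(subject_clearance, resource_id):
    req = build_request(subject_clearance, resource_id)
    attribute_finder(req)
    return decide(req)
```

An unlabeled resource yields Indeterminate rather than Permit, which is the failure mode to watch for when the finder cannot reach the label store.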