Subject: first proposal for hierarchical resources


This is a draft proposal for the xacml 1.1 work item 'Fully specified hierarchical resources'.
 
The resource model specification separates resource properties from the particular syntax used to express rules in the policy. In particular, properties such as authorization propagation up or down the resource hierarchy are explicitly defined. Note that propagation is an inherent property of the resource hierarchy and is distinct from syntactic shortcuts.
 
In this proposal the resource model is defined for the policy and does not vary from rule to rule. For the motivation behind this, consider the XML document use case. One can select the abstract tree model or the DOM model. These two models have different requirements and different syntax.
 
There are several ways to specify the resource model.
The simplest is to attach an optional ResourceModel attribute to the Policy element:
<xs:complexType name="PolicyType">
    ...
    <xs:attribute name="ResourceModel" type="xs:anyURI" use="optional"/>
</xs:complexType>
 
To make this more extensible, we can define a <ResourceModel> element and make it an optional child of the <Policy> element:
<xs:element name="ResourceModel" type="xacml:ResourceModelType"/>
<xs:complexType name="ResourceModelType">
    <xs:attribute name="ModelURI" type="xs:anyURI" use="required"/>
</xs:complexType>
 
<xs:complexType name="PolicyType">
    <xs:sequence>
        <xs:element ref="xacml:ResourceModel" minOccurs="0"/>
    </xs:sequence>
</xs:complexType>
 
When no resource model is specified, the flat resource model is assumed.
Here are possible resource model URIs:
urn:oasis:names:tc:xacml:resource-model:flat-resource
urn:oasis:names:tc:xacml:resource-model:abstract-tree
urn:oasis:names:tc:xacml:resource-model:ufs
urn:oasis:names:tc:xacml:resource-model:dom
urn:oasis:names:tc:xacml:resource-model:ldap
 
The resource model can specify permission propagation. For example, 'search' permission on a directory in a file system requires 'search' permission on all ancestor directories up to the root. The resource model can state that 'search' permission on a node propagates 'search' permission to all ancestor nodes, unless overwritten by other rules. On the other hand, 'search' permission on a node in an LDAP directory does not require 'search' permission all the way up to the root. (The root is not actually defined in this case anyway.) 'Read' permission on a node in the DOM tree may propagate 'read' permission to the descendant sub-tree, unless overwritten by other rules.
 
Propagation can be defined with the <PropogationRule> element, which is a child of the <ResourceModel> element:
<xs:element name="PropogationRule" type="xacml:PropogationRuleType"/>
<xs:complexType name="PropogationRuleType">
    <xs:attribute name="Action" type="xs:anyURI" use="required"/>
    <xs:attribute name="Direction" type="xacml:Direction" use="required"/>
</xs:complexType>
 
Then the resource model becomes:
<xs:complexType name="ResourceModelType">
    <xs:sequence>
        <xs:element ref="xacml:PropogationRule" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="ModelURI" type="xs:anyURI" use="required"/>
</xs:complexType>
 
We can call out standard resource models in the spec.
 
We can also tackle implication in this framework. For example, 'write' permission on a file implies 'read' permission on the same file.
<xs:element name="Implication" type="xacml:ImplicationType"/>
<xs:complexType name="ImplicationType">
    <xs:attribute name="Action" type="xs:anyURI" use="required"/>
    <xs:attribute name="ImpliedAction" type="xs:anyURI" use="required"/>
</xs:complexType>
 
Then the resource model becomes:
<xs:complexType name="ResourceModelType">
    <xs:sequence>
        <xs:element ref="xacml:PropogationRule" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="xacml:Implication" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="ModelURI" type="xs:anyURI" use="required"/>
</xs:complexType>
 
Simple example:
<ResourceModel ModelURI="urn:oasis:names:tc:xacml:resource-model:abstract-tree">
    <PropogationRule Action="search" Direction="up"/>
    <Implication Action="read" ImpliedAction="search"/>
</ResourceModel>
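As an added illustration (not part of this proposal or of any XACML implementation), the following Python parses the <ResourceModel> fragment above and closes a set of explicit grants under its Implication and PropogationRule elements, so one can see which nodes end up with 'search'. The slash-separated abstract-tree paths, the grants/denies sets, the handling of Direction="down", and the reading of "overwritten by other rules" as an explicit deny on a node are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <ResourceModel> example from the proposal.
MODEL_XML = """<ResourceModel ModelURI="urn:oasis:names:tc:xacml:resource-model:abstract-tree">
    <PropogationRule Action="search" Direction="up"/>
    <Implication Action="read" ImpliedAction="search"/>
</ResourceModel>"""


def parse_model(xml_text):
    """Return (ModelURI, [(Action, Direction)], [(Action, ImpliedAction)])."""
    root = ET.fromstring(xml_text)
    props = [(e.get("Action"), e.get("Direction")) for e in root.findall("PropogationRule")]
    impls = [(e.get("Action"), e.get("ImpliedAction")) for e in root.findall("Implication")]
    return root.get("ModelURI"), props, impls


def ancestors(path):
    """'/a/b/c' -> ['/a/b', '/a', '/'] (assumed slash-separated tree nodes)."""
    out = []
    while path != "/":
        path = path.rsplit("/", 1)[0] or "/"
        out.append(path)
    return out


def effective_permissions(model, resources, grants, denies=frozenset()):
    """Close explicit grants under implications and propagation rules.

    grants/denies are sets of (resource, action). An explicit deny on a node
    blocks propagated or implied permissions on that node (our reading of
    "unless overwritten by other rules"); it does not stop the chain beyond it.
    """
    _, props, impls = model
    perms = {g for g in grants if g not in denies}
    while True:  # iterate to a fixpoint
        new = set()
        for res, act in perms:
            new.update((res, implied) for a, implied in impls if a == act)
            for a, direction in props:
                if a != act:
                    continue
                if direction == "up":
                    new.update((anc, act) for anc in ancestors(res))
                elif direction == "down":  # assumed DOM-style subtree propagation
                    prefix = res.rstrip("/") + "/"
                    new.update((r, act) for r in resources if r.startswith(prefix))
        new -= denies
        if new <= perms:
            return perms
        perms |= new
```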
 
Simon