[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Action implication and propagation in XACML
ACTION IMPLICATION AND PROPAGATION IN XACML
EXECUTIVE SUMMARY
=================
I do not believe any of the proposed solutions solves the problem
of action propagation. Expressing simple action implication can
be done with action-match types of functions.
PROBLEM 1: ACTION IMPLICATION
=============================
How to model policies where permission to perform one action
includes ability to perform another action.
EXAMPLE: in some hypothetical system, a Policy granting
permission to perform action X should match actions "X" and "Y".
Or maybe, a Policy granting permission to perform action "X,Y"
should match actions "X", "Y", "X,Y", "Y,X".
ONE SOLUTION: define a function "xy-action-match". This function
implements the action matching needed. This does not really seem
to be a big problem, and there are ways to handle it.
PROBLEM 2: ACTION PROPAGATION
=============================
How to model policies where permission to perform an action on
one resource depends on permissions granted to perform actions on
other resources. The problem can be constrained when associated
with hierarchical resources to say one resource depends on
permissions granted to perform actions on other resources having
a specified hierarchical relationship with the first resource.
EXAMPLE: in Unix File System file permissions, in order to "read"
a file, you must have "execute" permission (search) on all
directories from the file up to the root even if you specifically
have "read" permission on the file itself.
Sample Request: "Anne" wants to "read" file "/x/y/z"
<Request>
<Subject>
<Attribute AttributeId="subject-id" DataType="string">
<AttributeValue DataType="string">Anne</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="resource-id" DataType="string">
<AttributeValue DataType="string">/x/y/z</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="action-id" DataType="string">
<AttributeValue DataType="string">read</AttributeValue>
</Attribute>
</Action>
</Request>
How do we phrase a policy that would allow Anne to read that
file, and also captures that she must have "execute" permissions
on "/", "/x", and "/x/y"?
SOLUTION ATTEMPT#1: If we phrase the policy to say Anne must have
these permissions, then the policy looks like
<Rule Effect="Permit">
<Condition FunctionId="and">
<!-- execute permission on / -->
<Apply FunctionId="and">
<Apply FunctionId="string-equal">
<SubjectAttributeDescriptor AttributeId="subject-id" DataType="string"/>
<AttributeValue DataType="string">Anne</AttributeValue>
</Apply>
<Apply FunctionId="string-equal">
<ResourceAttributeDescriptor AttributeId="resource-id" DataType="string"/>
<AttributeValue DataType="string">/</AttributeValue>
</Apply>
<Apply FunctionId="string-equal">
<ActionAttributeDescriptor AttributeId="action-id" DataType="string"/>
<AttributeValue DataType="string">execute</AttributeValue>
</Apply>
</Apply>
<!-- execute permission on /x -->
<Apply FunctionId="and">
<Apply FunctionId="string-equal">
<SubjectAttributeDescriptor AttributeId="subject-id" DataType="string"/>
<AttributeValue DataType="string">Anne</AttributeValue>
</Apply>
<Apply FunctionId="string-equal">
<ResourceAttributeDescriptor AttributeId="resource-id" DataType="string"/>
<AttributeValue DataType="string">/x</AttributeValue>
</Apply>
<Apply FunctionId="string-equal">
<ActionAttributeDescriptor AttributeId="action-id" DataType="string"/>
<AttributeValue DataType="string">execute</AttributeValue>
</Apply>
</Apply>
<!-- execute permission on /x/y -->
<Apply FunctionId="and">
<Apply FunctionId="string-equal">
<SubjectAttributeDescriptor AttributeId="subject-id" DataType="string"/>
<AttributeValue DataType="string">Anne</AttributeValue>
</Apply>
<Apply FunctionId="string-equal">
<ResourceAttributeDescriptor AttributeId="resource-id" DataType="string"/>
<AttributeValue DataType="string">/x/y</AttributeValue>
</Apply>
<Apply FunctionId="string-equal">
<ActionAttributeDescriptor AttributeId="action-id" DataType="string"/>
<AttributeValue DataType="string">execute</AttributeValue>
</Apply>
</Apply>
<!-- read permission on /x/y/z -->
<Apply FunctionId="and">
<Apply FunctionId="string-equal">
<SubjectAttributeDescriptor AttributeId="subject-id" DataType="string"/>
<AttributeValue DataType="string">Anne</AttributeValue>
</Apply>
<Apply FunctionId="string-equal">
<ResourceAttributeDescriptor AttributeId="resource-id" DataType="string"/>
<AttributeValue DataType="string">/x/y/z</AttributeValue>
</Apply>
<Apply FunctionId="string-equal">
<ActionAttributeDescriptor AttributeId="action-id" DataType="string"/>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
But now the Request will have to have four resource-id Attributes
(for /, /x, /x/y, and /x/y/z) and two action-id Attributes
("execute" and "read"), and there is nothing in XACML that
relates the action "read" solely to the resource-id "/x/y/z" and
the action "execute" solely to "/", "/x", and "/x/y".
SOLUTION ATTEMPT#2: We could try to create a new "AttributeId"
that contains an XACML Policy saying Anne has "execute"
permission on each of "/", "/x", and "/x/y". The Request could
include an instance of this Attribute as an Attribute of the
Subject.
But there is nothing in XACML to allow us to match such input
Policies in a Request Attribute against required values in the
Policy being evaluated. We could define a new Function that can
compare such input Attribute values (containing Policy fragments)
against required values. But if Anne wants to list (execute) a
"/x", a new Rule will have to be written, even though her input
Policy Attribute says she already has permission to do that.
SOLUTION ATTEMPT#3: Simon's "first proposal for hierarchical
resources" allows the Policy to contain an element describing the
UFS Resource Model, and indicating that "read" implies "execute"
and that "execute" propagates up. Now the Policy can say "Anne"
has "read" access to "/x/y/z", and the PDP (if it understands the
UFS Resource Model element) will also know that Anne is allowed
to "execute" "/x" and "/x/y" without having to write separate
expressions for each.
But if the Request is for "Anne" to "execute" "/", then is the
PDP supposed to look for all expressions that match any resource
starting with "/" and action "read" or "search"? XACML does not
have syntax for expressing these kinds of connections between
resource and action attributes.
Simon supplied examples of specifying Resource Model elements,
but did not give examples of workable and useful policies that
made use of the information in those elements. I don't see how
the proposal would help in creating such policies.
SOLUTION ATTEMPT#4: Anne tried to create a function like the
solution described for Problem 1 above. This function would know
that "read" should match "read" and "execute" on any resource
above a stated resource. Again, XACML does not have syntax for
connecting a particular action with a particular resource in a
way that the PDP can tell they are to be treated as a unit.
CONCLUSION: I do not know of a solution to this problem.
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]