[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Notes from Focus Group 14 August 2003
Present:
  Frank Siebenlist
  Anne Anderson
  Hal Lockhart
  Steve Crocker

There was no prior agenda, so topics discussed were at the initiative of the attendees.

1. SAML Authz Req/Resp sidebar at SAML F2F

Frank Siebenlist expressed a preference for holding the proposed working session between OGSA and XACML TC people on Tuesday or Wednesday, rather than on Monday. Anne has sent this preference to the SSTC chairs.

Frank mentioned that Rebekah Lepro (bekah@nas.nasa.gov, working on Grid projects at NASA Ames) has a lot of experience with the difficulty of mapping Attributes between the SAML Attribute format and the XACML Request format. He hopes this can also be addressed in SAML 2.0.

2. New web services policy language use case

Frank described a use case that occurs in the Grid environment that is not currently included in the "Web-services policy language use-Cases and requirements" document:

Schedulers/Brokers match scientists needing computational resources (CPU cycles, disk space, bandwidth) with sites offering such resources. Each site has its own policies regarding which scientists are authorized to use computational resources at that site, and what limits exist on the use of such resources. This means each site must have a way of publishing its access requirements for use by the Schedulers/Brokers.

It looks like the XACML Profile for Web-services could handle this. It might be easiest if the Profile allowed a published policy or rule to include attributes of the applicable subjects in the Target.

Frank said WS-Policy can't handle such a requirement. It is clearly in the access control domain, so it is XACML's business to address it.

3. XACML Policy in SAML Response/Request Conditions

Hal asked for the use cases behind XACML 2.0 Work Items #16 and 17. Anne said these came from Grid requirements, but also come up in support of authorization decision optimization.

Use case for XACML Policy in Conditions of AuthzDecision: An XACML Policy might be included in the response to a SAML AuthorizationDecisionQuery in cases where a PDP associated with the Initiator of a Request was unable to completely evaluate the policy due to lack of information, but where another PDP associated with the Resource has the missing information (but perhaps not other information that was available to the first PDP). The first PDP can then return an AuthorizationDecision of the form "Permit IF Condition", where the Condition contains a partially evaluated policy stripped down to just the predicates involving the missing information.

Use case #1 for XACML Policy in Conditions of AuthzDecisionQuery: Used by a resource that has received a Request for services along with an AuthorizationDecision of the above form. It passes the Condition containing the remaining policy to its own PDP for evaluation.

Use case #2 for XACML Policy in Conditions of AuthzDecisionQuery: A resource may have its own policy. It receives requests directly from subjects. It passes its policy to the PDP as part of the Conditions element of the SAML AuthzDecisionQuery.

4. XACML TC FAQ

Hal mentioned that he has a message for the DSS TC that is sent in response to requests for membership. This message explains that the requester should change their member status from Prospective Member to Observer if they do not intend to participate regularly in meetings.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
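The two-stage evaluation sketched in item 3 (a PDP near the Initiator partially evaluates a policy and hands back "Permit IF Condition", a PDP near the Resource finishes it) is easy to get wrong at the edges: a false predicate must still yield Deny even when other attributes are missing, predicates already proven true must be dropped from the residual, and a residual that the second PDP still cannot resolve must not turn into a Permit. The Python below is an added example, not code from the meeting notes, the XACML TC or any OASIS project; the policy format, attribute ids and values are constructed for illustration and are not XACML syntax.

```python
"""Two-stage policy evaluation with a residual condition.

Added example for the "Permit IF Condition" use case. Models a policy as a
conjunction of (attribute id, operator, value) predicates; the first PDP
evaluates what it can and returns the unevaluated remainder as a residual,
the second PDP evaluates only that residual. Attribute ids and values are
constructed for the example and are not real XACML identifiers.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed site policy: every predicate must hold for Permit (AND semantics).
# The two "resource:" attributes are assumed to be known only to the site PDP.
SITE_POLICY = [
    ("subject:project", "in", {"climate-sim", "protein-fold"}),
    ("subject:cert-authority", "==", "Example Grid CA"),
    ("resource:free-cpu-hours", ">=", 500),
    ("resource:maintenance-window", "==", False),
]

OPS = {
    "==": lambda actual, expected: actual == expected,
    ">=": lambda actual, expected: actual >= expected,
    "<=": lambda actual, expected: actual <= expected,
    "in": lambda actual, expected: actual in expected,
}


@dataclass
class Decision:
    effect: str                                   # "Permit", "Deny" or "Indeterminate"
    residual: list = field(default_factory=list)  # predicates still to be checked

    @property
    def conditional(self) -> bool:
        """True for the 'Permit IF Condition' shape: Permit with work left."""
        return self.effect == "Permit" and bool(self.residual)


def evaluate(policy: list, attrs: dict) -> Decision:
    """Evaluate as far as the available attributes allow.

    A false predicate is final under AND semantics, so Deny wins even when
    other predicates could not be evaluated. Predicates whose attribute is
    absent are kept as the residual; predicates proven true are dropped,
    giving the policy 'stripped down to just the missing predicates'.
    """
    residual = []
    for attr_id, op, expected in policy:
        if attr_id not in attrs:
            residual.append((attr_id, op, expected))
            continue
        if not OPS[op](attrs[attr_id], expected):
            return Decision("Deny")
    return Decision("Permit", residual)


def finish(decision: Decision, attrs: dict) -> Decision:
    """Second PDP: evaluate only the residual condition with its own attributes."""
    if not decision.conditional:
        return decision  # already final (unconditional Permit or Deny)
    result = evaluate(decision.residual, attrs)
    if result.conditional:
        # Neither PDP had every attribute; never let that collapse into Permit.
        return Decision("Indeterminate", result.residual)
    return result


def two_stage(initiator_attrs: dict, resource_attrs: dict) -> tuple:
    """Run the Initiator-side PDP, then the Resource-side PDP on its residual."""
    first = evaluate(SITE_POLICY, initiator_attrs)
    return first, finish(first, resource_attrs)


# Constructed attribute sets for the two PDPs.
INITIATOR_ATTRS = {"subject:project": "climate-sim",
                   "subject:cert-authority": "Example Grid CA"}
RESOURCE_ATTRS = {"resource:free-cpu-hours": 1200,
                  "resource:maintenance-window": False}

if __name__ == "__main__":
    first, final = two_stage(INITIATOR_ATTRS, RESOURCE_ATTRS)
    print("first PDP :", first)   # Permit with the two resource predicates left
    print("second PDP:", final)   # Permit, nothing left
```

Note that the residual only means anything if the Resource can trust that it really came from the first PDP and belongs to this request: in the SAML setting of item 3 that is the job of the signed assertion carrying the Condition, and a Resource that accepts an unsigned "Permit IF" is accepting whatever predicates the requester chose to hand it.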