[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml] [Issue] How many resourceIds in request context?
I agree with Ann. There is no need to have one and only one resource-id. Resource-id is no better then any other attribute. Some random thoughts below. That what I see as a problem with the current XACML: structure of the rule target is unnecessary rigid, making it problematic to map it to many environments. Rule is an operation that maps/selects a subset of context attribute value space into decision. Request selects a particular point in this space (particular values for all attributes). The only reason to have "target" keyed on particular dimensions of this space (particular attributes such as resource-id), is efficiency: it is easier to pre-select rules that do not apply. And we do not have a particularly clean solution at that - as we allow regular expression type operations in the target portion. The fact that we pre-select particular four scopes is just an artifact. I know I am late with the scoped attribute proposal for 2.0, but that what I think may be needed. 1) Scopes should not be associated with "resource", "subject" etc, but rather with data sources. There usually multiple scopes for user data alone, for example, no need to shove them all into the "subject" scope 2) Rule target should do what it is designed to do - simplify rule management, so no regular expressions in this portion of the rule. But we may allow multiple "Conditions", to place this operation... 3) Rule target should have any number of attributes used, from arbitrary scopes. All these operation should be combined with logical "AND". PDP may analyze it to determine what attribute to use for indexing. We may call it an index element. Something as (ignoring bags for a second): <Rule> <Index scope="resource" attribute-name="resource-id" attribute-type="string">Patient-record</Index> <Index scope="LoginSubject" attribute-name="userid" type="integer">42</Index> <Index scope="PSsubject" attribute-name="userid type="string">Bob</Index> <Condition>...</Condition> </Rule> There is no need to fix what may be in the target... Nor the action, nor the subject. No attribute is better then another one. -----Original Message----- From: Anne Anderson [mailto:Anne.Anderson@Sun.COM] Sent: Monday, January 05, 2004 8:33 AM To: Tim Moses Cc: 'XACML' Subject: Re: [xacml] [Issue] How many resourceIds in request context? Tim, Some people, including Hal and, I think, Seth, believe that there absolutely must be one and only one resource-id attribute. The reasoning is that any Request must at least specify the resource-id in order to know what is being accessed. I disagree with this view. I believe a resource could be described via attributes other than its resource-id. For example, a Request could ask for access to a resource that has a security label of "Top Secret". The policy may not care what the resource-id is, but is willing to grant or deny access based on whether the Subject has a corresponding security clearance attribute. If we ever support partial evaluation, then cases arise in which there may be no resource attributes in the Request at all, because any resource attributes have already been factored out of the policy to be evaluated. This applies also to subject and action attributes. Anne Anderson On 5 January, Tim Moses writes: [xacml] [Issue] How many resourceIds in request context? > From: Tim Moses <tim.moses@entrust.com> > To: 'XACML' <xacml@lists.oasis-open.org> > Subject: [xacml] [Issue] How many resourceIds in request context? > Date: Mon, 05 Jan 2004 11:12:20 -0500 > > Colleagues - In section 6.3 of v1.1 we define the syntax for > <xacml-context:Resource> thusly: > > <xs:element name="Resource" type="xacml-context:ResourceType"/> > <xs:complexType name="ResourceType"> > <xs:sequence> > <xs:element ref="xacml-context:ResourceContent" > minOccurs="0"/> > <xs:element ref="xacml-context:Attribute" > minOccurs="0" maxOccurs="unbounded"/> > </xs:sequence> > </xs:complexType> > > Consider the 5th line (... ref="xacml-context:Attribute" ...). > > Below, we say: > > "The <Resource> element MUST contain one and only one <Attribute> with an > AttributeId of "urn:oasis:names:tc:xacml:1.0:resource:resource-id"." > > The "minOccurs="0"" in line 5 and the "one and only one" below it appear to > conflict. > > I expect we mean "no more than one". Can I go ahead and change this? All > the best. Tim. > > ----------------------------------------------------------------- > Tim Moses > 613.270.3183 > > To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgro up.php. > -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692 To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgro up.php.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]