Subject: RE: [xacml] [Issue] How many resourceIds in request context?


I agree with Ann.  There is no need to have one and only one
resource-id.
Resource-id is no better than any other attribute.

Some random thoughts below.

That is what I see as a problem with the current XACML:  the structure of the
rule target is unnecessarily rigid, making it problematic to map it to
many environments.

Rule is an operation that maps/selects a subset of context attribute
value space into decision.   Request selects a particular point in this
space (particular values for all attributes).

The only reason to have "target" keyed on particular dimensions of this
space (particular attributes such as resource-id), is efficiency: it is
easier to pre-select rules that do not apply.  And we do not have a
particularly clean solution at that - as we allow regular expression
type operations in the target portion. The fact that we pre-select
particular four scopes is just an artifact.

I know I am late with the scoped attribute proposal for 2.0, but that is
what I think may be needed.

1) Scopes should not be associated with "resource", "subject" etc, but
rather with data sources.  There are usually multiple scopes for user data
alone, for example; no need to shove them all into the "subject" scope.
2) Rule target should do what it is designed to do - simplify rule
management, so no regular expressions in this portion of the rule.  But
we may allow multiple "Conditions", to place this operation...
3) Rule target should have any number of attributes used, from arbitrary
scopes.  All these operations should be combined with logical "AND". PDP
may analyze it to determine what attribute to use for indexing.  We may
call it an index element.  Something like (ignoring bags for a second):

<Rule>
	<Index scope="resource" attribute-name="resource-id" attribute-type="string">Patient-record</Index>
	<Index scope="LoginSubject" attribute-name="userid" attribute-type="integer">42</Index>
	<Index scope="PSsubject" attribute-name="userid" attribute-type="string">Bob</Index>
	<Condition>...</Condition>
</Rule>

There is no need to fix what may be in the target...  Nor the action,
nor the subject.  No attribute is better than another one.
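As an added illustration of the AND-combined Index pre-selection sketched above (this is not code from the poster or from any XACML implementation; the <Index> element, the Policy wrapper, the rule ids and all attribute values are constructed for the example), the following builds an inverted index over the Index entries and selects only the rules whose every entry is satisfied by the request. It also goes one step beyond the sketch by treating each request attribute as a bag of values.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy using the hypothetical <Index> element from the
# proposal above; <Policy>, the rule ids and the values are illustrative only.
POLICY_XML = """
<Policy>
  <Rule id="r1">
    <Index scope="resource" attribute-name="resource-id" attribute-type="string">Patient-record</Index>
    <Index scope="LoginSubject" attribute-name="userid" attribute-type="integer">42</Index>
  </Rule>
  <Rule id="r2">
    <Index scope="resource" attribute-name="security-label" attribute-type="string">Top Secret</Index>
  </Rule>
  <Rule id="r3">
    <Index scope="resource" attribute-name="resource-id" attribute-type="string">Patient-record</Index>
    <Index scope="PSsubject" attribute-name="userid" attribute-type="string">Alice</Index>
  </Rule>
</Policy>
"""

CASTS = {"string": str, "integer": int}  # attribute-type -> Python type


def load_rules(xml_text):
    """Return {rule_id: {((scope, attr), typed_value), ...}} from each rule's <Index> children."""
    rules = {}
    for rule in ET.fromstring(xml_text).findall("Rule"):
        keys = set()
        for idx in rule.findall("Index"):
            cast = CASTS[idx.get("attribute-type")]
            keys.add(((idx.get("scope"), idx.get("attribute-name")), cast(idx.text.strip())))
        rules[rule.get("id")] = keys
    return rules


def build_index(rules):
    """Inverted index: (scope, attr, value) -> set of rule ids that key on that value."""
    inv = {}
    for rid, keys in rules.items():
        for (scope, attr), value in keys:
            inv.setdefault((scope, attr, value), set()).add(rid)
    return inv


def preselect(rules, inv, request):
    """Rule ids whose every Index entry is present in the request (logical AND).
    request maps (scope, attr) to a bag (set) of values; a missing attribute never matches."""
    hits = {}
    for (scope, attr), values in request.items():
        for value in values:
            for rid in inv.get((scope, attr, value), ()):
                hits[rid] = hits.get(rid, 0) + 1
    return {rid for rid, n in hits.items() if n == len(rules[rid])}
```

A request that carries only a security-label and no resource-id still selects r2, which is the case Anne describes below.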



-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.COM] 
Sent: Monday, January 05, 2004 8:33 AM
To: Tim Moses
Cc: 'XACML'
Subject: Re: [xacml] [Issue] How many resourceIds in request context?

Tim,

Some people, including Hal and, I think, Seth, believe that there
absolutely must be one and only one resource-id attribute.  The
reasoning is that any Request must at least specify the
resource-id in order to know what is being accessed.

I disagree with this view.  I believe a resource could be
described via attributes other than its resource-id.  For
example, a Request could ask for access to a resource that has a
security label of "Top Secret".  The policy may not care what the
resource-id is, but is willing to grant or deny access based on
whether the Subject has a corresponding security clearance
attribute.

If we ever support partial evaluation, then cases arise in which
there may be no resource attributes in the Request at all,
because any resource attributes have already been factored out of
the policy to be evaluated.  This applies also to subject and
action attributes.

Anne Anderson

On 5 January, Tim Moses writes: [xacml] [Issue] How many resourceIds in
request context?
 > From: Tim Moses <tim.moses@entrust.com>
 > To: 'XACML' <xacml@lists.oasis-open.org>
 > Subject: [xacml] [Issue] How many resourceIds in request context?
 > Date: Mon, 05 Jan 2004 11:12:20 -0500
 > 
 > Colleagues - In section 6.3 of v1.1 we define the syntax for
 > <xacml-context:Resource> thusly:  
 > 
 > 	<xs:element name="Resource" type="xacml-context:ResourceType"/>
 > 	<xs:complexType name="ResourceType">
 > 		<xs:sequence>
 > 			<xs:element ref="xacml-context:ResourceContent"
 > minOccurs="0"/>
 > 			<xs:element ref="xacml-context:Attribute"
 > minOccurs="0" maxOccurs="unbounded"/>
 > 		</xs:sequence>
 > 	</xs:complexType>
 > 
 > Consider the 5th line (... ref="xacml-context:Attribute" ...).
 > 
 > Below, we say:
 > 
 > "The <Resource> element MUST contain one and only one <Attribute> with an
 > AttributeId of "urn:oasis:names:tc:xacml:1.0:resource:resource-id"."
 > 
 > The "minOccurs="0"" in line 5 and the "one and only one" below it appear to
 > conflict.
 > 
 > I expect we mean "no more than one".  Can I go ahead and change this?
 > All the best.  Tim.
 > 
 > -----------------------------------------------------------------
 > Tim Moses
 > 613.270.3183
 > 
 > To unsubscribe from this mailing list (and be removed from the roster
 > of the OASIS TC), go to
 > http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php.
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

