Re: [xacml] On delegation constraints

[Frank Siebenlist <franks@mcs.anl.gov>]

Hi Erik,

Just to clarify, currently, the xacml-3 doc proposes that we can express:

"The policy-issuer states that only certain administraters are allowed 
to manage the access control policy for certain subjects to invoke 
certain actions on certain resources."

In this way the issuer can restrict the "administrators" to be a member 
of a certain group and such.

Adding one more level of administrators would yield something like:

"The policy-issuer states that only certain administraters are allowed 
delegate the administrative rights to certain other administrators to 
manage the access control policy for certain subject to invoke certain 
actions on certain resources."

Is this the extra level you're asking for?

Regards, Frank.



Erik Rissanen wrote:

> Hello everybody,
>
> In the current delegation draft (draft 1) there is a formulation in
> section 3 (on line 93) that defining a constraint for the subject of a
> delegated delegation right "seems too complex to be workable". I don't
> think this is the case and my experimental implementation has this
> feature. During the focus group meeting last week I raised a question
> about this and during the brief discussion there was a question about
> what the use cases for such a feature would be.
>
> I can see use cases in the application I am involved in. There is a
> desire to limit administrative rights to only certain people. In our
> case it could be to limit the administrative rights to people within a
> headquarters or to only people who have certain training.
>
> I can also imagine (though I don't have real knowledge on this
> personally) situations in a commercial setting where there is a legal
> liability to perform administration in a particular way. For instance at
> a hospital, it could be the case that only certain certified people
> should be able to administer rights in order to reduce the risk of
> errors. Under such ligal liability to follow certain procedures, it
> would be useful to be able to specify the policy in the administrative
> rights in XACML, and not to rely on human communication only.
>
> It is of course the case, as Frank pointed out in the discussion about
> restricting delegation depth, that prevention of delegation cannot be
> enforced in the strict sense. If I have a right to do X, a computer will
> not be able to enforce a ban to grant X to someone else, since I can
> simply do it myself on behalf of the other person. (The SPKI
> specification, among others, discuss this.) However, I still believe
> that specifying such a policy has value, in the sense that it
> communicates to people what the policy is and keeps the rights cleaner
> by preventing the explicit creation of undesirable rights.
>
> For those who have studied my implementation in detail, I can say that
> the model in it is more general than I have use cases for. The
> implemented model permits the specification of constraints of arbitrary
> depth, which likely is not very useful in practice. In our application
> we use constraints of depth one only, which cover the use cases above.
>
> I would suggest that the model for administrative rights for the
> upcoming XACML would include at least one level of constraint on the
> possible subjects of delegation rights. In case of long chains, all the
> issuers in the whole chain would have to meet the constraints. In my
> implementation this is equivalent to a constraint of length one with the
> "MaySkipOrRepeat" attribute set to true.
>
> Best regards, Erik
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. You may a link to this group and all your TCs in 
> OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>

-- 
Frank Siebenlist franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory