Subject: Re: [xacml] New Issue#61: WS-XACML: How are the contents of XACMLAuthzAssertions represented in the base XACML Policies


Hi Rich,

Thanks for the feedback.

Rich Levinson wrote on 12/15/06 14:05:
> 
>         61. WS-XACML: How are the contents of XACMLAuthzAssertions
>         represented in the base XACML Policies
> 
> (Submitted by: *Rich*)
> 
> Reading the spec, it appeared to me that an important piece of info 
> might be missing (or either I missed it or it intentionally is not 
> there, but that's the point of this issue). As an entry point to this 
> potential issue, consider statement in Section 4, p 23, para 2, that says
> 
> "For security reasons, many entities are unwilling to publish their 
> complete authorization and access control policies. Therefore, an 
> XACMLAuthzAssertion </xacml/AuthzAssertion> MAY not be a complete 
> specification of an entity's authorization and access control policy. A 
> service MAY choose to publish all or a subset of the XACMLauthorization 
> or access control policy it will apply with respect to particular policy 
> targets."
> 
> How are the subsets of the core xacml policies identified as to what 
> should and should not be made public?


It is completely site-dependent as to what is published and what isn't. 
Particular trade/service communities (on-line bookstores, etc.) might 
standardize policy vocabularies to be used in stating 
XACMLAuthzAssertions or XACMLPrivacyAssertions for their sites.

As an example, Sun certainly isn't going to publish its enterprise 
policy.  But consider some fictitious software download site maintained 
by Sun; for this site, Sun might publish the following:

<wsp:exactlyOne>
   <XACMLAuthzAssertion>
     <Requirements>
        Has signed license agreement
     </Requirements>
     <Capabilities>
        Provide trial version
     </Capabilities>
   </XACMLAuthzAssertion>
   <XACMLAuthzAssertion>
     <Requirements>
       Has signed license agreement
       Has paid for Level 3 support
     </Requirements>
     <Capabilities>
       Provide current production version
     </Capabilities>
   </XACMLAuthzAssertion>
</wsp:exactlyOne>

Would it help to include an example like this?

> Also, it would be of interest to
> see some example policies that contained entities that end up in the 
> Capabilities and Requirements sections of the Assertions. I am 
> particularly interested in how privacy requirements might be set up in 
> the original policy since these are generally not part of the 
> authorization process, per se, but possibly could be considered to be 
> modelled as XACML Obligations. Any guidance on this in reply to issue or 
> changes to doc would be much appreciated.

Consider a service policy saying the service will provide a copy of its 
current price list if the client agrees to retain it no longer than 30 
days and not to disclose it to 3rd parties.  The service also says it 
will not disclose the client's personal information to 3rd parties.

   <XACMLPrivacyAssertion>
     <Requirements>
        max-data-retention-days <= 30
        data-disclosure == "ours"
     </Requirements>
     <Capabilities>
        resource-id="current-price-list"
        //p3p10full/POLICIES/POLICY/RECIPIENT/* subset-of { "ours" }
     </Capabilities>
   </XACMLPrivacyAssertion>

A client policy might say:

   <XACMLPrivacyAssertion>
     <Requirements>
        resource-id="current-price-list"
        //p3p10full/POLICIES/POLICY/RECIPIENT/* subset-of { "ours" }
     </Requirements>
     <Capabilities>
        max-data-retention-days <= 30
        data-disclosure == "ours"
     </Capabilities>
   </XACMLPrivacyAssertion>

There is another example using XACML's XML syntax in Section 6 of WD 8.

Is this what you are looking for?  If you could describe ways in which 
the examples in Section 6 are inadequate, I could provide more examples 
or better examples.

> 
> Status: *OPEN*
> 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
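The following is an added illustration, not code from the WS-XACML draft or from either author in this thread. It encodes the two privacy assertions and the two `wsp:exactlyOne` authorization alternatives from the message above as lists of simple predicates and applies the matching rule assumed here (a simplification of the draft's semantics): every Requirement of one party must be satisfied by some Capability of the other, in both directions. The `Predicate`/`Assertion` classes, the operator set (`<=`, `==`, `subset-of`), the attribute names for the license and support conditions, and the `CLIENT_LONG_RETENTION` and `LICENSE_ONLY_CLIENT` counter-examples are all constructed for this example.

```python
"""Requirements/Capabilities matching for WS-XACML-style assertions.

Hypothetical example; the match rule and predicate encoding are assumptions,
not the normative WS-XACML semantics.
"""
from dataclasses import dataclass
from typing import Any, List, Optional


@dataclass(frozen=True)
class Predicate:
    attribute: str   # e.g. "max-data-retention-days" or an XPath into a P3P policy
    op: str          # one of "<=", "==", "subset-of" (constructed operator set)
    value: Any


@dataclass
class Assertion:
    requirements: List[Predicate]
    capabilities: List[Predicate]


def satisfies(cap: Predicate, req: Predicate) -> bool:
    """True if the single Capability `cap` meets the single Requirement `req`."""
    if cap.attribute != req.attribute:
        return False
    if req.op == "<=":
        # a promise to retain data at most N days meets a bound of M days iff N <= M
        return cap.op == "<=" and cap.value <= req.value
    if req.op == "==":
        return cap.op == "==" and cap.value == req.value
    if req.op == "subset-of":
        # the set the party will use must lie within the set the other party allows
        return cap.op == "subset-of" and set(cap.value) <= set(req.value)
    return False  # unknown operator: fail closed


def unmet(requirements: List[Predicate], capabilities: List[Predicate]) -> List[str]:
    """Attributes of the requirements that no capability satisfies."""
    return [r.attribute for r in requirements
            if not any(satisfies(c, r) for c in capabilities)]


def assertions_match(service: Assertion, client: Assertion) -> bool:
    """Both directions must hold: service needs met by client, and vice versa."""
    return (not unmet(service.requirements, client.capabilities)
            and not unmet(client.requirements, service.capabilities))


def first_matching_alternative(alternatives: List[Assertion],
                               client: Assertion) -> Optional[int]:
    """Mimic wsp:exactlyOne: index of the first alternative the client matches."""
    for i, alt in enumerate(alternatives):
        if assertions_match(alt, client):
            return i
    return None


# --- privacy example from the message (constructed predicate encoding) ---
RECIPIENT = "//p3p10full/POLICIES/POLICY/RECIPIENT/*"

SERVICE = Assertion(
    requirements=[Predicate("max-data-retention-days", "<=", 30),
                  Predicate("data-disclosure", "==", "ours")],
    capabilities=[Predicate("resource-id", "==", "current-price-list"),
                  Predicate(RECIPIENT, "subset-of", {"ours"})],
)

CLIENT = Assertion(
    requirements=[Predicate("resource-id", "==", "current-price-list"),
                  Predicate(RECIPIENT, "subset-of", {"ours"})],
    capabilities=[Predicate("max-data-retention-days", "<=", 30),
                  Predicate("data-disclosure", "==", "ours")],
)

# a client that only promises 60 days of retention: the service's bound is not met
CLIENT_LONG_RETENTION = Assertion(
    requirements=CLIENT.requirements,
    capabilities=[Predicate("max-data-retention-days", "<=", 60),
                  Predicate("data-disclosure", "==", "ours")],
)

# --- software-download example as two wsp:exactlyOne alternatives ---
LICENSE = Predicate("has-signed-license-agreement", "==", True)
SUPPORT = Predicate("has-paid-level3-support", "==", True)
AUTHZ_ALTERNATIVES = [
    Assertion(requirements=[LICENSE],
              capabilities=[Predicate("version", "==", "trial")]),
    Assertion(requirements=[LICENSE, SUPPORT],
              capabilities=[Predicate("version", "==", "production")]),
]
PRODUCTION_CLIENT = Assertion(
    requirements=[Predicate("version", "==", "production")],
    capabilities=[LICENSE, SUPPORT])
LICENSE_ONLY_CLIENT = Assertion(
    requirements=[Predicate("version", "==", "production")],
    capabilities=[LICENSE])

if __name__ == "__main__":
    print("client matches service:", assertions_match(SERVICE, CLIENT))
    print("unmet by long-retention client:",
          unmet(SERVICE.requirements, CLIENT_LONG_RETENTION.capabilities))
    print("production client picks alternative:",
          first_matching_alternative(AUTHZ_ALTERNATIVES, PRODUCTION_CLIENT))
```

`unmet` returns the attributes that block a match, which is what a client or service operator wants to see when negotiation fails; `first_matching_alternative` shows how the `wsp:exactlyOne` wrapper from the download-site example selects the first alternative whose Requirements the client can meet and whose Capabilities cover what the client asks for.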
