Subject: Re: [xacml] New Issue #61: WS-XACML: How are the contents of XACMLAuthzAssertions represented in the base XACML Policies
Hi Rich,

Thanks for the feedback.

Rich Levinson wrote on 12/15/06 14:05:
>
> 61. WS-XACML: How are the contents of XACMLAuthzAssertions
> represented in the base XACML Policies
>
> (Submitted by: *Rich*)
>
> Reading the spec, it appeared to me that an important piece of info
> might be missing (or either I missed it or it intentionally is not
> there, but that's the point of this issue). As an entry point to this
> potential issue, consider the statement in Section 4, p 23, para 2, that says
>
> "For security reasons, many entities are unwilling to publish their
> complete authorization and access control policies. Therefore, an
> XACMLAuthzAssertion </xacml/AuthzAssertion> MAY not be a complete
> specification of an entity's authorization and access control policy. A
> service MAY choose to publish all or a subset of the XACML authorization
> or access control policy it will apply with respect to particular policy
> targets."
>
> How are the subsets of the core xacml policies identified as to what
> should and should not be made public?

It is completely site-dependent as to what is published and what isn't. Particular trade/service communities (on-line bookstores, etc.) might standardize policy vocabularies to be used in stating XACMLAuthzAssertions or XACMLPrivacyAssertions for their sites.

As an example, Sun certainly isn't going to publish its enterprise policy. But consider some fictitious software download site maintained by Sun; for this site, Sun might publish the following:

    <wsp:exactlyOne>
      <XACMLAuthzAssertion>
        <Requirements>
          Has signed license agreement
        </Requirements>
        <Capabilities>
          Provide trial version
        </Capabilities>
      </XACMLAuthzAssertion>
      <XACMLAuthzAssertion>
        <Requirements>
          Has signed license agreement
          Has paid for Level 3 support
        </Requirements>
        <Capabilities>
          Provide current production version
        </Capabilities>
      </XACMLAuthzAssertion>
    </wsp:exactlyOne>

Would it help to include an example like this?
> Also, it would be of interest to
> see some example policies that contained entities that end up in the
> Capabilities and Requirements sections of the Assertions. I am
> particularly interested in how privacy requirements might be set up in
> the original policy since these are generally not part of the
> authorization process, per se, but possibly could be considered to be
> modelled as XACML Obligations. Any guidance on this in reply to issue or
> changes to doc would be much appreciated.

Consider a service policy saying the service will provide a copy of its current price list if the client agrees to retain it no longer than 30 days and not to disclose it to 3rd parties. The service also says it will not disclose the client's personal information to 3rd parties.

    <XACMLPrivacyAssertion>
      <Requirements>
        max-data-retention-days <= 30
        data-disclosure == "ours" }
      </Requirements>
      <Capabilities>
        resource-id="current-price-list"
        //p3p10full/POLICIES/POLICY/RECIPIENT/* subset-of { "ours" }
      </Capabilities>
    </XACMLPrivacyAssertion>

A client policy might say:

    <XACMLPrivacyAssertion>
      <Requirements>
        resource-id="current-price-list"
        //p3p10full/POLICIES/POLICY/RECIPIENT/* subset-of { "ours" }
      </Requirements>
      <Capabilities>
        max-data-retention-days <= 30
        data-disclosure == "ours" }
      </Capabilities>
    </XACMLPrivacyAssertion>

There is another example using XACML's XML syntax in Section 6 of WD 8. Is this what you are looking for? If you could describe ways in which the examples in Section 6 are inadequate, I could provide more examples or better examples.

>
> Status: *OPEN*

-- 
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
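As an added example (not from this thread or the WS-XACML drafts), a small Python matcher for the Requirements/Capabilities pairing in the price-list assertions above. It assumes a simplified semantics, that each side's Requirements must be guaranteed by some Capability of the other side, and the informal constraint notation used in the mail; the SLOW_CLIENT sample is constructed to show a failed match.

```python
import re

# Constructed samples mirroring the price-list assertions in the mail
# (the bare "=" in resource-id is read as "==").
SERVICE = {
    "Requirements": ["max-data-retention-days <= 30", 'data-disclosure == "ours"'],
    "Capabilities": ['resource-id = "current-price-list"',
                     '//p3p10full/POLICIES/POLICY/RECIPIENT/* subset-of { "ours" }'],
}
CLIENT = {
    "Requirements": ['resource-id = "current-price-list"',
                     '//p3p10full/POLICIES/POLICY/RECIPIENT/* subset-of { "ours" }'],
    "Capabilities": ["max-data-retention-days <= 30", 'data-disclosure == "ours"'],
}
# Constructed client that wants to keep the price list for 60 days (hypothetical).
SLOW_CLIENT = {**CLIENT, "Capabilities": ["max-data-retention-days <= 60", 'data-disclosure == "ours"']}

# attribute, operator, value; attribute may be an XPath as in the P3P example
CONSTRAINT = re.compile(r'^(\S+)\s*(<=|==|=|subset-of)\s*(.+)$')

def parse(text):
    # Returns (attr, op, value); sets become frozensets, quoted strings are unquoted.
    m = CONSTRAINT.match(text.strip())
    if not m:
        raise ValueError("unparsable constraint: " + text)
    attr, op, raw = m.group(1), m.group(2), m.group(3).strip()
    if op == "subset-of":
        value = frozenset(v.strip().strip('"') for v in raw.strip("{} ").split(","))
    else:
        value = raw.strip('"') if raw.startswith('"') else int(raw)
    return attr, ("==" if op == "=" else op), value

def implies(cap, req):
    """True when a party honouring constraint `cap` necessarily meets `req`."""
    (cattr, cop, cval), (rattr, rop, rval) = cap, req
    if cattr != rattr:
        return False
    if rop == "<=":                      # tighter or equal upper bound suffices
        return cop in ("<=", "==") and cval <= rval
    if rop == "==":
        return cop == "==" and cval == rval
    return cop == "subset-of" and cval <= rval   # frozenset inclusion

def unmet(requirements, capabilities):
    """Requirement strings that no capability on the other side guarantees."""
    caps = [parse(c) for c in capabilities]
    return [r for r in requirements if not any(implies(c, parse(r)) for c in caps)]

def match(service, client):
    """Check both directions; an empty list means the two assertions agree."""
    return (unmet(service["Requirements"], client["Capabilities"])
            + unmet(client["Requirements"], service["Capabilities"]))
```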