[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] New Issue#61: WS-XACML: How are the contents of XACMLAuthzAssertionsrepresented in the base XACML Policies
I just want to mention that I think the profile is a great document
and a really valuable example of how XACML can be applied.
I quickly looked over your suggestion and I think I must not have
expressed my point clearly.
What I am thinking is that these XACMLAssertions, both the
XACMLAuthzAssertion and the XACMLPrivacyAssertions are
elements that can be included in a ws:Policy elements and used
in wsdl and other policy containers to express the requirements
to clients as to what they need to do to successfully access the
web service. I think we probably agree on that, and, if so, then
I can get to what the issue is that I am considering.
I would expect (correct me if I am wrong, but this is what I am
thinking) that it is perfectly reasonable, if not likely, that these
XACMLAssertions will be part of an overall xacml architecture
in various enterprise environments. As such, it is likely that
there are one or mores PDP out there in the enterprise that are the
home of a collection of xacml policies, as well as being the decision
points handling PEP requests.
It is also my expectation that this PDP (or at least the people who
adminster the PDP) will likely consider the Web Services to be
Resources that its policies in general will cover.
So, I put myself in the position of one of these PDP admins and
ask myself, how do I create a XACML Policy that will contain all
the info I want to govern the access to this web service Resource
(as suggested by the para 2 in section 4, etc.). What I am thinking
is that only a subset of this info should go to the XACMLAssertions,
which will end up in the wsdl, but the rest of the info I want to keep
private and just use at runtime to validate and authorize requests and
produce Responses etc.
So, the question is: how do I flag the subset of XACML Policy info
that is targeted for the XACMLAssertions - I guess I am also assuming
that the WebService Manager, in whatever form it will take, will in
general make a XACMLRequest to the PDP to get the Policy or
Policies governing this Resource. That Manager would then need to
be able to select from the XACML Policy (as opposed to the WS Policy,
which, on the other hand, the Manager is populating for setup etc.) the
<element ref="xacml:Policy" minOccurs="0" maxOccurs="1" />
<element ref="xacml:PolicySet" minOccurs="0" maxOccurs="1" />
<element ref="xacml:Apply" minOccurs="0" maxOccurs="unbounded" />
<element ref="xacml-context:Request" minOccurs="0" maxOccurs="1" />
that can be moved from the xacml:Policy data to the Capabilities and Resources
elements of the XACML*Assertion.
So, I am wondering what the original xacml:Policy, which I assume can contain
the source elements for these XACML*Assertions, will look like and how one
would go about selecting the appropriate info therefrom.
Bottom line is that the examples you suggested below, appear to me to be the
final step of this process: i.e. some entity has put these ws:Policy blocks as
part of the wsdl or other that the client encounters before making the actual
access. To use your first example:
Has signed license agreement
I would expect that somewhere in the PDP policy store that a xacml:Attribute
might exist with an AttributeValue: "Has signed license agreement", and that
when one queries the PDP for this xacml:Policy that they are able to obtain this
AttributeValue and put it in the Requirements element of the ws:Policy.
OK, so now hopefully that explains how I am looking at this and maybe there
is some complete aspect to this that I am missing, that will help explain it all.
Anne Anderson - Sun Microsystems wrote: