Subject: Issue#5: Policies included in a decision request
On 18 January 2007 we decided:

Anne proposed semantics for policies that are provided by a PEP as part of an authorization decision request. The version in http://lists.oasis-open.org/archives/xacml/200701/msg00013.html was generally approved, with three changes:

1) these policies will be part of the SAML XACMLAuthzDecisionQuery, not part of the core Request Context,
2) Change "MAY" to "MUST" in: "the policies MAY be used by the PDP for evaluation of the current authorization decision request only",
3) make it clear that the combining algorithm by which these policies are combined with other applicable policies is the one in the "top level/root policy" used by the PDP, and not some new combining algorithm.

Anne will redraft this for inclusion in the next release of the 2.1 version of the XACML SAML Profile.

I would like to re-open 3) because I believe there are at least two use cases, and they require different approaches.

USE CASES

1) In the administrative policy use case, including policies to be used for evaluating this request alone is a way to allow delegation. In this use case, policies included in the XACMLAuthzDecisionQuery should be combined using the PDP's top-level combining algorithm with other policies that would normally be applied to this request.

2) Another use case is a PEP that knows the policy to be applied to the request; an example is where the PEP "owns" the resource and its associated policy. In this use case, only the submitted policy (of which there must be exactly one) should be used in evaluating this request.

Note that the PEP must always be trusted - a corrupt PEP could simply bypass the PDP altogether, so that is not an issue here.

PROPOSAL

I propose that the XACMLAuthzDecisionQueryType include a new Boolean XML attribute named "CombinePolicies", with default value "true". If the attribute is "true", then included Policy and PolicySet elements are to be combined with others using the PDP's default top-level combining algorithm.

If the attribute is "false", only the included Policy or PolicySet element is to be used in evaluating the authorization request. In this case, it is an error if there is not exactly one Policy or PolicySet (which may contain nested policies) included in the authorization decision request.

REFERENCED POLICIES

We should also decide how policies referenced by policies included in the XACMLAuthzDecisionQueryType instance are handled. This is similar to the situation we discussed on 1 February regarding policy references in a WS-XACML Requirements policy (Issue#55). For that case, we agreed tentatively to add a new element in which any referenced policies must be included. I propose that we use the same solution here.

Regards,
Anne

--
Anne H. Anderson Anne.Anderson@sun.com
Sun Microsystems Labs 1-781-442-0928
Burlington, MA USA
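The following is an added example, not code from Anne's message or from any OASIS XACML deliverable. It shows how a PDP could apply the proposed CombinePolicies attribute and the "exactly one Policy or PolicySet" rule to an incoming XACMLAuthzDecisionQuery, and how it could enforce the REFERENCED POLICIES proposal by refusing any policy reference that does not resolve to a policy carried in the query. The namespace URIs are assumed from XACML 2.0 and its SAML profile, the `ReferencedPolicies` element name is a hypothetical placeholder for the unnamed element the message proposes, the query builder omits the Request element, and all policy identifiers are constructed sample values.

```python
"""Added example (not from the original message or any OASIS deliverable):
PDP-side handling of the proposed CombinePolicies attribute."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"                    # assumed
QUERY_NS = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol"  # assumed
POLICY_DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides"
RULE_DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"

POLICY_TAGS = {f"{{{XACML_NS}}}Policy", f"{{{XACML_NS}}}PolicySet"}
REFERENCE_TAGS = {f"{{{XACML_NS}}}PolicyIdReference", f"{{{XACML_NS}}}PolicySetIdReference"}
QUERY_TAG = f"{{{QUERY_NS}}}XACMLAuthzDecisionQuery"
REFERENCED_TAG = f"{{{QUERY_NS}}}ReferencedPolicies"  # hypothetical container element name


class DecisionQueryError(ValueError):
    """The query violates the proposed CombinePolicies or referenced-policy rules."""


def parse_xs_boolean(value):
    # xs:boolean permits exactly these four lexical forms.
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise DecisionQueryError(f"CombinePolicies is not an xs:boolean: {value!r}")


def policy_id(element):
    pid = element.get("PolicyId") or element.get("PolicySetId")
    if pid is None:
        raise DecisionQueryError("included policy has no PolicyId/PolicySetId")
    return pid


def select_policies(query_xml, pdp_policy_ids):
    """Return (policy ids to evaluate, combined-with-PDP-root flag).

    CombinePolicies="true" (the default): submitted policies join the PDP's
    own applicable policies under the PDP's top-level combining algorithm.
    CombinePolicies="false": exactly one submitted Policy or PolicySet is
    required and only it is evaluated.
    """
    root = ET.fromstring(query_xml)
    if root.tag != QUERY_TAG:
        raise DecisionQueryError(f"unexpected root element {root.tag}")
    combine = parse_xs_boolean(root.get("CombinePolicies", "true"))

    # Only direct children count as submitted top-level policies; policies
    # nested inside a PolicySet belong to that set, not to this list.
    submitted = [policy_id(c) for c in root if c.tag in POLICY_TAGS]
    container = root.find(REFERENCED_TAG)
    referenced = [policy_id(c) for c in container if c.tag in POLICY_TAGS] if container is not None else []

    # Every reference in the query must resolve to a policy carried in the query,
    # so the PDP never has to fetch policies from elsewhere to honour it.
    carried = set(submitted) | set(referenced)
    for el in root.iter():
        if el.tag in REFERENCE_TAGS and (el.text or "").strip() not in carried:
            raise DecisionQueryError(f"unresolved policy reference {el.text!r}")

    if combine:
        return list(pdp_policy_ids) + submitted, True
    if len(submitted) != 1:
        raise DecisionQueryError(
            f'CombinePolicies="false" requires exactly one Policy or PolicySet, found {len(submitted)}')
    return submitted, False


def build_query(top_level, referenced=(), combine=None):
    """Construct a sample query (constructed data; the Request element is omitted).

    top_level: (policy-set id, [ids it references]) pairs, one PolicySet each.
    referenced: ids of Policy elements placed in the ReferencedPolicies element.
    combine: None leaves the attribute out so the default ("true") applies.
    """
    attr = "" if combine is None else f' CombinePolicies="{combine}"'
    parts = [f'<q:XACMLAuthzDecisionQuery xmlns:q="{QUERY_NS}" xmlns:x="{XACML_NS}"{attr}>']
    for pid, refs in top_level:
        parts.append(f'<x:PolicySet PolicySetId="{pid}" PolicyCombiningAlgId="{POLICY_DENY_OVERRIDES}"><x:Target/>')
        parts += [f"<x:PolicyIdReference>{r}</x:PolicyIdReference>" for r in refs]
        parts.append("</x:PolicySet>")
    if referenced:
        parts.append("<q:ReferencedPolicies>")
        parts += [f'<x:Policy PolicyId="{r}" RuleCombiningAlgId="{RULE_DENY_OVERRIDES}"><x:Target/></x:Policy>'
                  for r in referenced]
        parts.append("</q:ReferencedPolicies>")
    parts.append("</q:XACMLAuthzDecisionQuery>")
    return "".join(parts)


if __name__ == "__main__":
    pdp = ["urn:example:pdp-root"]
    # Use case 1: delegation, combined with the PDP's own policies.
    print(select_policies(build_query([("urn:example:delegated", [])]), pdp))
    # Use case 2: PEP-owned policy used alone, with its reference carried along.
    q = build_query([("urn:example:pep-owned", ["urn:example:shared"])], ["urn:example:shared"], combine="false")
    print(select_policies(q, pdp))
```

The check runs before any evaluation, so a query that fails the exactly-one or unresolved-reference rules is rejected as a malformed request rather than silently evaluated against a different policy set than the PEP intended.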