xacml message

Subject: Issue#5: Policies included in a decision request


On 18 January 2007 we decided:

       Anne proposed semantics for policies that are provided by a PEP
       as part of an authorization decision request.  The version in
       http://lists.oasis-open.org/archives/xacml/200701/msg00013.html
       was generally approved, with three changes: 1) these policies
       will be part of the SAML XACMLAuthzDecisionQuery, not part of
       the core Request Context, 2) Change "MAY" to "MUST" in: "the
       policies MAY be used by the PDP for evaluation of the current
       authorization decision request only", 3) make it clear that the
       combining algorithm by which these policies are combined with
       other applicable policies is the one in the "top level/root
       policy" used by the PDP, and not some new combining algorithm.
       Anne will redraft this for inclusion in the next release of the
       2.1 version of the XACML SAML Profile.

I would like to re-open 3) because I believe there are at least two 
use-cases, and they require different approaches.

USE CASES

1) In the administrative policy use case, including policies to be used 
for evaluating this request alone is a way to allow delegation.  In this 
use case, policies included in the XACMLAuthzDecisionQuery should be 
combined using the PDP's top-level combining algorithm with other 
policies that would normally be applied to this request.

2) Another use case is a PEP that knows the policy to be applied to the 
request; an example is where the PEP "owns" the resource and its 
associated policy.  In this use case, only the submitted policy (of 
which there must be exactly one) should be used in evaluating this 
request.  Note that the PEP must always be trusted - a corrupt PEP could 
simply bypass the PDP altogether, so that is not an issue here.

PROPOSAL

I propose that the XACMLAuthzDecisionQueryType include a new Boolean XML 
attribute named "CombinePolicies", with default value "true".  If the 
attribute is "true", then included Policy and PolicySet elements are to 
be combined with others using the PDP's default top-level combining 
algorithm.  If the attribute is "false", only the included Policy or 
PolicySet element is to be used in evaluating the authorization request. 
In this case, it is an error if there is not exactly one Policy or 
PolicySet (which may contain nested policies) included in the 
authorization decision request.

REFERENCED POLICIES

We should also decide how policies referenced by policies included in 
the XACMLAuthzDecisionQueryType instance are handled.  This is similar 
to the situation we discussed on 1 February regarding policy references 
in a WS-XACML Requirements policy (Issue#55).  For that case, we agreed 
tentatively to add a new element in which any referenced policies must 
be included.  I propose that we use the same solution here.

Regards,
Anne
-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
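An added illustration of the proposed semantics, written for this page (it is example code, not part of Anne's message or any OASIS artifact): a PDP-side pre-processing step that reads the proposed CombinePolicies attribute with its "true" default, enforces the exactly-one rule when it is "false", and checks that every PolicyIdReference or PolicySetIdReference inside the submitted policies resolves to a policy carried in the request, as proposed for referenced policies. The query namespace and the ReferencedPolicies container element name are assumptions; the XACML 2.0 policy namespace and the deny-overrides combining-algorithm identifiers are the standard ones. The sample queries are constructed, not captured traffic.

```python
"""Added example: PDP-side handling of a proposed CombinePolicies attribute on
XACMLAuthzDecisionQuery.  Example code for this page, not from the message."""
import xml.etree.ElementTree as ET

# XACML 2.0 policy namespace (standard).  QUERY_NS is an ASSUMPTION standing in
# for the SAML profile's query namespace, which the message does not quote.
XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
QUERY_NS = "urn:example:xacml-saml-profile"
NS = {"x": XACML_NS, "q": QUERY_NS}
DENY_OVERRIDES_PS = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides"
DENY_OVERRIDES_R = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"


class QueryError(ValueError):
    """Raised when the query violates one of the proposed rules."""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _policy_id(el):
    return el.get("PolicyId") or el.get("PolicySetId")


def included_policies(query):
    """Top-level Policy/PolicySet children of the query, in document order."""
    return [c for c in query if _local(c.tag) in ("Policy", "PolicySet")]


def referenced_ids(policy):
    """Every PolicyIdReference / PolicySetIdReference value nested in `policy`."""
    return {(el.text or "").strip() for el in policy.iter()
            if _local(el.tag) in ("PolicyIdReference", "PolicySetIdReference")}


def defined_ids(policies):
    """Ids of every Policy/PolicySet defined anywhere inside `policies`."""
    return {_policy_id(el) for p in policies for el in p.iter()
            if _local(el.tag) in ("Policy", "PolicySet")}


def plan_evaluation(query_xml):
    """Return ("combine", [policies]) or ("only", policy) per the proposal,
    raising QueryError in the cases the proposal calls errors."""
    query = ET.fromstring(query_xml)
    flag = query.get("CombinePolicies", "true")          # proposed default: "true"
    if flag not in ("true", "false", "1", "0"):          # xs:boolean lexical forms
        raise QueryError(f"CombinePolicies must be xs:boolean, got {flag!r}")
    combine = flag in ("true", "1")

    submitted = included_policies(query)
    # ASSUMPTION: referenced policies travel in a <ReferencedPolicies> container,
    # the "new element" the message proposes; the name is made up here.
    container = query.find("q:ReferencedPolicies", NS)
    supporting = list(container) if container is not None else []

    # Every reference must resolve inside the request; the PDP fetches nothing.
    known = defined_ids(submitted + supporting)
    for p in submitted + supporting:
        missing = referenced_ids(p) - known
        if missing:
            raise QueryError(f"unresolved policy references: {sorted(missing)}")

    if combine:
        return "combine", submitted
    if len(submitted) != 1:
        raise QueryError("CombinePolicies='false' requires exactly one Policy or "
                         f"PolicySet at top level, got {len(submitted)}")
    return "only", submitted[0]


def policies_to_evaluate(query_xml, pdp_root_policy_ids):
    """Ids the PDP's top-level combining algorithm will see: its own root
    policies plus the submitted ones (use case 1), or only the submitted one
    (use case 2)."""
    mode, result = plan_evaluation(query_xml)
    if mode == "only":
        return [_policy_id(result)]
    return list(pdp_root_policy_ids) + [_policy_id(p) for p in result]


def rejects(query_xml):
    """True if the query is rejected with QueryError."""
    try:
        plan_evaluation(query_xml)
    except QueryError:
        return True
    return False


# Constructed sample queries (not real traffic); the Request element is omitted
# because only the policy handling is shown.
def _query(attrs, body):
    return (f'<XACMLAuthzDecisionQuery xmlns="{QUERY_NS}" xmlns:x="{XACML_NS}"{attrs}>'
            f"{body}</XACMLAuthzDecisionQuery>")


def _policy(pid):
    return f'<x:Policy PolicyId="{pid}" RuleCombiningAlgId="{DENY_OVERRIDES_R}"><x:Target/></x:Policy>'


def _policyset(psid, ref):
    return (f'<x:PolicySet PolicySetId="{psid}" PolicyCombiningAlgId="{DENY_OVERRIDES_PS}">'
            f"<x:Target/><x:PolicyIdReference>{ref}</x:PolicyIdReference></x:PolicySet>")


SAMPLE_COMBINE = _query("", _policy("urn:example:delegated"))                      # use case 1
SAMPLE_ONLY = _query(' CombinePolicies="false"',
                     _policyset("urn:example:pep-owned", "urn:example:rule-a")
                     + "<ReferencedPolicies>" + _policy("urn:example:rule-a")
                     + "</ReferencedPolicies>")                                      # use case 2
SAMPLE_TWO = _query(' CombinePolicies="false"',
                    _policy("urn:example:p1") + _policy("urn:example:p2"))          # error
SAMPLE_DANGLING = _query("", _policyset("urn:example:ps", "urn:example:nowhere"))  # error

if __name__ == "__main__":
    print(policies_to_evaluate(SAMPLE_COMBINE, ["urn:pdp:root"]))
    print(policies_to_evaluate(SAMPLE_ONLY, ["urn:pdp:root"]))
    print(rejects(SAMPLE_TWO), rejects(SAMPLE_DANGLING))
```

The two return shapes make the difference between the use cases explicit: in "combine" mode the submitted policies are simply appended to the PDP's root set and the root's own combining algorithm does the rest, while in "only" mode the PDP's root policies are not consulted at all, which is why the proposal's exactly-one rule and the requirement that every reference resolve inside the request matter: there is nothing else for the PDP to fall back on.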


