Subject: Re: [xacml] FW: some little questions
Jan,

I was involved in the design of the administration profile. It is as Hal says that it is difficult to provide access control using XACML/CRUD if one wants to restrict the scope of administrative rights.

It might be possible to implement XACML/CRUD, but I have found it to be difficult to understand the safety of these kinds of models. Academic research has shown that many (most?) protection models are undecidable. It would be an interesting research question to study whether it would be possible to design an XACML/CRUD model with certain limitations which makes it safe.

And the main reason why reduction is a policy decision time process instead of an administration time process is that in general it is very difficult to implement comparison of two XACML policies to implement the restriction of policy scope feature. With an administration time process it would be necessary to compare two XACML policies to check whether one of them is a subset of another in their scope. At decision time it is a simple matter of simply evaluating both policies and checking that they both say permit, by which the end result is that administrative scope is restricted.

In some cases the delegation model might be overkill. If you have a bunch of trusted administrators who should be allowed to do anything, it could be simpler to use XACML or any simple access control list to control access there.

Another simple approach to separate administrative scope is to use entirely separate PDP instances which are used for different resources.

Best regards,
Erik

Harold Lockhart wrote:
> Perhaps I gave the wrong impression about protecting a policy repository.
>
> During the discussions which led to XACML 3.0 it was pointed out that
> with XACML 2.0 (or any version really) you can protect operations such
> as CRUD on a repository. However this approach would not let you
> control the scope of capabilities of a person editing policies.
>
> I suppose we could have considered using XPATH functions to introspect
> policy contents, but I think the result would have made it very hard
> to understand the intent of administrative policies.
>
> For whatever reasons this approach was not seriously considered and
> instead we chose the scheme you see in the Admin Profile.
>
> Influenced by the requirement to be allowed to provide policies along
> with the request, we formulated Reduction as a policy decision time
> process instead of an administration time process. Since the current
> scheme allows access policies and their enabling administrative
> policies to reference distinct attributes, there is no good way to
> determine if an access policy is in force, except in the context of a
> particular decision.
>
> Hal
>
> -----Original Message-----
> *From:* Harold Lockhart
> *Sent:* Thursday, July 16, 2009 10:20 AM
> *To:* xacml@lists.oasis-open.org
> *Subject:* [xacml] FW: some little questions
>
> -----Original Message-----
> *From:* Jan Herrmann [mailto:herrmanj@in.tum.de]
> *Sent:* Thursday, July 16, 2009 8:43 AM
> *To:* Harold Lockhart
> *Subject:* some little questions
>
> Hello Hal,
>
> I modified the slides from the Boston meeting a little bit to
> focus on the things that might be of interest for your group.
>
> Now I am wondering how you usually do presentations during your
> telecons. Are you using google docs or special tools like team viewer?
>
> Another question: In Boston you mentioned that a couple of years
> ago the XACML TC discussed how to administrate XACML policies. You
> mentioned that using XACML itself to control access to a PAP
> Web Service was rejected and instead the mechanism described in
> the new delegation profile was preferred. Are there any internal
> documents talking about the reasoning behind this decision?
>
> Talk to you later.
>
> greets
>
> jan
>
> ________________________________________
>
> Jan Herrmann
> Dipl.-Inform., Dipl.-Geogr.
>
> Research associate
>
> Technische Universität München
> Institut für Informatik
>
> Lehrstuhl für Angewandte Informatik / Kooperative Systeme
>
> Boltzmannstr. 3
> 85748 Garching
>
> Tel: +49 (0)89 289-18692
> Fax: +49 (0)89 289-18657
> www11.informatik.tu-muenchen.de
> ________________________________________
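
A simplified model of the decision-time check described in the message above, added here as an example; it is not code from the thread or from the XACML administration profile. The `Policy` class, the `backed` and `decide` functions and the sample policies are assumptions made for illustration, and policy evaluation is reduced to a Python predicate. Note that Alice's delegation to Bob is wider than her own scope, yet no policy-to-policy subset comparison is needed: the chain is simply evaluated per request.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Policy:
    issuer: Optional[str]              # None marks a trusted (root) policy
    permits: Callable[[dict], bool]    # stand-in for target + rule evaluation
    delegate: Optional[str] = None     # admin policies only: who may issue policies

def backed(policy, request, admin_policies, depth=0):
    """Is `policy` supported, for this request, by a chain up to a trusted policy?"""
    if policy.issuer is None:
        return True
    if depth > 8:                      # guard against delegation cycles
        return False
    return any(a.delegate == policy.issuer and a.permits(request)
               and backed(a, request, admin_policies, depth + 1)
               for a in admin_policies)

def decide(request, access_policies, admin_policies):
    """Permit only if an access policy and every admin policy above it say permit."""
    for p in access_policies:
        if p.permits(request) and backed(p, request, admin_policies):
            return "Permit"
    return "NotApplicable"

# Constructed sample data (hypothetical names and resources).
def is_printer(r):
    return r["resource"].startswith("printer/")

ADMIN = [
    # Trusted root policy: alice may administer printers only.
    Policy(issuer=None, delegate="alice", permits=is_printer),
    # Alice over-delegates: bob may issue policies about anything.
    Policy(issuer="alice", delegate="bob", permits=lambda r: True),
]
# Bob's access policy: carol may do anything.
ACCESS = [Policy(issuer="bob", permits=lambda r: r["subject"] == "carol")]

def demo():
    return [decide(r, ACCESS, ADMIN) for r in (
        {"subject": "carol", "resource": "printer/3", "action": "print"},
        {"subject": "carol", "resource": "db/payroll", "action": "read"},
        {"subject": "dave", "resource": "printer/3", "action": "print"},
    )]

if __name__ == "__main__":
    print(demo())
```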