Subject: RE: [xacml] Break the Glass policies
David, all --

In looking at access policies based on formal policy authorities (like laws and federal regulation) we've seen a number of cases where the only practical source of a person or environmental "attribute" is assertion by the requestor. The "BTG" attribute is an assertion that an emergency situation exists. We also have come to the same conclusion that you have (apparently), namely that ex-post enforcement (via audit of access logs) is a sufficient basis for enforcement for many kinds of policies.

Another general class of self-assertion situations is where a law or policy says "you can share information 'for the purpose of' something." Example: passport clerks can view personal passport records 'for the purpose of' verifying information in the course of processing a passport renewal application (but not for other purposes, like browsing the information of celebrities). In many of these scenarios one might imagine a data source for the attribute that did not depend on self-assertion, but those data may not be available, at least in the short run.

I have not considered implementation of this enforcement strategy (self-assertion plus log audit) to be a standards issue so much as a tooling issue (does a PDP product support pop-up requests for self-asserted information?). But if making a BTG profile stimulates vendors to add capability for collecting self-assertion data, I'm for it!

Martin Smith
US Department of Homeland Security

-----Original Message-----
From: xacml-return-1875-martin.smith=dhs.gov@lists.oasis-open.org [mailto:xacml-return-1875-martin.smith=dhs.gov@lists.oasis-open.org] On Behalf Of Ludwig Seitz
Sent: Monday, December 14, 2009 2:52 AM
To: David Chadwick
Cc: xacml
Subject: Re: [xacml] Break the Glass policies

Hi David,

you might want to look at this: http://portal.acm.org/citation.cfm?id=1263871

I think it is very similar to what you want to achieve.

Regards,
Ludwig

--
Ludwig Seitz, PhD | Axiomatics AB
Training & Development | Electrum 223
Phone: +46 (0)760 44 22 91 | S-164 40 Kista, Sweden
Mail: ludwig@axiomatics.com |
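The "self-assertion plus log audit" enforcement pattern discussed above, as an added toy PDP/PEP in Python (example code, not from the thread or any XACML product; the roles, attribute names and the audit-log obligation are assumptions). The BTG rule permits access on a self-asserted emergency attribute but attaches an obligation to write an audit record, and the PEP follows the XACML convention that a Permit whose obligations it cannot discharge is treated as Deny:

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    subject: str
    role: str
    resource: str
    action: str
    attrs: dict = field(default_factory=dict)  # incl. self-asserted attributes such as "btg"

def pdp_evaluate(req: Request):
    """Toy PDP. Returns (decision, obligations); rules are tried first-applicable."""
    # Rule 1 (assumed): a clinician may read the record of a patient assigned to them.
    if (req.action == "read" and req.role == "clinician"
            and req.attrs.get("assigned_patient") == req.resource):
        return "Permit", []
    # Rule 2: break the glass. The "btg" attribute is asserted by the requestor, not
    # looked up anywhere, so the Permit carries an obligation to log the access for
    # ex-post audit; enforcement of the emergency claim happens at audit time.
    if req.action == "read" and req.role == "clinician" and req.attrs.get("btg") is True:
        record = {"subject": req.subject, "resource": req.resource,
                  "asserted": "btg", "reason": req.attrs.get("reason", "")}
        return "Permit", [("audit-log", record)]
    return "Deny", []

class Pep:
    """Toy PEP. log_sink(record) -> bool tells us whether the audit record was persisted."""
    def __init__(self, log_sink):
        self.log_sink = log_sink
        self.audit_log = []  # constructed in-memory copy, for inspection in the example

    def enforce(self, req: Request) -> bool:
        decision, obligations = pdp_evaluate(req)
        if decision != "Permit":
            return False
        for name, args in obligations:
            if name != "audit-log":
                return False  # unknown obligation: PEP must not grant access
            if not self.log_sink(args):
                return False  # audit record could not be written: no log, no access
            self.audit_log.append(args)
        return True

if __name__ == "__main__":
    pep = Pep(lambda rec: True)
    print(pep.enforce(Request("dr_b", "clinician", "patient-42", "read",
                              {"btg": True, "reason": "ER admission"})))  # True
    print(pep.audit_log)
```

If the audit sink is unavailable, the BTG path is closed rather than silently un-audited, which is what makes the ex-post audit a real control instead of a best-effort one.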