RE: [xacml] The Indeterminate flavors question

["Tyson, Paul H" <PTyson@bellhelicopter.textron.com>]

Thanks, Erik, for the very clear explanation and examples.

The flexibility of XACML makes it possible to do very strange things, and even without doing anything strange even the simplest policy set can quickly become complicated.  The policy writer already has to think hard about policy structure, combining-algorithms, attribute tests, and the MustBePresent attribute.  He should not have to worry about getting different results depending on whether he happens to put an attribute test in a Target or in a Condition.

But it doesn't appear the TC is inclined to address this problem right now.  Erik's proposal (wd-19 section 7.13, Table 7) seems to be a reasonable approach that will not cause too many surprises.

In the longer term the TC should work out a comprehensive logical framework that explicitly either confirms or denies the "policy equivalence" (or "linearity" as Erik called it) between a policy with a non-empty target and the same policy with an empty target and the attribute tests distributed to the descendant conditions (with appropriate syntactic modifications).  Hal has said the TC has avoided previous attempts to define "policy equivalence", but I assume that was in general, not for this specific issue.

However, I don't think we can avoid the question of whether an indeterminate target should override a "permit-unless-deny" or "deny-unless-permit" combining algorithm on the parent of the indeterminate target.  Erik's example does not include the combining-algorithm of the top policy.  A policy writer who uses one of these algorithms never wants to see "Indeterminate" or "NotApplicable".  Either we must amend wd-19 Table 7 to honor these algorithms, or revise the definition of these algorithms to account for indeterminate targets.  (Note that if we adopted the notion of policy equivalence and evaluated all descendant rules as "Indeterminate", this would not be a problem.)

Regards,
--Paul

> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Monday, April 25, 2011 06:55
> To: xacml
> Subject: [xacml] The Indeterminate flavors question
> 
> All,
> 
> Here are some examples which illustrate the points I was trying to make
> during the TC meeting last week.
> 
> The first example intends to show why it is necessary to evaluate the
> children in order to determine the flavor of Indeterminate from a
> target.
> 
> Consider the following policy:
> 
> Policy:
>     target: resource-id = printer
>             subject-id = alice
>     Rule[Effect=Permit]
> 
> Assume we have the following request:
> 
> Subject:
>    subject-id = alice
> Resource:
>    resource-id = printer
> 
> For this request this policy would say Permit.
> 
> Now consider this policy:
> 
> Policy:
>     target: resource-id = bank-account
>             subject-risk-level = HIGH
>     Rule[Effect=Deny]
> 
> This policy would say NotApplicable for the same request as above.
> 
> Now, assume that we collect the two policies in a policy set:
> 
> PolicySet
>    Target: subject-location[MustBePresent='true'] = office
>    Policy:
>       target: resource-id = printer
>               subject-id = alice
>       Rule[Effect=Permit]
>    Policy:
>       target: resource-id = bank-account
>               subject-risk-level = HIGH
>       Rule[Effect=Deny]
> 
> Now, let's evaluate this policy against the example request from above.
> 
> The target of the policy set will be Indeterminate because the
> subject-location attribute is missing. Now, which flavor of
> Indeterminate should it be? It should be Indeterminate{P} since only a
> permit could have been produced if the target would not have failed.
> And
> we know that only if we evaluate the children. Note that simply
> scanning
> the policy tree for effects would incorrectly conclude that the policy
> might have evaluated to a Deny for this request.
> 
> 
> Now, there was another issue which was discussed at the meeting, namely
> that Paul had an idea that instead of having to actually evaluate all
> the children, one could think of the policy is being transformed. I
> need
> to bring up another example to illustrate that. (I did not want to mix
> two issues in the same example policy.)
> 
> Consider this policy set:
> 
> PolicySet
>    Target: subject-location[MustBePresent='true'] = office
>    Policy[CombAlg='deny-unless-permit']:
>       Target[empty]
>       Rule[Effect=Permit]
>         target: resource-id = printer
>                 subject-id = alice
>       Rule[Effect=Deny]
>          target: resource-id = bank-account
>                  subject-risk-level = HIGH
> 
> 
> Again, let's evaluate the policy set with the example request from
> above. The policy set target is indeterminate, so the policy set is
> Indeterminate as a whole. If we would evaluate the children to
> determine
> the flavor of Indeterminate, we would get Indeterminate{P}, like above
> because the rule about bank accounts does not apply.
> 
> Now, Paul thought one could rewrite this policy set by adding the
> expression from the policy set target in each leaf rule as a condition.
> However, I pointed out that it won't give the same result because of
> the
> combining algorithms. In this case, the rewritten policy would be:
> 
> PolicySet
>    Target[empty]
>    Policy[CombAlg='deny-unless-permit']:
>       Target[empty]
>       Rule[Effect=Permit]
>         target: resource-id = printer
>                 subject-id = alice
>         condition: subject-location[MustBePresent='true'] = office
>       Rule[Effect=Deny]
>         target: resource-id = bank-account
>                  subject-risk-level = HIGH
>         condition: subject-location[MustBePresent='true'] = office
> 
> Íf we evaluate this policy set against the example request, we get
> Indeterminate in both rules because of the missing attribute in their
> conditions. However, the 'deny-unless-permit' algorithm is going to
> change that to a Deny for the policy which contains the rules, so
> overall we get Deny, which is different from the policy set before we
> transformed.
> 
> The question Paul brought up during the meeting was whether this was
> intended. Clearly that is what the spec says happens since the
> evaluation tables allow a combining algorithm to make a decision among
> several conflicting decisions. I guess what Paul is thinking about is
> that there should be some kind of "linearity" requirement, by which
> certain properties of the policy are immutable under certain types of
> transformations in the policy.
> 
> However, there are currently no general requirements on the algorithms
> which would guarantee that certain decisions are not overridden. I
> don't
> think there should be either.
> 
> Best regards,
> Erik
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php