[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml] BTG sequence diagram
Sure. Agree that the user does not need to know all their privileges. They should, however, be able to know what they are doing and the purpose of use for it and be able to assert such in a request. Based upon that, their privileges as well as the entire decision context can be determined (locally or via attribute assertion) including any actions occurring outside of the XACML/authz concern. So they make a request under treatment-->deny. They decide that the situation is significant enough to override and reassert under BTG-->If their privileges are adequate under this pou then the decision can be made--Allow. Regards, Mike Davis, CISSP Department of Veterans Affairs VHA Office of Health Information Security Architect 760-632-0294 -----Original Message----- From: David Chadwick [mailto:d.w.chadwick@kent.ac.uk] Sent: Wednesday, April 27, 2011 8:06 AM To: xacml@lists.oasis-open.org Subject: Re: [xacml] BTG sequence diagram Hi Mike and Bill On 25/04/2011 17:34, Bill Parducci wrote: > > On Apr 25, 2011, at 8:39 AM, Davis, John M. wrote: > >> Because, in this case, the obligation approach does not align with >> the business need/policy. The simple fact that one gets a deny >> does not imply an obligation to automatically invoke a security >> bypass. you forget that one of the purposes of the BTG profile is to differentiate between a deny response and a BTG response, the latter being in between a grant and a deny. It is important that the PDP be able to give the BTG response to the user, as it is unreasonable to expect users to know what all their privileges are. It is the security officer/policy administrator who decides this and encodes it into the policy. The user finds out his privileges from the responses obtained from the PDP (which might change on an hourly or daily basis, according to the policy). I therefore broadly agree with Bill's comments regards David Since the PDP is not a state machine, the change of state >> must be external, hence, the deny allows the user to reassess the >> situation and apply either additional privilege to the request or >> change the game by changing the policy set. > > I disagree on both counts. I do not see how the "business needs" are > not met. I am not implying that the simple act of a Deny allows for > access, rather that the conditions by which this determination is > made is done within a single atomic action by the PDP. Subsequent > requests (aka BTG Manager requests) are handled on the PEP in line > with the terms of the Obligation that accompanied the original > decision. Nothing has changed from the perspective of the requestor > and as I mentioned in my previous note, the PEP is the best suited > entity for performing things such as exception logging, > notifications, etc. because only it can discriminate between the > request for BTG and the Action be effected upon the Resource. > > >> There is another aspect of BTG, in that the user is typically >> required to assert acknowledgement to a set of conditions, >> including an understanding that BTG is exceptional access and that >> they are asserting this intentionally. This gets messy, since the >> obligation may need to be passed across boundaries to an external >> requestor (you are now making a demand that the foreign system have >> an interface with the requestor). It seems simpler to me, to just >> have a deny and leave it up to the user to figure out what they >> need to do. > > This is no different than downstream systems needing to know the > choreography of a follow-on request for BTG access. I argue that it > is not any simpler because two coordinated requests must be made > instead of one. So, unless you are suggesting that BTG access can be > granted without a prior Deny, you now must spread state information > across PEPs (or maintain "Layer 7 stickiness") to ensure cohesion of > the access control transaction. Auditing in this scenario must also > coordinate across multiple boundaries. > > >> Furthermore, what would be totally acceptable in my mind, is for a >> technology, such as XACML, to attempt to mandate to the business >> side (regardless of what that is, healthcare, finance, >> manufacturing etc.) that they MUST include a business >> role/permission (such as BTG) in their information model in order >> to make XACML work. In fact, in healthcare (HL7 and ISO), there >> is currently no such standard role, instead the standard is for >> Purpose of Use defining a number of possible policy sets under >> different conditions, (e.g. normal treatment, administrator access, >> programmer access, research, marketing, etc.). OASIS has existing >> standards (XSPA SAML, XACML and WS-Trust) that have taken this >> approach and defined the environmental attribute in the assertion. > > Acceptable perhaps for a Profile, but definitely not as part the Core > specification IMO. > > b > > > --------------------------------------------------------------------- > > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > > > -- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security School of Computing, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 ***************************************************************** --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]