OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: Policy Labelling (was Re: Delegation and on-permit-apply-second)

Hi Erik,

On 20/12/2012 3:43 AM, Erik Rissanen wrote:
Hi Steven,

On 2012-12-19 06:29, Steven Legg wrote:

Hi Erik,

On 19/12/2012 2:08 AM, Erik Rissanen wrote:
Thanks Steven,

Ok, so the difference which I had not noticed in your proposal is that you advocate that any admin request
should always start from the top,

You need to read more carefully. That was the fifth time I'd said it.

> while I say that the reduction graph is formed within the nested policy
set like before, except of course that we use labeling rather than categories to differentiate between admin
and access policies.

By doing nested reduction graphs, there are two benefits as I see it:

- You don't need hybrids.
- Someone can neatly package a complete policy set with nested admin policies in full, without having to be
concerned about how this might interfere with any other "top level" policies.

Could you refresh my memory again as to why you want to start reduction from the top? What are the benefits?

I previously said this on the topic:

    ... "working out where
    to put an administrative policy under the current scheme is a burden policy
    writers can do without. Take the simple case where User A delegates all
    rights to User D. This is a very simple administrative policy that basically
    says "if the delegate is User D, then Permit". The issue is where to put it.
    User A needs to place it (by copy or by reference) in every policy set where
    User D will potentially be creating access policies. Furthermore, as new
    policy sets are created that User D might put policies into, User A will have
    to put the administrative policy in there as well. Conversely, if User A
    isn't thorough or proactive in placing the administrative policy, then User D
    will be limited in the rights he or she can actually exercise. Compounding
    the difficulties is the fact that in the general case, because of
    multi-valued attributes and augmentation of the delegate category by
    a context handler, practially any untrusted policy can be authorized by any
    administrative policy. It all depends on the request context. It is only
    by making assumptions about certain attributes being single-valued or by
    knowing about correlations between the attributes of an access subject that
    we can begin to predict which untrusted policies will be authorized by
    which administrative policies in the absence of any specific request context.
    These are things that users shouldn't have to be concerned with when creating
    administrative policies."

In the current scheme an administrative policy can only authorize an untrusted
policy that is a sibling or a sibling of an ancestor. This is a severe limitation
when the scope of an administrative policy is wider than any one of the untrusted
policies that it authorizes.

It is correct that the admin policy has to be a sibling in the current scheme, and my proposed labeling
scheme. I don't see this as a major issue, rather I find it nice, because it means that this allows
recursive nesting of policies, which will not interfere with each other.

That is still possible with HybridPolicySet and evaluation from the top. The only
difference between the original access request and any administrative requests
subsequently spawned from it because of untrusted policies is that the administrative
requests will have added categories for delegate and delegation-info. If the targets
of the HybridPolicySet and its ancestor HybridPolicySets don't reference these
categories (and there is no good reason for them to do so), then a PDP evaluating
an administrative request will find its way back to the same HybridPolicySet where
the untrusted policy was encountered. If the policy set hierarchy is constructed
such that policy sets don't interfere with each other with respect to access requests,
then they won't interfere with each other with respect to the corresponding
administrative requests.

Mostly I find that I want to put the administrative policies higher up in the policy
set hierarchy, because they have a wider scope.

I don't understand your second concern in the text you quoted above. It is true that XACML policies are
written with a set of possible request contexts in mind. An admin policy can use any attributes it desires
to constrain its applicability in any way, so it is quite clear which requests it will authorize for which
delegates. It is true that the support relation between an access policy and an admin policy is resolved at
runtime, so the links are not static. A policy may support another or not, depending on the
situation/context. However, this is a feature, not a bug, since it allows an access policy author to
"consolidate authority", that is he can write an access policy which is in itself greater in scope than any
individual admin policy which authorizes him. Depending on the situation, the access policy would be
supported by different admin policies.

That feature is not something I'm proposing changing. The limitation that
authorizing administrative policies have to be a sibling or descendant of
a sibling is just not in harmony with it. If a writer of an untrusted access
policy doesn't know for certain which administrative policy or policies will
authorize it, how can they be sure they have put it in a place that will
allow it to be authorized ? The writers of administrative policies have the
similar problem of not being sure they have put the administrative policy in
the places it needs to be to authorize the access policies yet to come.
Evaluating administrative requests from the top removes sibling adjacency as
a concern and the feature operates unfettered.

I also said this:

    [ In the current scheme ] "the effect of a nested AdminPolicy depends on
    where evaluation of the administrative request begins. Suppose that the nested
    AdminPolicy evaluates to Deny. If the evaluation of the administrative request
    started inside the AdminPolicySet, then the AdminPolicy has no effect because
    it doesn't add an arc to the reduction graph. If the evaluation of the administrative
    request started outside the AdminPolicySet, then the Deny result from the AdminPolicy
    is combined with the results from its siblings according to the combining algorithm
    of the AdminPolicySet. If that combining algorithm is deny-overrides, then the
    Deny result overrides any Permit results from the siblings. That sort of
    variability will make delegation hard for users to understand."

Evaluating administrative requests from the top means that the result of an
administrative policy is always combined with the results of its siblings
according to the combining algorithm of the policy set in which it is found
- with no exceptions.

Yes, that is true, but I would not expect anyone to use delegated admin policies inside an admin policy set.
(In fact, we could forbid that explicitly.) Also, I am not sure it's a lot easier to grasp the big picture
in case of nested untrusted admin policies even if the evaluation jumps up to the top level for each
untrusted admin policy. It's going to melt most people's brain anyway. ;-)

In the current scheme, the reduction of an untrusted policy considers each of
the sibling administrative policies by evaluating the administrative request
against them. The effect of the reduction graph is to combine the results of
those evaluations in a way that is similar to, though not exactly, the
permit-overrides combining algorithm. This is the only predictable way to
combine the results of administrative policies, whether I like it or not, and
I don't. I particularly want to use deny-overrides. If I put the administrative
policies inside an administrative policy set with the combining algorithm I
want, then that's not reliable, for the reasons above. The practice might as
well be forbidden if it can't be trusted, but either way, policy writers are
condemned to only combine the results of administrative policies according to
something like permit-overrides. Evaluating administrative policies from the
top every time means that policy writers have the flexibility to use whatever
combining algorithm they want, knowing that it will always work as specified.

And I said this:

    [ In the current scheme ] "evaluation of an administrative request always starts
    with the pair-wise consideration of siblings of the policy being reduced. It is
    a process that is different from the normal processing of a combining algorithm
    and, in fact, completely disregards the combining algorithm of the policy set
    that contains the access policy and its sibling administrative policies. Starting
    the evaluation of the administrative request at the top (just like an access
    request) would be simpler to manage and easier for users to get their heads

When I read this, I am not sure, but do you imply that there is no reduction graph construction at the top

Correct. The administrative request is evaluated according to section 7.17 of the
core, subject to the additional requirement that any access policy or access
policy set is automatically NotApplicable.

> BTW, what does the reduction graph look like in your proposal?

There isn't one.


> Which policies participate in it? How
is it built?

Best regards,


Best regards,

On 2012-12-18 07:17, Steven Legg wrote:

Hi Erik,

On 18/12/2012 2:32 AM, Erik Rissanen wrote:
On 2012-12-14 04:28, Steven Legg wrote:
On 13/12/2012 11:36 PM, Erik Rissanen wrote:
> So why do you allow for the hybrid?

To overlay the administrative and access policy set hierarchies. Some
folks have expressed a dislike for a complete separation.

I don't see that you need hybrids even if the admin hierarchy is overlaid. Can you give an example?

Suppose I want to write a bunch of admin policies that all relate to
a resource with a resource-id of "printer", so I factor out the
resource-id test and wrap the admin policies in an admin policy set
like so:

AdminPolicySet {
    PolicySetId: PS1
    Target: resource-id="printer"
    AdminPolicy {
        PolicyId: P1
    AdminPolicy {
        PolicyId: P2

Along comes the delegate, who creates some access policies that relate
to the resource with a resource-id of "printer". If the delegate factors
out the resource-id test and wraps the access policies in an access
policy set it looks like this:

PolicySet {
    PolicySetId: PS2
    Target: resource-id="printer"
    Policy {
        PolicyId: P3
    Policy {
        PolicyId: P4

This represents a complete separation of access and administrative policy.

In my proposal I don't allow AdminPolicy in a PolicySet, or Policy in an
AdminPolicySet, not because it is harmful, but because it is pointless.
Recalling that I am proposing evaluating administrative requests from
the top, an AdminPolicy in a PolicySet will never get evaluated because
the PolicySet is not applicable to an administrative request. Likewise,
a Policy in an AdminPolicySet will never get evaluated because the
AdminPolicySet is not applicable to an access request. In order to take
advantage of the common targets for the two policy sets above and merge
them into one I need a policy set that is applicable for both access
requests and administrative requests. That thing is the HybridPolicySet:

HybridPolicySet {
    PolicySetId: PS3
    Target: resource-id="printer"
    AdminPolicy {
        PolicyId: P1
    AdminPolicy {
        PolicyId: P2
    Policy {
        PolicyId: P3
    Policy {
        PolicyId: P4


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]