Thanks so much, Hal, for the response!
From: Hal Lockhart [mailto:firstname.lastname@example.org]
Sent: Thursday, April 02, 2015 12:43 PM
To: Hayes, Crystal L; Hill, Richard C; email@example.com
Cc: Smith, Gregory L
Subject: RE: [xacml] RE: Question re: XACML PEP
Yes it does.
Technically it is a PIP (Policy Information Point) which fetches the attributes. It may be located in the same process as the PEP, the PDP or somewhere else.
Nonetheless, a privileged process which can read all the resources is required. Cases of this kind often occur as the access control becomes more fine grained. It may be necessary to access the resource to determine if an access request should be allowed. A good example is a proxy/interceptor architecture such as used by the GeoXACML implementation. It sits in front of a SQL database and may rewrite SQL queries to fetch attributes not requested by the application, but needed for policy evaluation.
Does the PEP have to open the target document in order to extract the metadata?
From: Hill, Richard C
Sent: Friday, March 13, 2015 3:12 PM
To: Hayes, Crystal L; firstname.lastname@example.org
Cc: Smith, Gregory L
Subject: RE: Question re: XACML PEP
In that demonstration the Boeing CIPHER tool searched and classified the document based on the information it contained (e.g. proprietary markings) and stored an XACML attribute in the properties of the document (e.g. “urn:oasis:names:tc:xacml:3.0:ipc:resource:proprietary” with a value of “true”). A PEP would need to extract that information from the document and send it in an XACML request to a PDP to render a decision based on an XACML policy. I know Nextlabs provides a PEP that can do this. Other XACML product companies may also provide PEPs with this capability too.
Can any of you please tell me, in our 2012 RSA demonstration of the XACML IP Profile, how the Policy Enforcement Point (PEP) was able to read resource metadata, to make an access control decision? Was the resource file actually being opened in order to read the metadata? How is the metadata visible to the PEP?
Thanks so much!
Crystal Hayes, CCEP
Boeing Intellectual Property Management
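The flow discussed above (a PIP that opens the document's properties, a PEP that puts the extracted attribute into an XACML 3.0 request, and a PDP that decides on it), as an added illustration that is not code from the thread, the Boeing demo, or any vendor product. The document store, the subject names and the single PDP rule are constructed for the example; only the attribute id urn:oasis:names:tc:xacml:3.0:ipc:resource:proprietary and the standard XACML category/attribute identifiers are real.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
PROPRIETARY = "urn:oasis:names:tc:xacml:3.0:ipc:resource:proprietary"  # IP profile attribute from the demo
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_BOOLEAN = "http://www.w3.org/2001/XMLSchema#boolean"

# Constructed stand-in for the document store: path -> properties the classification tool wrote into the file.
DOCUMENT_STORE = {"/share/design-notes.docx": {PROPRIETARY: "true"},
                  "/share/press-release.docx": {}}

def pip_resource_attributes(path):
    # PIP: the privileged step that opens the document and lifts the XACML attributes out of its properties.
    props = DOCUMENT_STORE[path]
    attrs = [("urn:oasis:names:tc:xacml:1.0:resource:resource-id", path, XS_STRING)]
    if PROPRIETARY in props:
        attrs.append((PROPRIETARY, props[PROPRIETARY], XS_BOOLEAN))
    return attrs

def _attributes(parent, category, attrs):
    block = ET.SubElement(parent, f"{{{NS}}}Attributes", Category=category)
    for attr_id, value, datatype in attrs:
        a = ET.SubElement(block, f"{{{NS}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
        ET.SubElement(a, f"{{{NS}}}AttributeValue", DataType=datatype).text = value

def pep_build_request(subject_id, action_id, path):
    # PEP: builds the XACML 3.0 request; resource attributes come from the PIP, so the PEP never parses the file.
    req = ET.Element(f"{{{NS}}}Request", CombinedDecision="false", ReturnPolicyIdList="false")
    _attributes(req, CAT_SUBJECT, [(SUBJECT_ID, subject_id, XS_STRING)])
    _attributes(req, CAT_ACTION, [("urn:oasis:names:tc:xacml:1.0:action:action-id", action_id, XS_STRING)])
    _attributes(req, CAT_RESOURCE, pip_resource_attributes(path))
    return ET.tostring(req, encoding="unicode")

def _attr_values(root, category, attr_id):
    path = f"{{{NS}}}Attributes[@Category='{category}']/{{{NS}}}Attribute[@AttributeId='{attr_id}']/{{{NS}}}AttributeValue"
    return [v.text for v in root.findall(path)]

def pdp_decide(request_xml, proprietary_readers):
    # Toy PDP with one constructed rule: proprietary documents may be accessed only by listed readers.
    root = ET.fromstring(request_xml)
    proprietary = "true" in _attr_values(root, CAT_RESOURCE, PROPRIETARY)
    subjects = _attr_values(root, CAT_SUBJECT, SUBJECT_ID)
    if proprietary and not any(s in proprietary_readers for s in subjects):
        return "Deny"
    return "Permit"
```

A document that carries no proprietary marking yields no such attribute in the request, and the PDP treats its absence as "not proprietary" rather than as an error.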