Subject: Re: [xacml] Default behavior for unrecognized resource attributes?
Lack of a rule that references a resource attribute strongly suggests that the resource owner who attached that attribute expected a different rule set to be protecting the resource.
Martin S -- Sent from my iPhone

On Sep 24, 2015, at 12:01 PM, David Brossard <firstname.lastname@example.org> wrote:

If an "unrecognized attribute" is an attribute not in use by a policy / rule in the policy set, then the attribute serves no purpose and will have no impact. This is true of any category of attributes. Therefore there is no need to cause the PDP to reply with a DENY.

To the best of my knowledge the XACML 3.0 standard doesn't mention how a request with extra attributes should be handled. The standard doesn't delve into PIP behavior either.

Cheers,
David.

On Thu, Sep 24, 2015 at 5:51 PM, Martin Smith <email@example.com> wrote:

As a result of thinking about the DSD question, it occurred to me to wonder if there is anything in normative or non-normative XACML pubs that says that an unrecognized resource attribute must result in a DENY decision.

Let's say that "unrecognized" means that there is no rule in the set being used by the PDP that references the attribute.

It seems to me that this should be a requirement, as the purpose of resource attributes is to specify (via the applied rule set) what subject attributes are required for access to the resource. If there's no rule that references the resource attribute then there is a definite possibility that the subject does not have all the attributes intended to be required by whatever policy led to the inclusion of the unrecognized resource attribute in the protected resource's metadata.

The same does not apply to unrecognized subject attributes, which can be ignored as they are simply "extra" from the perspective of the PDP (and are presumably provisioned for access to other resources not protected by the current PDP/PEP.)

Martin

--
Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 506-0159
703 389-3224 mobile

--
David Brossard
VP of Customer Relations
+46(0)760 25 85 75
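
The two behaviours discussed in this thread, side by side, as an added illustration (not code from either participant, and a simplified model rather than a conformant XACML engine). The rule structure, attribute names and the `strict_resource` switch are all assumptions made for the example.

```python
# Simplified model: a rule is a set of attribute conditions plus an effect;
# a request maps (category, attribute_id) to a value. All names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str        # "Permit" or "Deny"
    conditions: dict   # {(category, attribute_id): required value}

def referenced_attributes(rules):
    """Every (category, attribute_id) that any rule in the set references."""
    return {key for rule in rules for key in rule.conditions}

def unrecognized(rules, request, category="resource"):
    """Request attributes in `category` that no rule references."""
    known = referenced_attributes(rules)
    return sorted(k for k in request if k[0] == category and k not in known)

def evaluate(rules, request, strict_resource=False):
    """First-applicable evaluation over the simplified rule set.

    strict_resource=False: extra attributes have no impact on the decision.
    strict_resource=True: an unreferenced resource attribute yields Deny,
    while unreferenced subject attributes are still ignored.
    """
    if strict_resource and unrecognized(rules, request):
        return "Deny"
    for rule in rules:
        if all(request.get(k) == v for k, v in rule.conditions.items()):
            return rule.effect
    return "NotApplicable"

# Constructed sample policy and request.
RULES = [Rule("Permit", {("subject", "role"): "analyst",
                         ("resource", "type"): "report"})]
REQUEST = {
    ("subject", "role"): "analyst",
    ("subject", "badge-color"): "blue",            # extra subject attribute
    ("resource", "type"): "report",
    ("resource", "handling-caveat"): "project-x",  # no rule references this
}

if __name__ == "__main__":
    print(evaluate(RULES, REQUEST))                        # extras ignored
    print(evaluate(RULES, REQUEST, strict_resource=True))  # fail closed
    print(unrecognized(RULES, REQUEST))                    # what triggered it
```

Logging the output of `unrecognized()` even when the strict check is off gives the resource owner a way to notice that a tagged resource is being evaluated by a rule set that never looks at the tag.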