Subject: Re: [xacml] Default behavior for unrecognized resource attributes?
I am not sure I understand your proposal at all. In XACML there is no way to make any decision except by evaluating policy as defined in the specification. There is no such thing as an unknown tag (I think you mean attribute value not referenced by any policy).
In a typical environment there will be many reasons why Resources (and Subjects and Actions and Environment) have attributes which are not used by any policy. They may be irrelevant to access control or they may be used in a different policy domain and not this one. In practice it is not possible to keep perfect synchronization between the attributes provided for a decision and the attributes referenced by applicable policy. Maybe the value is referenced when a different user requests access, or at a different time of day, etc.
In OpenAz we spent a lot of time on what to do in the opposite case, i.e. when you need an attribute value you don’t have. We came up with two solutions, mappers and the AMF – both imperfect but useful. But we did not even consider your case as a problem. IMO having data you don’t need is not a problem. (Unless it causes latency problems.)
Consider your case. First, XACML can’t say “secret or higher”. This use case has been discussed many times, but the philosophy of XACML is that there is no semantic model (that the policy knows about) so you have to say “secret or top secret” or something of that sort.
If you say it must be secret then if it is any unknown value it will evaluate to false. If you say it cannot be secret, then all the “unknown” values will evaluate to true. If you want you can enumerate every possible value or you can only consider the ones that give access.
Philosophically XACML intends to make use of information which is already present in the organization somewhere. I realize that in practice organizations are only starting to make use of Resource attributes, but this is a conversion problem, not a steady state one. IMO one reason older AC models have failed is that they require somebody (security admin) to keep up to date information which he or she neither uses nor has authoritative knowledge of. I think the right way to do it is as much as possible to use information that the organization is already depending on. Instead of creating artificial things like Roles, we can access the attributes like organization and job title to depend directly on the information which would be used to determine the User’s Role. This principle is so well established that in Common Law it is recognized as an exception to the hearsay rule. While you generally cannot prove anything with a document alone, the court will consider “Business Records” which are actually depended on by the organization to be valid evidence.
Returning to your proposal, are you saying that a value is unknown if a) no reference to the attribute or b) no reference to that particular value? Do you mean c) no reference in the currently applicable policies or d) no reference in any policy even if those policies may never be applicable or e) no reference in any active policy held by any PDP?
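As an added illustration (not part of the original thread, and not a real PDP), a small Python model of the two policy styles discussed in the reply: an enumerated “secret or top secret” rule and a “cannot be secret” rule, each combined with deny-unless-permit and run against a known value, an unknown value, and an absent attribute. The attribute id is an assumed placeholder; the request is modelled as a dict of attribute id to bag of values.

```python
from typing import Callable, Dict, List, Tuple

# Constructed miniature of XACML rule evaluation: a request is a dict of
# attribute-id -> bag (list) of string values, a rule is an effect plus a
# condition over the request, and rules are combined with deny-unless-permit.
# This only models Permit/Deny outcomes; it is not a real PDP.

CLASSIFICATION = "urn:example:resource:classification"  # assumed attribute id

Request = Dict[str, List[str]]
Rule = Tuple[str, Callable[[Request], bool]]


def string_is_in(value: str, bag: List[str]) -> bool:
    """XACML string-is-in: true when value occurs in the bag; false for an empty bag."""
    return value in bag


def allow_list_rules() -> List[Rule]:
    """'secret or top secret': only the enumerated values can grant access."""
    def permitted(r: Request) -> bool:
        bag = r.get(CLASSIFICATION, [])  # absent attribute -> empty bag
        return string_is_in("secret", bag) or string_is_in("top secret", bag)
    return [("Permit", permitted)]


def deny_list_rules() -> List[Rule]:
    """'cannot be secret': every value that is not 'secret' grants access,
    including values no policy author ever anticipated and the empty bag."""
    def permitted(r: Request) -> bool:
        return not string_is_in("secret", r.get(CLASSIFICATION, []))
    return [("Permit", permitted)]


def deny_unless_permit(rules: List[Rule], request: Request) -> str:
    """deny-unless-permit: Permit if any rule evaluates to Permit, otherwise Deny."""
    for effect, condition in rules:
        if effect == "Permit" and condition(request):
            return "Permit"
    return "Deny"


def decide(style: str, classification: List[str]) -> str:
    """Evaluate one request under the chosen policy style ('allow-list' or 'deny-list')."""
    rules = allow_list_rules() if style == "allow-list" else deny_list_rules()
    request: Request = {CLASSIFICATION: classification} if classification else {}
    return deny_unless_permit(rules, request)


if __name__ == "__main__":
    for bag in (["secret"], ["top secret"], ["restricted"], []):
        print(bag, "allow-list:", decide("allow-list", bag), "deny-list:", decide("deny-list", bag))
```

The unknown value “restricted” and the absent attribute are denied by the enumerated rule but permitted by the negated one, which is why enumerating the values that grant access is the safer way to cope with attributes the policy never anticipated.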