
Subject: Re: [xacml] Suggested discussion topic -- what are common practices in how access-control attributes are bound to resources?

David--thanks. So at first glance it didn't seem like there was any resource metadata (attribute) binding in the scenario you describe. But on second thought I guess you could say that the database with the recordID->AssignedPhysician link was that binding (and the AssignedPhysician data is the resource attribute). Interesting.

It does seem like the binding mechanism and therefore the metadata-finding method may vary widely by resource data type (structured DB, document, message, etc.) as well as other things. I was (am) hoping to find enough commonality in these approaches to support generalization or even guidance/recommendations. 

I should also say that the present question came up as a result of trying to think through how one might implement the idea of default-deny-if-no-policy-reference we discussed last meeting. Also, both these questions are from the perspective of how ABAC/PBAC might be applied in a multi-organizational (federated) environment where standard approaches are important for interoperability.



On Wed, Nov 11, 2015 at 4:09 PM, David Brossard <david.brossard@axiomatics.com> wrote:
Hi Martin,

In Axiomatics deployments, attributes (metadata) largely come from databases. The PDP uses PIPs to retrieve those attributes via SQL calls. For instance:

  • Policy: doctors can view a medical record if the record's assigned physician == the requestor id.
  • Attributes used
    • requestor id - provided by the PEP
    • medical record id - provided by the PEP
    • action id - provided by the PEP
    • medical record assigned physician - retrieved from the record database using SELECT assignedPhysician FROM records WHERE recordId = ?
That is one of the most common ways.

Another option - specific to Windows Server 2012 - is to have the attribute metadata directly assigned to the documents (files / folders) as classification information. MS Windows allows for that. There's a video here that explains how that works.

Hope this helps,

On Wed, Nov 11, 2015 at 9:52 PM, Martin Smith <bfc.mclean@gmail.com> wrote:
My question is: in current practice today with current deployed products, how are resource metadata bound to resources (documents, etc.)? Interested in access-control related resource attributes of course (vs. search, etc. metadata). Also, how do PDPs (or PIPs) find these attributes?



Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102

David Brossard
VP of Customer Relations
+46(0)760 25 85 75
+1 502 922 6538
Axiomatics AB

Västmannagatan 4
S-111 24 Stockholm, Sweden
Axiomatics for developers: http://developers.axiomatics.com

Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 506-0159
703 389-3224 mobile
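The following is an added example, not code from either participant or from Axiomatics, illustrating the two mechanisms discussed in the thread: a PIP that resolves the record's assigned physician from a database with the parameterised SELECT David quotes, and the default-deny-if-no-policy-reference behaviour Martin mentions, implemented here as XACML 3.0's deny-unless-permit combining. The table layout, attribute names (subject-id, role, record-id, action-id), the sample rows and the tiny in-memory PDP are all assumptions made for the example.

```python
import sqlite3

# Constructed sample rows standing in for the record database in the thread
# (record id -> assigned physician). Not real data.
SAMPLE_RECORDS = [("rec-1", "dr-alice"), ("rec-2", "dr-bob")]


def make_record_db():
    """In-memory SQLite table shaped like the 'records' table in the quoted SELECT."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (recordId TEXT PRIMARY KEY, assignedPhysician TEXT)"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?)", SAMPLE_RECORDS)
    return conn


class RecordPIP:
    """Policy Information Point: resolves resource attributes the PEP did not send.

    The attribute binding is the recordId -> assignedPhysician row. The query is
    parameterised so a requestor-chosen record id never lands in the SQL text.
    """

    def __init__(self, conn):
        self.conn = conn

    def assigned_physician(self, record_id):
        row = self.conn.execute(
            "SELECT assignedPhysician FROM records WHERE recordId = ?", (record_id,)
        ).fetchone()
        return row[0] if row else None  # None -> attribute missing


def doctor_view_rule(req, pip):
    """Rule: doctors may view a record if its assigned physician is the requestor.

    Returns an XACML-style rule decision: Permit, NotApplicable (target or
    condition not met) or Indeterminate (a needed attribute could not be found).
    """
    subject, resource, action = req["subject"], req["resource"], req["action"]
    # Target: only 'view' requests on medical records made by doctors
    if (action.get("action-id") != "view"
            or resource.get("resource-type") != "medical-record"
            or subject.get("role") != "doctor"):
        return "NotApplicable"
    physician = pip.assigned_physician(resource.get("record-id"))
    if physician is None:
        return "Indeterminate"  # MissingAttribute: condition cannot be evaluated
    return "Permit" if physician == subject.get("subject-id") else "NotApplicable"


def deny_unless_permit(decisions):
    """XACML 3.0 deny-unless-permit combining: anything short of Permit is Deny.

    This is what turns "no rule applies" (and "attribute missing") into a
    default deny instead of handing NotApplicable back to the PEP.
    """
    return "Permit" if "Permit" in decisions else "Deny"


class PDP:
    """Policy Decision Point: evaluates every rule, then combines the results."""

    def __init__(self, rules, pip):
        self.rules, self.pip = rules, pip

    def decide(self, req):
        return deny_unless_permit([rule(req, self.pip) for rule in self.rules])


def build_request(subject_id, role, record_id, action_id):
    """Build the request as a PEP would: it knows who, which record and which action."""
    return {
        "subject": {"subject-id": subject_id, "role": role},
        "resource": {"resource-type": "medical-record", "record-id": record_id},
        "action": {"action-id": action_id},
    }


def demo():
    pdp = PDP([doctor_view_rule], RecordPIP(make_record_db()))
    return {
        "own_record": pdp.decide(build_request("dr-alice", "doctor", "rec-1", "view")),
        "other_record": pdp.decide(build_request("dr-bob", "doctor", "rec-1", "view")),
        "unknown_record": pdp.decide(build_request("dr-alice", "doctor", "rec-404", "view")),
        "no_rule_for_action": pdp.decide(build_request("dr-alice", "doctor", "rec-1", "delete")),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The rule itself still reports NotApplicable and Indeterminate honestly; the default-deny posture lives in the combining step, so it can be swapped for a permissive algorithm in a deployment that prefers the PEP to decide what NotApplicable means. Note that a missing record (no row for the id) is treated as a missing attribute and therefore denied, which is the safe choice when the PIP lookup is the only binding between the record and its physician.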
