

Subject: Re: [xacml] Re: [xacml-users] Reply: [xacml-users] NIST releases a new publication on ABAC comparing XACML and NGAC


David--I can confirm this research has been going on for quite a while at NIST.  

I haven't thoroughly reviewed the draft (it seems hard reading to me for some reason...) but I was struck by one point in the discussion of "Before the fact audit" in Sec 5.5, which concludes that:

    "Rule-based mechanisms, such as XACML, although able to combine policies, cannot do either [per-user or per-object before-the-fact audit] efficiently [7]. This is because determining an authorization for a subject to perform an action on a resource can only be determined by issuing a request. In other words, there exists no method of determining the authorization state without testing all possible decision outcomes"

Actually, it seems that making a widget to perform per-object audits ought to be possible (and I haven't thought about per-user audits but I'll venture that's straightforward, too.)  To see what users could potentially access an object, it would only be necessary to collect the access tags on the object, then collect all XACML rules (on the PDP protecting the resource) that referenced those tags, and collect all the user attrib/values referenced by those rules. Assuming you had access to a user's collection of access attributes, that should let you determine PERMIT/DENY for that user. And if you had access to a directory-full of users and their attribs, you could identify all users in that set that could access that object. (And you could advertise the availability of the resource to them!) 

Martin



On Sun, Dec 6, 2015 at 9:45 PM, David Brossard <david.brossard@axiomatics.com> wrote:

Unfortunately I have not been able to find resources on NGAC. My understanding is that it's research that's been ongoing for the past 10 years at NIST.

Regarding encoding, there seems to be this misconception that XACML is XML. That is simply not true. XACML is a standard for access control based on policies and attributes. The encoding that is put forward by the XACML technical committee is indeed XML and the standard does use a schema as a formal means to express the standard. But that is the extent to which XML is used. XACML can be used for any type of access control and doesn't require XML knowledge or XML-based systems.

As a matter of fact, in the past two years, the standard has been focusing on developer-friendly and lightweight interfaces such as a REST interface for the PDP (work led by Remon Sinnema of EMC) and JSON encoding of a XACML request / response (work led by Axiomatics). It makes XACML 84% smaller. See these slides (http://www.slideshare.net/DavidBrossard/new-school-identity-protocols-fight-for-your-love-final) from the Gartner Catalyst 2013 conference.

Cheers,
David.



--
Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 506-0159
703 389-3224 mobile
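The per-object audit Martin sketches above (collect the object's tags, select the rules that reference them, gather the user attributes those rules need, then evaluate each directory user) as an added example; this is not code from the thread or from any XACML implementation, and the rules, object tags and user directory are constructed sample data with rules reduced to equality matches and a deny-overrides combining algorithm.

```python
# Per-object "before-the-fact" audit over a simplified XACML-style rule set.
# Added example, not code from the thread; the rules, object tags and user
# directory are constructed sample data, and rules use plain equality matches.
from dataclasses import dataclass

@dataclass
class Rule:
    rule_id: str
    effect: str          # "Permit" or "Deny"
    object_match: dict   # object attribute -> required value ({} = any object)
    user_match: dict     # user attribute -> required value

def rules_for_object(rules, obj_attrs):
    # Steps 1-2: keep the rules whose object target the object's tags satisfy.
    return [r for r in rules
            if all(obj_attrs.get(k) == v for k, v in r.object_match.items())]

def referenced_user_attributes(rules):
    # Step 3: the user attributes those rules mention, i.e. what the audit must fetch.
    return sorted({k for r in rules for k in r.user_match})

def decide(applicable, user_attrs):
    # Deny-overrides combining: any matching Deny wins, else Permit, else NotApplicable.
    decision = "NotApplicable"
    for r in applicable:
        if all(user_attrs.get(k) == v for k, v in r.user_match.items()):
            if r.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision

def audit_object(rules, obj_attrs, directory):
    # Step 4: every directory user who would receive Permit for this object.
    applicable = rules_for_object(rules, obj_attrs)
    return sorted(uid for uid, attrs in directory.items()
                  if decide(applicable, attrs) == "Permit")

# Constructed sample data (not from the thread).
RULES = [
    Rule("eng-internal", "Permit", {"classification": "internal"}, {"department": "eng"}),
    Rule("public-docs", "Permit", {"classification": "public"}, {"role": "employee"}),
    Rule("revoked-user", "Deny", {}, {"clearance": "revoked"}),  # matches every object
]
DIRECTORY = {
    "alice": {"department": "eng", "role": "employee", "clearance": "active"},
    "bob":   {"department": "sales", "role": "employee", "clearance": "active"},
    "carol": {"department": "eng", "role": "employee", "clearance": "revoked"},
}
INTERNAL_DOC = {"classification": "internal", "owner": "eng"}
```

Against a real PDP the rule selection would have to follow conditions richer than equality (functions over attribute bags, policy sets, obligations), and users who come out NotApplicable or Indeterminate should be reported separately, since how the PEP treats those results decides whether they can actually reach the object.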

