OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Break the Glass - was: [xacml] Minutes for 27 April 2017 TC Meeting

On 28/04/2017 6:56 AM, rich levinson wrote:

  Break the Glass (for ref):
    Bill:
     A draft document was posted by David Chadwick on the XACML email list:
      https://lists.oasis-open.org/archives/xacml/201102/doc00000.doc

     martin: seems like could be supported w core xacml
     rich: basically agrees,
      but there are other perspectives that need to be considered.


In one of the implementation options the document offers there are requirements
placed on the context handler that are outside core XACML. However I think the
proposal is more complicated than it needs to be. Rather than deny access and
provide an obligation (really it's advice) that tells the PEP that the user is
allowed to break the glass and try again, I would provide a Permit result and an
obligation that says that access is permitted only if (because it's an obligation)
the user elects to break the glass. If the PEP doesn't understand then the result
becomes Deny. If the PEP understands but is unable or unwilling to proceed with the
glass breaking the result still becomes Deny. If the PEP follows through with
obtaining user consent and the user agrees then access is permitted without any
follow up requests to the PDP. If the user isn't permitted to break the
glass to get access then the result wouldn't be Permit in the first place. The
preceding doesn't require any special support from the context handler, PDP or PAP.

If the obligation identifies which "pane" of glass needs to be broken then any
subsequent authorization requests requiring the same pane to be broken can
proceed without delay because the PEP and user already broke that pane. It is
left to the PEP to decide when to "fix" the pane, as appropriate to the context,
without bothering the PDP with a ResetBreakTheGlass action or the need to keep
state.

Whether going with a deny solution or permit solution, the most challenging part
is designing the policies such that, respectively, the Deny obligation isn't
returned when the user isn't allowed to break the glass, or the Permit obligation
isn't returned when the user has access anyway without breaking the glass.

Regards,
Steven

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]