Subject: Re: [xacml] json policy profile?

Hi David, Martin, et al,

I was thinking more in terms of a policy exchange format, as opposed to an alternative
user-interfacing form. For example, we have started some policy exchange efforts
in the past, however, I think they have been moth-balled:
ref'd on home page under topic: "The following work items are not currently under active development or discussion,
but have not officially been withdrawn."

I think the general use case is where one might have a large central policy repository,
possibly within one giant XACML PolicySet, and that segments of that central policy
need to be distributed to locations that require only that segment. The endpoint may
not need to change the form back to XML.

For example, an external json Request may come in to a local endpoint, and the local
software might contain a mini-pdp aimed at validating the json request against
a json policy.

I'm not pushing for an effort on this, at this point, just wondering what the feasibility
of such a use case might be.


On 10/26/2018 11:49 AM, Martin Smith wrote:
David, all-- I definitely agree that it would be great to have a more "user-friendly" policy language. I think a common language would be better than relying on different tool makers to make the XML grammar user-friendly in their own separate ways. And by "better" I mean better for vendors as well as users, since a more approachable policy language would increase general interest and uptake of the XACML approach to ABAC.

However, I'd further suggest that the ideal policy language would not be aimed at programmers, but at policy analysts. So although ALFA is a big improvement over XML, it's still aimed at IT people and not policy people, and one of the obstacles to ABAC adoption (IMHO) is that it keeps being treated as "an IT thing."


On Fri, Oct 26, 2018 at 11:36 AM David Brossard <david.brossard@axiomatics.com> wrote:
Hi Rich, all,

This is a recurring question. It's been asked on Stackoverflow. If you remember, there was a lab in Ireland that had worked on a JSON format. Bernard Butler wrote on this mailing list about it. See here. In the Stackoverflow question I linked to above, Cyril Dangerville mentions that they used a direct XML-to-JSON mapping to achieve XACML policies in JSON:

there are well-known conventions to convert XML to JSON (with limitations), mostly used by REST API frameworks. So if you know the XML format, the convention tells you the JSON format. For example, Apache CXF used to support two conventions: Badgerfish and the mapped convention. Badgerfish is no longer maintained in CXF therefore the mapped convention is preferred now.
The mapped convention is what AuthzForce Server - another ABAC/XACML implementation - uses for the RESTful PAP (Policy Administration Point) API, so that you can manage XACML policies in either XML (standard XACML) or JSON format. We used the JSON format for JavaScript-based apps (e.g. web user interface) in particular.

That being said, I do not see the value of expressing policies in pure JSON. The storage / serialization format is irrelevant. What matters is providing an easy means to write policy-based access control. That could either be via a UI (vendor/implementation-specific such as Axiomatics Policy Server) or via a lightweight syntax that is easy to read and write. This is why I think we should focus our attention on ALFA instead. It looks more like a programming language than JSON does (JSON being declarative). The ALFA Profile is here. Also, we've put a lot of effort into samples on Wikipedia. Our customers all use ALFA and we are aware of other third parties using ALFA on their own e.g. the Open Justice Broker Consortium and even WSO2.

Also, while we're at it, shouldn't we consider streamlining the policy language e.g.:
  • have conditions anywhere, not just rules
  • get rid of targets and only have conditions
  • do away with PolicySet > Policy > Rule and provide a simple Policy element whereby a Policy either contains a decision or a set of children
  • many more things...

On Thu, Oct 25, 2018 at 10:59 AM rich levinson <rich.levinson@oracle.com> wrote:
To TC:

Have we had any discussion on converting the whole XACML Policy spec
to JSON? Currently, only the request and response are documented
in json form?

Have there been any requests for this capability?

   Thanks,
   Rich

David Brossard
VP of Customer Relations
+1 312 774-9163
+1 502 922 6538

Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 506-0159
703 389-3224 mobile
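
The Badgerfish convention mentioned in the quoted Stack Overflow answer, applied to a small XACML policy, as an added example that is not part of the original thread or of any project's code. The sample policy and the function names are constructed for illustration; namespace declarations are dropped rather than emitted as `@xmlns`, which is a simplification of the full convention.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: a minimal XACML 3.0 policy, not taken from the thread.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="urn:example:policy:docs" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Constructed sample policy</Description>
  <Target/>
  <Rule RuleId="urn:example:rule:permit-read" Effect="Permit"><Target/></Rule>
  <Rule RuleId="urn:example:rule:deny-write" Effect="Deny"><Target/></Rule>
</Policy>"""

def local(tag):
    # ElementTree expands names to '{namespace}local'; keep the local part.
    return tag.rsplit("}", 1)[-1]

def badgerfish(elem):
    """Badgerfish value for one element: '@attr' keys, '$' text, nested children."""
    out = {"@" + local(k): v for k, v in elem.attrib.items()}
    text = (elem.text or "").strip()
    if text:
        out["$"] = text
    for child in elem:
        name, value = local(child.tag), badgerfish(child)
        if name not in out:
            out[name] = value
        elif isinstance(out[name], list):
            out[name].append(value)
        else:
            out[name] = [out[name], value]  # repeated sibling becomes an array
    return out

def policy_to_json(xml_text):
    # Fine for this constructed sample; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    return {local(root.tag): badgerfish(root)}

def rule_effects(doc):
    """Map RuleId -> Effect, accepting both the object and the array shape."""
    rules = doc["Policy"].get("Rule", [])
    rules = rules if isinstance(rules, list) else [rules]
    return {r["@RuleId"]: r["@Effect"] for r in rules}

if __name__ == "__main__":
    doc = policy_to_json(POLICY_XML)
    print(json.dumps(doc, indent=2))
    print(rule_effects(doc))
```

A policy with one Rule yields an object and one with several yields an array, so a JSON consumer has to accept both shapes or it will miss rules.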
