Hi David, Martin, et al,

I was thinking more in terms of a policy exchange format, as opposed to an alternative user-interfacing form. For example, we have started some policy exchange efforts in the past, however, I think they have been moth-balled:

https://www.oasis-open.org/committees/download.php/9582/access_control-xacml-3_0-distribution-rquirements-wd-01.pdf

ref'd on home page under topic: "The following work items are not currently under active development or discussion, but have not officially been withdrawn."

I think the general use case is where one might have a large central policy repository, possibly within one giant XACML PolicySet, and that segments of that central policy need to be distributed to locations that require only that segment. The endpoint may not need to change the form back to XML.

For example, an external json Request may come in to a local endpoint, and the local software might contain a mini-pdp aimed at validating the json request against a json policy.

I'm not pushing for an effort on this, at this point, just wondering what the feasibility of such a use case might be.

Thanks,
Rich

On 10/26/2018 11:49 AM, Martin Smith wrote:

David, all-- I definitely agree that it would be great to have a more "user-friendly" policy language. I think a common language would be better than relying on different tool makers to make the XML grammar user-friendly in their own separate ways. And by "better" I mean better for vendors as well as users, since a more approachable policy language would increase general interest and uptake of the XACML approach to ABAC.

However, I'd further suggest that the ideal policy language would not be aimed at programmers, but at policy analysts. So although ALFA is a big improvement over XML, it's still aimed at IT people and not policy people, and one of the obstacles to ABAC adoption (IMHO) is that it keeps being treated as "an IT thing."

Martin

Hi Rich, all,

This is a recurring question. It's been asked on Stackoverflow. If you remember, there was a lab in Ireland that had worked on a JSON format. Bernard Butler wrote on this mailing list about it. See here. In the Stackoverflow question I linked to above, Cyril Dangerville mentions that they used a direct XML-to-JSON mapping to achieve XACML policies in JSON:

there are well-known conventions to convert XML to JSON (with limitations), mostly used by REST API frameworks. So if you know the XML format, the convention tells you the JSON format. For example, Apache CXF used to support two conventions: Badgerfish and the mapped convention. Badgerfish is no longer maintained in CXF therefore the mapped convention is preferred now.

The mapped convention is what AuthzForce Server - another ABAC/XACML implementation - uses for the RESTful PAP (Policy Administration Point) API, so that you can manage XACML policies in either XML (standard XACML) or JSON format. We used the JSON format for JavaScript-based apps (e.g. web user interface) in particular.

That being said, I do not see the value of expressing policies in pure JSON. The storage / serialization format is irrelevant. What matters is providing an easy means to write policy-based access control. That could either be via a UI (vendor/implementation-specific such as Axiomatics Policy Server) or via a lightweight syntax that is easy to read and write. This is why I think we should focus our attention on ALFA instead. It looks more like a programming language than JSON does (JSON being declarative). The ALFA Profile is here. Also, we've put a lot of effort into samples on Wikipedia.

Our customers all use ALFA and we are aware of other third parties using ALFA on their own e.g. the Open Justice Broker Consortium and even WSO2.

Also, while we're at it, shouldn't we consider streamlining the policy language e.g.:
- have conditions anywhere, not just rules
- get rid of targets and only have conditions
- do away with PolicySet > Policy > Rule and provide a simple Policy element whereby a Policy either contains a decision or a set of children
- many more things...

Thoughts?

To TC:

Have we had any discussion on converting the whole XACML Policy spec to JSON? Currently, only the request and response are documented in json form?

Have there been any requests for this capability?

Thanks,
Rich

--
David Brossard
VP of Customer Relations
+1 312 774-9163
+1 502 922 6538

--
Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 506-0159
703 389-3224 mobile
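
The Badgerfish convention named in the thread, applied to a XACML policy, as an added example that is not code from any message above or from CXF or AuthzForce. The sample policy is constructed, the function names are hypothetical, and namespace handling is simplified (`@xmlns` is written once, on the element that introduces the namespace).

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the thread); identifiers are XACML 3.0 core.
SAMPLE_POLICY = """
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="example:policy:1" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Description>Constructed sample policy</Description>
  <Target/>
  <Rule RuleId="permit-read" Effect="Permit"/>
  <Rule RuleId="deny-all" Effect="Deny"/>
</Policy>
"""

def _split(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return None, tag

def _convert(elem, parent_ns=None):
    ns, _ = _split(elem.tag)
    node = {}
    if ns and ns != parent_ns:
        node["@xmlns"] = {"$": ns}              # default namespace (simplified)
    for name, value in elem.attrib.items():
        node["@" + _split(name)[1]] = value     # attributes get an '@' prefix
    text = (elem.text or "").strip()
    if text:
        node["$"] = text                        # text content goes under '$'
    for child in elem:
        key, value = _split(child.tag)[1], _convert(child, ns)
        if key not in node:
            node[key] = value                   # first occurrence: plain object
        elif isinstance(node[key], list):
            node[key].append(value)
        else:
            node[key] = [node[key], value]      # repeated sibling: becomes an array
    return node

def badgerfish(xml_text):
    """Return the Badgerfish-style dict for an XML document held in a string."""
    # For policy XML from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    return {_split(root.tag)[1]: _convert(root)}

if __name__ == "__main__":
    print(json.dumps(badgerfish(SAMPLE_POLICY), indent=2))
```

A policy with one `Rule` serializes `Rule` as an object and a policy with several serializes it as an array, so a consumer of the JSON form has to accept both shapes or it can skip rules when evaluating.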