

Subject: Re: [xacml] Groups - XACML v3.0 Dynamic Attribute Authority Version 1.0 uploaded



Hi Hal,

On 12/05/2021 12:43 am, Hal Lockhart wrote:
This looks very good (as usual).

1. The "No Denys" rule seems likely to cause simple errors and confusion. Is there any reason it can't simply be declared illegal and check every DAA Request before processing?

Given the goal to maximize the reuse of existing components (PDP, PAP, etc) as is, the only
place to enforce the specification is in the DAA processing in the context handler. I chose to
treat a Deny result from the DAA the same as NotApplicable in case someone else found a use
case for Deny in DA policies that I hadn't anticipated. I don't have a problem with having a
Deny result from the DAA cause the overall result to be Indeterminate instead.

My approach to implementation has been towards creating a streamlined, specialized PAP for the
DAA that just doesn't create policies that can evaluate to Deny, so how the context handler
deals with it is not significant to me. The Architectural Considerations section in the draft
is reserved for discussion of such things.


2. The complexity of this scheme suggests to me that good tooling will be essential. In addition to the usual "what if" and automated regression testing, it seems to me that it would be useful to model the abstract scheme that is being implemented.

That is what I am doing with the PAP implementation and will discuss in Architectural
Considerations.

For example, if you are mapping Subjects and/or Resources from various organizations to an Enterprise-wide Subject or Resource it would be desirable to be able to specify the data model of at least the Enterprise entities as well as the organization-specific ones and the mapping between them.

I wasn't specifically thinking about explicit PAP support for mappings and transformations but
I can add it to Architectural Considerations.

One can imagine a streamlined PAP for DA policies in general, but also further specializations
of that for role enablement or mapping/transformation.

Thanks for the review.

Regards,
Steven


I am not familiar with the ViewDs product features, but I offer this suggestion to any or all XACML providers.

Hal


On Fri, Apr 30, 2021 at 12:50 AM Steven Legg <steven.legg@viewds.com> wrote:

    /Submitter's message/
    I added some examples to show how the DAA is expected to work.
    There are no changes to the technical content.
    -- Dr. Steven Legg
    *Document Name*: XACML v3.0 Dynamic Attribute Authority Version 1.0 <https://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=68553>
    ----------------------------------------------------------------------
    *Description*
    This specification defines a new XACML system component, the Dynamic
    Attribute Authority, which augments the request context of an XACML
    authorization request with additional attributes and attribute values that
    are generated on demand according to a set of rules. The rules are
    expressed as XACML policies, use obligations to specify the additional
    attributes and values, and are processed in the normal manner of a Policy
    Decision Point. This means that a Dynamic Attribute Authority can be
    readily constructed from existing XACML system components.

    A primary use case for the Dynamic Attribute Authority is role enablement,
    where the dynamic attribute in question is the subject role.
    Download Latest Revision <https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/68553/latest/xacml-3.0-dyn-attr-v1.0-wd02.docx>
    Public Download Link <https://www.oasis-open.org/committees/document.php?document_id=68553&wg_abbrev=xacml>
    ----------------------------------------------------------------------
    *Submitter*: Dr. Steven Legg
    *Group*: OASIS eXtensible Access Control Markup Language (XACML) TC
    *Folder*: Specifications and Working Drafts
    *Date submitted*: 2021-04-29 21:50:16
    *Revision*: 1
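The description above reduces the Dynamic Attribute Authority to a set of XACML policies whose obligations add attributes to the request context before the main PDP runs, with role enablement as the primary use case. As an added illustration, not code from the draft or from ViewDS, the Python below models that pipeline: DA policies are evaluated the way a PDP evaluates any policy, the obligations of the applicable ones are folded into a copy of the request, and the augmented context is handed to the access policy. It also shows the two treatments of a Deny from the DAA discussed in the reply: ignored like NotApplicable, or turned into an overall Indeterminate. The urn:example attribute ids, the policy ids, the access policy and the sample requests are invented for this example; the urn:oasis identifiers are standard XACML ones.

```python
"""Toy model of an XACML Dynamic Attribute Authority (DAA) in front of a PDP.

Added illustration, not code from the DAA draft or any XACML product. A DA policy
is reduced to a predicate over the request context, an effect and the obligations
attached to its Permit. urn:example attribute ids are invented for this example.
"""
from copy import deepcopy
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple

SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
DEPARTMENT = "urn:example:department"        # hypothetical attribute id
RESOURCE_TYPE = "urn:example:resource-type"  # hypothetical attribute id

Context = Dict[str, Dict[str, Set[str]]]  # category -> attribute id -> values


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


@dataclass(frozen=True)
class AddAttribute:
    """Obligation of a DA policy: add one value of one attribute to the context."""
    category: str
    attribute_id: str
    value: str


@dataclass(frozen=True)
class DAPolicy:
    policy_id: str
    applies: Callable[[Context], bool]
    effect: Decision = Decision.PERMIT
    obligations: Tuple[AddAttribute, ...] = ()


def values(ctx: Context, category: str, attribute_id: str) -> Set[str]:
    return ctx.get(category, {}).get(attribute_id, set())


def evaluate(policy: DAPolicy, ctx: Context) -> Tuple[Decision, Tuple[AddAttribute, ...]]:
    """One DA policy, evaluated as a PDP would: NotApplicable when the target
    does not match, else the policy's effect, with obligations only on Permit."""
    if not policy.applies(ctx):
        return Decision.NOT_APPLICABLE, ()
    if policy.effect is Decision.PERMIT:
        return Decision.PERMIT, policy.obligations
    return policy.effect, ()


def run_daa(ctx: Context, policies: List[DAPolicy],
            deny_is_indeterminate: bool = False) -> Tuple[Optional[Context], Optional[Decision]]:
    """Context-handler step: fold the obligations of every applicable DA policy
    into a copy of the request (each DA policy sees the original request, a
    simplification). Returns (augmented, None), or (None, Indeterminate) when a
    Deny from the DAA is configured to abort the whole request."""
    augmented = deepcopy(ctx)
    for policy in policies:
        decision, obligations = evaluate(policy, ctx)
        if decision is Decision.DENY:
            if deny_is_indeterminate:
                return None, Decision.INDETERMINATE
            continue  # default: a Deny from the DAA is treated like NotApplicable
        for ob in obligations:
            augmented.setdefault(ob.category, {}).setdefault(ob.attribute_id, set()).add(ob.value)
    return augmented, None


def pdp_decide(ctx: Context) -> Decision:
    """Invented access policy: only the invoice-approver role may approve invoices."""
    if "invoice" in values(ctx, RESOURCE, RESOURCE_TYPE) and "approve" in values(ctx, ACTION, ACTION_ID):
        return Decision.PERMIT if "invoice-approver" in values(ctx, SUBJECT, ROLE) else Decision.DENY
    return Decision.NOT_APPLICABLE


def authorize(ctx: Context, da_policies: List[DAPolicy], deny_is_indeterminate: bool = False) -> Decision:
    augmented, early = run_daa(ctx, da_policies, deny_is_indeterminate)
    return early if early is not None else pdp_decide(augmented)


# Role enablement: finance staff acting on an invoice get the invoice-approver role.
ENABLE_APPROVER = DAPolicy(
    "da:enable-invoice-approver",
    lambda c: "finance" in values(c, SUBJECT, DEPARTMENT) and "invoice" in values(c, RESOURCE, RESOURCE_TYPE),
    obligations=(AddAttribute(SUBJECT, ROLE, "invoice-approver"),),
)
# A DA policy that can evaluate to Deny, the kind a specialised DA PAP would refuse to create.
DENY_MALLORY = DAPolicy("da:deny-mallory", lambda c: "mallory" in values(c, SUBJECT, SUBJECT_ID),
                        effect=Decision.DENY)


def request(user: str, department: str, resource_type: str, action: str) -> Context:
    """Constructed sample request context."""
    return {SUBJECT: {SUBJECT_ID: {user}, DEPARTMENT: {department}},
            RESOURCE: {RESOURCE_TYPE: {resource_type}}, ACTION: {ACTION_ID: {action}}}


if __name__ == "__main__":
    print(authorize(request("alice", "finance", "invoice", "approve"), [ENABLE_APPROVER]).value)  # Permit
    mallory = request("mallory", "finance", "invoice", "approve")
    print(authorize(mallory, [ENABLE_APPROVER, DENY_MALLORY]).value)        # Permit: the Deny is ignored
    print(authorize(mallory, [ENABLE_APPROVER, DENY_MALLORY], True).value)  # Indeterminate
```

Two simplifications are worth keeping in mind when reading it against the draft: every DA policy here is evaluated against the original request rather than a progressively enriched one, so DA policies cannot chain, and the obligation is a bare (category, attribute, value) triple rather than a real XACML Obligation with AttributeAssignments. The `deny_is_indeterminate` switch is the point the reply leaves open; a PAP that never emits Deny-capable DA policies makes the switch irrelevant, which is the streamlined-PAP approach described.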



