OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only

[xacml] Boolean Policy resolution

  • 1.  [xacml] Boolean Policy resolution

    Posted 01-29-2002 16:48
    Colleagues, Attached is the write-up of the Boolean Policy proposal (plain text) that I presented at the Face-to-Face. This version includes all the comments and modifications made during the review and discussion. Open issues that were not agreed on are in [...]. This was discussed prior to Simon's alternative proposal, so does not include additional modifications that may be required by that. Anne -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692 Predicate: an expression that evaluates to TRUE, FALSE, NOT-APPLICABLE, or ERROR. Relational expresssions, Combinator expressions, <xacml:policy> elements, <xacml:applicablePolicyReference> elements, and <xacml:applicablePolicy> elements are all Predicates. Relational expression: a Relational expression is a Predicate that compares a value relevant to the Access Request with another value relevant to the Access Request or with a literal value. A Relational expression never evaluates to NOT-APPLICABLE. A Relational expression evaluates to ERROR if the expression can not be evaluated for any reason, such as inability to access a value in the predicate. Combinator: an operator that can be used to combine Predicates. Combinator expression: A Combinator expression is the operator and the Predicates to which it applies. A Combinator expression is itself a Predicate. A Combinator expression evaluates to ERROR if any of the Predicates to which it applies and which are evaluated as part of producing a result evaluates to ERROR. A Combinator expression evaluates to NOT-APPLICABLE if all of its component Predicates evaluate to NOT-APPLICABLE. A Combinator expression in which some, but not all of the Predicates to which it applies evaluates to NOT-APPLICABLE is evaluated as if the NOT-APPLICABLE Predicates were removed from the Combinator expression. An empty Combinator expression evaluates to [NOT-APPLICABLE]. The xacml-defined Combinators are AND, OR, NOT, N-OF, ORDERED-AND, ORDERED-OR, and ORDERED-N-OF. AND, OR, NOT, and N-OF Combinators are implemented such that the order of evaluation is not specified, and such that only a sufficient set of predicates to determine a result are evaluated. ORDERED-* Combinators require that the Predicates to which they apply be evaluated in order until a result is obtained. N-OF(*) means at least N of the Predicates to which it applies must be TRUE. E.g. <N-OF n=3> P1 P2 P3 P4 </N-OF> It is an error for an <N-OF> Combinator expression to have an n= attribute value that is greater than the number of predicates to which the combinator applies. n=1 is equivalent to OR. [n=0 is ...]. The set of Combinators may be extended by [specifying a name for the new Combinator, a URI that is associated with the semantics of the new Combinator, and a type that specifies the way the URI is to be interpreted. Not all XACML PDPs will be able to interpret all extensions, but any PDP that can handle the specified type and can access the specified URI can handle the specified extended Combinator.] An example of a possible extended Combinator is BEST-MATCH-OR. [The type for such an extended Combinator might be JavaClass . The URI for each might point to a Java class that takes a set of Predicates as input and implements the semantics of the combinator to return a result of TRUE, FALSE, NOT-APPLICABLE, or ERROR.] Policy: an <xacml:policy> element. A Policy is a Predicate. Base Policy: the <xacml:applicablePolicy> element that specifies the <xacml:policy> element that a PDP will use [by default] to evaluate all Access Requests. [Alternative 1: A PDP MAY have multiple Base Policies, but such Base Policies SHOULD have non-overlapping <xacml:target> elements. This specification does not specify the order in which multiple Base Policies are evaluated, or the result if two or more Base Policies have overlapping <xacml:target> elements. Alternative 2: Base Policies have restricted <target> elements that are easily compared for overlap. In this alternative, the case where base policies overlap is an ERROR. Note that the 0.8 syntax favors this alternative and allows Alternative 3. Alternative 3: There is only one Base Policy and it has no <target> because applies to all Resource or it has a <target> element that completely specifies the set of resources which this PDP is prepared to handle.] [A Base Policy for evaluating a particular Access Request may be specified as part of the Access Request. If a PDP has no default Base Policy, then the result of evaluating an Access Request that does not specify a Base Policy to use is FALSE (deny access).] <applicablePolicyReference>: an XACML Predicate element that references an <xacml:applicablePolicy>. [Redundant: A <xacml:applicablePolicyReference> Predicate returns a value of NOT-APPLICABLE if its <xacml:target> element does not match the [<saml:resource>] in the Access Request.] [The syntax for a <applicablePolicyReference> will need to be defined further, probably by specifying the Policy Authority for the <applicablePolicyReference> along with other information. Need to avoid cycles.] Aggregate Policy: the collection of policies consisting of a Base Policy along with the closure of the tree of any <xacml:applicablePolicyReference> elements to which the Base Policy may refer. If a Base Policy does not refer to any <xacml:applicablePolicyReference> elements, then the Aggregate Policy is equivalent to the Base Policy. Example 1: a self-contained Aggregate Policy <?xml version= 1.0 encoding= UTF-8 ?> <applicablePolicy xmlns=... issuer= <identity that ultimately controls policy for this PDP> policyName= xxxx > <!-- target is optional --> <policy> <or> <equal> <valueRef>saml:Subject/principalIdentifier/Name</valueRef> <value> Anne Anderson </value> </equal> <equal> <valueRef>saml:Subject/principalIdentifier/Name</valueRef> <value> Sekhar Vajjhala </value> </equal> </or> </policy> </applicablePolicy> Example 2: an Aggregate Policy containing a <applicablePolicyReference> Predicate <?xml version= 1.0 encoding= UTF-8 ?> <applicablePolicy xmlns=... issuer= <identity that ultimately controls policy for this PDP> policyName= xxxx > <!-- target is optional --> <policy> <or> <equal> <valueRef>saml:Subject/principalIdentifier/Name</valueRef> <value> Anne Anderson </value> </equal> <applicablePolicyReference> http://www.sun.com/CorporatePolicy </applicablePolicyReference> </or> </policy> </applicablePolicy> The Sub-Policy obtained by doing a GET on http://www.sun.com/CorporatePolicy is: <applicablePolicy xmlns=... issuer= <identity that defines Sun Corporate Policy> policyName= xxxx > <target resourceClassification= *.sun.com/* resourceToClassificationTransform= regularExpressionURI /> <policy> <equal> <valueRef>saml:Subject/principalIdentifier/Name</valueRef> <value> Sekhar Vajjhala </value> </equal> </policy> </applicablePolicy> If the <Resource> in the Access Request matches *.sun.com/* , then this <xacml:applicablePolicyReference> will return TRUE, FALSE, or ERROR. If the saml:authorizationQuery Resource does not match *.sun.com/* , then this sub-policy will return NOT-APPLICABLE. In this case, the Aggregate Policy is equivalent to the single remaining predicate. A <xacml:policy> element evaluates to NOT-APPLICABLE it its outermost Predicate evaluates to NOT-APPLICABLE.