OASIS eXtensible Access Control Markup Language (XACML) TC


attribute with AttributeId="...:subject-id" containing the "identity" of a subject ?


    Posted 04-04-2005 23:36


    Subject: attribute with AttributeId="...:subject-id" containing the "identity" of a subject ?


    In XACML, we don't seem to distinguish the attributes by type as being 
    either identity-attributes or "just-attributes", where the identity 
    attributes would be special as they would uniquely identify that 
    subject/resource/action.
    
    Instead we use this special subject-id/resource-id/action-id AttributeId 
    that fulfills a similar role.
    
    However, if a requester comes in, the request context creation code has 
    to "know" what identifier to use for that subject-id, otherwise it 
    wouldn't match the one used in the policy matching rules.
    
    So, one should know to use an X509 subject-name's DN, or the public key, 
    and if that same user authenticates tomorrow with kerberos, then 
    principal@realm will only work if you "know" to use an associated 
    identity assertion that federates those names and to fill-in the right 
    one for that subject-id.
    
    We have the added issue that when issuers are associated with policies, 
    then we need the issuer's attributes to use a subject-id such that we 
    can match it to additional attributes that may be available when that 
    issuer is substituted by the PDP in the xacml-context:Request.
    
    As an alternative, could we maybe label the attributes with a boolean 
    "Identifier", such that we could use that in our matching functions 
    like: see if any of the subject's attributes for which 
    "Identifier==TRUE", match my subject-id value.
    
    Having such an "Identifier" attribute for Attribute, would also allow 
    you to specify a true XACML Attribute assertion as a collection of 
    Attributes with at least one Attribute for which "Identifier==TRUE".
    (I guess the latter would also be possible if the attribute set included 
    one for which AttributeId=="...:subject-id")
    
    -Frank.
    
    
    -- 
    Frank Siebenlist               franks@mcs.anl.gov
    The Globus Alliance - Argonne National Laboratory
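The subject-id mismatch Frank describes, and his proposed "Identifier" flag, modelled over a small XACML 2.0 request context. This is added example code, not from the post or the XACML specification; the request, the urn:example AttributeIds and the Identifier attribute on Attribute are constructed assumptions (only the subject-id AttributeId and the 2.0 context namespace are the standard ones).

```python
# Added example: models the subject-id matching problem from the post and
# the proposed per-Attribute "Identifier" flag. Not from the post or spec.
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"   # XACML 2.0 context namespace
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"  # standard AttributeId
ID_FLAG = "Identifier"  # hypothetical boolean from the post; not part of XACML
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed request: the user authenticated with Kerberos today, so the
# context builder put principal@realm into subject-id, while a federated
# identity assertion also supplied the X.509 DN, flagged as an identifier.
REQUEST_XML = f"""
<Request xmlns="{XACML_CTX}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}">
      <AttributeValue>franks@EXAMPLE.REALM</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:x509-subject-dn" DataType="{XS_STRING}"
               {ID_FLAG}="true">
      <AttributeValue>CN=Frank Siebenlist,O=Example</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:role" DataType="{XS_STRING}">
      <AttributeValue>developer</AttributeValue>
    </Attribute>
  </Subject>
</Request>
"""

def subject_attributes(request_xml):
    """Return (AttributeId, value, identifier_flag) triples for the Subject."""
    root = ET.fromstring(request_xml)
    ns = {"c": XACML_CTX}
    out = []
    for attr in root.findall("c:Subject/c:Attribute", ns):
        value = attr.findtext("c:AttributeValue", default="", namespaces=ns)
        flag = attr.get(ID_FLAG, "false").lower() == "true"
        out.append((attr.get("AttributeId"), value, flag))
    return out

def match_subject_id(request_xml, policy_subject_id):
    """Standard behaviour: only the subject-id attribute is compared, so the
    policy's DN never matches a request whose subject-id holds the principal."""
    return any(aid == SUBJECT_ID and val == policy_subject_id
               for aid, val, _ in subject_attributes(request_xml))

def match_any_identifier(request_xml, policy_subject_id):
    """Post's alternative: any attribute with Identifier==TRUE (or the
    subject-id itself, which plays the same role) may satisfy the match."""
    return any((flag or aid == SUBJECT_ID) and val == policy_subject_id
               for aid, val, flag in subject_attributes(request_xml))
```

Note that the role attribute is never treated as an identifier, so a policy value that happens to equal a non-identity attribute cannot match under either function.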
    
    

