OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only
Expand all | Collapse all

XACML & RDF

  • 1.  XACML & RDF

    Posted 12-01-2011 09:34
    Paul, About http://wiki.oasis-open.org/xacml/XACMLandRDF "XACML and RDF" "2. Add provisions in the request/response syntax to identify resources, subjects, and actions by URI alone." According to the 3.0 core spec (lines 2418-2419), attributes are identified by all of category, attributeId, data type, and issuer (if present). I'm assuming there were good reasons to include category et al? In practice, I don't think I've seen any attributeId reused across categories. Is anyone actually doing that? "3. Extend the policy language to test ontological conditions such as subclass membership and class relations." What extensions do you think are necessary to support such features? "Attributes/properties of what?" The Document example rule matches any document, but in practice one would often want to grant access to a limited set of documents. I think we need to some semantic definitions on attribute *values* to handle this. That seems to be the case for hierarchical actions as well. Another example where that would be helpful is with hierarchical roles. A policy may grant access to 'employee', but the request may specify 'manager' as the value for the role-id attribute. The ontology should be able to define that 'manager' implies 'employee'. The RBAC profile allows us to specify such a role hierarchy, but not very elegantly IMHO, since the permission PolicySets "must be stored in the policy repository in such a way that they can never be used as the initial policy for an XACML PDP" (lines 160-161). Defining the role hierarchy as an ontology, and specifying some machinery in the context handler to process ontologies could improve the RBAC profile. "RDF for attribute metadata" "We don't want to force the PEP to include type="Document" and type="SpecialDocument". So the first thing the PIP does is to discover all the additional types entailed from the initial request context." According to Figure 1 of the core 3.0 spec (lines 475-478), the PIP is asked for attribute values *after* the PDP decides it needs them. What in the Document/SpecialDocument example would make the PDP request attribute values from the PIP? Or did you mean the context handler? Thanks, Ray


  • 2.  RE: XACML & RDF

    Posted 12-01-2011 15:25
    Hi Ray, >


  • 3.  RE: Context Handler (was: XACML & RDF)

    Posted 12-05-2011 14:38
    Paul and others, >


  • 4.  Re: [xacml] RE: Context Handler

    Posted 12-14-2011 08:10
    Ray, I don't think that a REP would add any value to the spec. The context handler already has all the capability to do this. Best regards, Erik On 2011-12-05 15:37, remon.sinnema@emc.com wrote: Paul and others,


  • 5.  RE: [xacml] RE: Context Handler

    Posted 12-19-2011 09:41
    Erik, >


  • 6.  Re: [xacml] RE: Context Handler

    Posted 12-19-2011 10:08
    Ray, To add hierarchical actions or semantic entailment, you can provide this through a PIP in the architecture. Why would you need to change anything? Best regards, Erik On 2011-12-19 10:40, remon.sinnema@emc.com wrote: Erik,


  • 7.  RE: [xacml] RE: Context Handler

    Posted 12-19-2011 10:43
    Erik, >


  • 8.  Re: [xacml] RE: Context Handler

    Posted 12-19-2011 13:59
    Hi Ray, I did not understand that. As far as I can see, when the PDP needs the "type" attribute, it can ask a PIP to provide it. The PIP has all attributes of the request available as key values. How is this different from a REP? The available information seems to be the same in either case. What did I not get? Best regards, Erik On 2011-12-19 11:43, remon.sinnema@emc.com wrote: Erik,


  • 9.  RE: [xacml] RE: Context Handler

    Posted 12-19-2011 14:25
    Erik, >


  • 10.  Re: [xacml] RE: Context Handler

    Posted 12-19-2011 15:02
    Hi Ray, Ok, I understand, but I would say that this is a flaw in the implementation in this case. Just because the PEP provides one value for an attribute does not mean that a PIP should not be able to augment it with more values. There are many attributes which may have some values provided by a PEP and others by a PIP. For instance, a user may login with a token which has a user group, but a PIP could provide more groups from an external directory. Best regards, Erik On 2011-12-19 15:24, remon.sinnema@emc.com wrote: Erik,


  • 11.  RE: [xacml] RE: Context Handler

    Posted 12-19-2011 15:11
    Erik, >


  • 12.  Re: [xacml] RE: Context Handler

    Posted 12-19-2011 15:48
    On 2011-12-19 16:11, remon.sinnema@emc.com wrote: Erik,


  • 13.  RE: [xacml] RE: Context Handler

    Posted 12-19-2011 16:42
    Erik, >


  • 14.  Re: [xacml] RE: Context Handler

    Posted 12-20-2011 08:53
    Hi Ray, What would be the concrete change you would like to make in this case? Could you make a proposal? Also, could you handle it by the PIPs, rather than introducing an entirely new component like the REP? Best regards, Erik On 2011-12-19 17:41, remon.sinnema@emc.com wrote: Erik,


  • 15.  RE: [xacml] RE: Context Handler

    Posted 12-22-2011 14:15
    Erik, >


  • 16.  Privacy Preserving Attribute Verification

    Posted 01-04-2012 18:06


  • 17.  RE: [xacml] RE: Context Handler

    Posted 12-19-2011 14:25
    I agree partially with both Erik and Ray. I don't think a new architectural component is required. "Context handler" is sufficiently underspecified to allow any desired level of semantic entailment. I don't think semantic entailment should be "just another PIP", although it could probably be implemented that way. The important point is that there must be some way for the policy author to specify the ontology that governs the world for which he is writing policies. And, developers of PEPs and PIPs must know about this ontology. Currently, policy authors and component developers only need to agree on a common attribute vocabulary. For semantic XACML, they need furthermore to agree on an ontology that defines classes and relationships among them. This agreement could happen "out of band" (as currently happens with the attribute vocabulary), or it could be specified in a XACML syntax instance (perhaps by naming an ontology in a Policy or PolicySet). Regards, --Paul >


  • 18.  RE: [xacml] RE: Context Handler

    Posted 12-19-2011 15:06
    Paul, Erik, >