OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only

Re: [xacml] Boolean Policy resolution

  • 1.  Re: [xacml] Boolean Policy resolution

    Posted 02-03-2002 18:21
    
    Greetings,
    
    After a week of not reading email, it's made for a hell of a Sunday.
    I'll look forward to the con call tomorrow.
    
    As I have only skimmed Ann and Bill's arguments, I was thinking about this
    these very problems last week while in my other OMG venue.
    
    Base Policy. I think that the "Base" policy is merely a logical term that
    refers to the policy that the PDP abides by. It may not be reproducible
    in a practical manner (i.e. too large, etc.).
    
    As for Bill's existence of a default policy I agree, I had this same
    concept in SAL,
    http://www.omg.org/news/meetings/workshops/presentations/docsec_present/2000/sal-ws1.pdf.
    Although, not the direct subject of the paper, you might see that if you
    defined a policy, you had to "apply" it to get it to work. Also, you had
    to do so with a default policy of "Allow" or "Disallow",
    
    (Apply "named policy" Disallow)
    
    That is because the language follows the 3 valued logic approach. The
    named policy may evaluate to "DoNotUse", in which case the policy engine
    needed a default.
    
    However, you are not going to get anywhere without the "Apply" construct,
    i.e. Administrative interfaces to the PDP. (I think these interfaces are
    out of the scope of XACML.) Unless you have notions like "set_policy" or
    "add_policy" and their semantics, you will not have any semantics about
    "what" policy a given PDP should follow.
    
    As for the logic, I would follow a three valued logic, and let "Error" be
    an artifact of evaluation.
    
    I envisioned the applicable policy to contain the following semantic
    notation.
    
    Typed Inputs (SAML?):
    R - Resource
    A - Action
    S - Subject
    
    3 Valued (T,F,N) Policy Predicates Notation:
    
    AP - Applicable Policy
    P - Combined Policy (And, Or, etc.)
    
    2 Valued Predicates (T,F)
    T - Target Predicate
    J - Subject Predicate
    
    An Applicable Policy is of the form:
    
    AP(R,A,S) == T(R,A) and J(S) -> P(R,A,S)
    
    The "AP" is an applicable policy that is merely just a 3 valued predicate
    that is structured with a predicate, T, on the target (R,A), and a
    predicate, J, on the subject, S.
    
    The "P" is merely an applicable policy or a combination of predicates on
    R, A, and S, such using "and" and "or".
    
    The logic (truth tables) is as follows. The operator "->" signifies a
    partial function.
    
    and  T  F  N    or  T  F  N     ->   T  F  N
     T   T  F  T    T  T  T   T      T   T  F  N
     F   F  F  F    F  T  F   F      F   N  N  N
     N   T  F  N    N  T  F   N
    
    You will see that this logic explains Ann's proposal. Applicable Policies
    are merely clauses that are structured with the "->" operator.
    
    If the premise of the "->" is false, the policy predicate yields "N"
    (not-applicable). This works nicely with the definitions of "and" and
    "or", as policies will only evaluate to "N" if their constituents evaluate
    as such. Furthermore, combined policies will only evaluate to "N" if *all*
    their constituents evaluate to "N", so short cuts on evaluations can
    happen.
    
    Now, there is a problem, with this pesky "<NOT></NOT>" that is wanted.
    
    May I suggest a solution?
    
    The problem with "not" is that it usually means "compliment" of the set.
    With a 2 valued logic, {T,F} is okay because they are compliments of each
    other (although when you go to first order logic, you're back in the same
    boat, but I digress). With a three valued logic, that is much more
    difficult. So, I would suggest to define "Not" operators for those things
    where the compliments are well defined, or that are of concern to the
    group. Such as
    
    Positive         Negative
    --------         --------
    <equal>   ...   <notEqual>
    <lessThan> ...  <notLessThan>
    <after>    ...  <notAfter>
    etc.
    
    That way you can still have the "not" that Hal's customers want, except
    not in a generalized fashion, which screws up the logic.
    
    <and>
      <not>
          applicablePolicy
      </not>
      ....
    
    </and>
    
    are not legal and cannot exist in the language.
    
    Also, one other point, if we go with this approach, we have to introduce
    value tags, such as "<true/> and <false?> since,
    
    <and>
    </and>
    
    <or>
    </or>
    
    i.e. with 0 constiuents, both evaluate to "N".
    
    So, writing an applicable policy where the T and J predicates are true may
    be all there is needed to indicate that the AP policy evaluates to true.
    
    AP(R,A,S) === T(R,A) & J(S) -> true
    
    
    Do we have an agenda for tomorrow?
    
    Cheers,
    -Polar