OASIS eXtensible Access Control Markup Language (XACML) TC


[Fwd: [xacml-comment] About XACML Administrative policy draft]


    Posted 07-25-2006 13:10




    Subject: [Fwd: [xacml-comment] About XACML Administrative policy draft]


    The attached questions came in today on the xacml comments list. Here
    are my answers to them:
    
    1. Yes, you are correct. Having an indirect delegates condition inside a
    target that does not match administrative request does not make sense.
    However, there is nothing that disallows you from writing such a policy.
    Personally, I don't think it is necessary to add such a restriction.
    There are infinite ways to write policies that do not make sense, and I
    don't think this case needs any special treatment.
    
    Yes, you are also correct that there is no way to match any delegate.
    This is a known problem with the current draft. See issue 33 at
    
    http://wiki.oasis-open.org/xacml/IssuesList
    
    Before we address this issue we are going to wait for the rewrite of the
    core schema to allow arbitrary attribute categories.
    
    2. Yes, you are correct, <IndirectDelegatesCondition> can only be used
    inside a condition. This is by design since the target is primarily
    intended for quick indexing/pruning, and the general opinion was that
    there is no need to index on the indirect delegates.
    
    Best regards,
    Erik
    
    
    --- Begin Message ---
    Dear XACML Committee,
      
    I have some questions on XACML administrative policy to clarify.
    
    1. <Delegates> element is added to <Target>. So the <PolicySet>, <Policy> and <Rule> could include it. <IndirectDelegatesCondition> mostly appears in the <Condition> of <Rule>. I think there exists an implicit relation between <Delegates> and <IndirectDelegatesCondition>. If there doesn't exist <Delegates> in a policy, there shouldn't exist <IndirectDelegatesCondition> in <Rule>. The reason is that <IndirectDelegate> must not be present if the <Delegates> element is not present in context. Another problem is how we express any delegate. According to XACML normal logic, not present means any, like subject, resource. But in this situation, we couldn't construct a request including only indirect delegate without delegate. I remember someone (sorry I forgot his/her name) suggested using <Delegates> <AnyDelegate> </Delegates> to express any delegate in target. I think it may solve it.
    
    2. I can't imagine how to use <IndirectDelegatesCondition> except in <Condition>. If <IndirectDelegatesCondition> can be used outside <Condition> of rule, please give me a simple example and explain it. Thanks.
      
    
    Best Regards
    
    Li XiaoFeng
    
    Email:xiaofeng03 (at) iscas (dot) cn   lxf (at) is (dot) iscas (dot) ac (dot) cn
    Department:LOIS,Institute of Software Chinese Academy of Sciences
    Address:4# South Fourth Street, Zhong Guan Cun, Beijing,P.R. CHINA
    
    2006-07-25 
    
    --- End Message ---
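The two points in the exchange above (absence of <Delegates> cannot mean "any delegate" the way absence of a subject or resource does, and an <IndirectDelegatesCondition> in a rule whose target never matches an administrative request is dead code) can be made concrete with a small evaluation model. The following is an added example, not code from the TC, the draft, or either correspondent: it is a constructed Python toy of target matching, not an XACML engine. The names Delegates, IndirectDelegatesCondition and the proposed AnyDelegate come from the thread; representing each category as a set of identifiers, the `ANY_DELEGATE` sentinel, the `Request`/`Target` classes and the Permit/NotApplicable outcomes are this example's own simplifications.

```python
"""Toy model of XACML target matching with the draft <Delegates> element.

Constructed example (not from the XACML TC or the draft). Element names follow
the thread; the evaluation rules are a simplification of the semantics it describes.
"""
from dataclasses import dataclass
from typing import Optional

# Stands in for the proposed <Delegates><AnyDelegate/></Delegates> (assumption: a
# marker that an administrative policy applies regardless of who the delegate is).
ANY_DELEGATE = object()


@dataclass
class Request:
    subject: str
    resource: str
    action: str
    delegate: Optional[str] = None      # present only in an administrative request
    indirect_delegates: tuple = ()      # only meaningful when a delegate is present

    def __post_init__(self):
        # The thread's constraint: indirect delegates cannot appear without a delegate.
        if self.indirect_delegates and self.delegate is None:
            raise ValueError("indirect delegates require a delegate in the request")


@dataclass
class Target:
    subjects: Optional[set] = None      # None == element absent == matches any subject
    resources: Optional[set] = None     # same ordinary XACML rule for resources
    actions: Optional[set] = None       # and actions
    delegates: object = None            # None == <Delegates> absent: NOT "any"; see below


def target_matches(t: Target, r: Request) -> bool:
    """Ordinary categories: absent means any. Delegates: absent means access policy only."""
    for attr, wanted in (("subject", t.subjects), ("resource", t.resources), ("action", t.actions)):
        if wanted is not None and getattr(r, attr) not in wanted:
            return False
    if t.delegates is None:
        # No <Delegates>: the policy only applies to ordinary access requests,
        # so it can never match a request carrying a delegate.
        return r.delegate is None
    if r.delegate is None:
        return False                    # administrative policy, non-administrative request
    if t.delegates is ANY_DELEGATE:
        return True                     # the proposed explicit "any delegate" marker
    return r.delegate in t.delegates


def indirect_delegates_condition(r: Request, allowed: set) -> bool:
    """Models an <IndirectDelegatesCondition>: every indirect delegate must be allowed."""
    return all(d in allowed for d in r.indirect_delegates)


def evaluate_rule(t: Target, r: Request, allowed_indirect: Optional[set] = None) -> str:
    """Single permit rule: target first, then (optionally) the condition.

    Returns "Permit" or "NotApplicable"; Indeterminate is left out of the model.
    """
    if not target_matches(t, r):
        return "NotApplicable"          # condition is never consulted
    if allowed_indirect is not None and not indirect_delegates_condition(r, allowed_indirect):
        return "NotApplicable"
    return "Permit"


def indirect_only_request_rejected() -> bool:
    """The request shape the question says cannot be constructed (constructed input)."""
    try:
        Request("bob", "file1", "read", indirect_delegates=("carol",))
    except ValueError:
        return True
    return False


def demo() -> dict:
    # Constructed sample requests: one ordinary access request, one administrative one.
    access = Request("alice", "file1", "read")
    admin = Request("bob", "file1", "read", delegate="alice", indirect_delegates=("carol",))

    plain = Target(resources={"file1"})                         # no <Delegates>
    scoped = Target(resources={"file1"}, delegates={"alice"})   # names one delegate
    any_del = Target(resources={"file1"}, delegates=ANY_DELEGATE)

    return {
        "plain_on_access": evaluate_rule(plain, access),
        "plain_on_admin": evaluate_rule(plain, admin),            # no way to say "any delegate"
        "scoped_on_admin": evaluate_rule(scoped, admin),
        "scoped_on_access": evaluate_rule(scoped, access),
        "any_delegate_on_admin": evaluate_rule(any_del, admin),   # with the proposed marker
        # Erik's point 1: a condition under a target that cannot match admin requests is dead code.
        "plain_with_condition_on_admin": evaluate_rule(plain, admin, {"carol"}),
        "scoped_with_condition_ok": evaluate_rule(scoped, admin, {"carol"}),
        "scoped_with_condition_fail": evaluate_rule(scoped, admin, {"dave"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run stand-alone, `demo()` shows that without an explicit marker like AnyDelegate an administrative policy must enumerate delegates, because leaving <Delegates> out turns it into an ordinary access policy that no administrative request can match; it also shows why an <IndirectDelegatesCondition> only has an effect once the target has already matched an administrative request.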

