OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only

[xacml] [policy-model]: group membership flatterning

  • 1.  [xacml] [policy-model]: group membership flatterning

    Posted 10-15-2001 03:58
    Title: [policy-model]: group membership flatterning In our last discussion on the policy model conf call a question was raised as to how to compute group closure in the pdp. I assume that we are using saml protocol (or it's extension) for authorization decision queries. There are several sources for group membership information. 1. It could be provided as evidence in the query itself. 2. pdp could query attribute authorities (1 or more) for the subject group membership. 3. pdp can maintain group hierarchy locally. Pdp can maintain a policy on how to compute group closure for various subjects and resources. This policy could specify combinations of 1, 2, and 3. One policy could be that evidence from the request should be ignored, and direct group membership should be taken from attribute authorities, and group hierarchy should be kept in the pdp. In this case input from 1 is ignored and 2 is used in 3 for closure computation. Or we can take group membership from the evidence in the request only. Allowing pdp to specify a policy for group membership computation provides for the most flexibility. Simon Godik Crosslogix