OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] [model] implementing global "deny" using 0.8 and meta-policies

  • 1.  [xacml] [model] implementing global "deny" using 0.8 and meta-policies

    Posted 01-17-2002 20:48
    Implementing global deny semantics using schema 0.8 and meta-policies

    USE CASE: policy is to deny access to Principal "Anne Anderson" under all conditions. The policy is distributed across many sub-policies, which are all combined to produce the global policy that is to be applied.

    Michiharu's concern was with needing to put something like

        <not>
          <equal>
            <valueRef entity="principal">saml:Subject/NameIdentifier/Name</valueRef>
            <value>Anne Anderson</value>
          </equal>
        </not>

    into every sub-policy if there was no global deny syntax.

    My proposed solution depends on the idea of having meta-policies. I think meta-policies solve multiple problems:

    1. where do I get policies,
    2. knowing when you have obtained all the relevant policies,
    3. knowing how to combine policies,
    4. being able to implement global deny,

    and meta-policies do not introduce any new syntax. It is just very explicit in specifying what "applicable policy" means.

    SOLUTION

    Each PDP (or PRP) needs to be configured with a single policy that serves as that PDP's "meta-policy". The syntax of this single policy is exactly that in 0.8. This meta-policy determines where and under what conditions various sub-policies are retrieved.

    I may not be using <externalFunction> correctly, or the subpolicies may need more enclosing namespace information, but I hope these examples will give the idea. The final example shows how global deny semantics are implemented.

    EXAMPLE SIMPLE META-POLICY FOR DISTRIBUTED POLICIES:

        <?xml version="1.0" encoding="UTF-8"?>
        <applicablePolicy xmlns=... issuer="<identity that ultimately controls policy for this PDP>" policyName=...>
          <!-- target omitted, since this policy applies to all targets -->
          <policy>
            <and>
              <externalFunction>http://www.site1/policy1.xml</externalFunction>
              <externalFunction>http://www.site2/policy2.xml</externalFunction>
              ...
            </and>
          </policy>
        </applicablePolicy>

    What is found at each of the <externalFunction> locations is another <applicablePolicy>, which may be more specific as to which resources it applies to (that applicablePolicy in turn may refer to still other policies). If one of these <applicablePolicy> elements does not apply to the current request, then the result is "does not apply" and does not affect the result of the <and> evaluation.

    META-POLICY THAT USES SUB-POLICIES BASED ON RESOURCE

        <?xml version="1.0" encoding="UTF-8"?>
        <applicablePolicy xmlns=... issuer="<identity that ultimately controls policy for this PDP>" policyName=...>
          <!-- target omitted, since this policy applies to all targets -->
          <policy>
            <or>
              <and>
                <equal>
                  <valueRef>saml:Resource</valueRef>
                  <value>file:/host1/*</value>
                </equal>
                <externalFunction>http://www.site1/policy1.xml</externalFunction>
              </and>
              <and>
                <equal>
                  <valueRef>saml:Resource</valueRef>
                  <value>file:/host2/*</value>
                </equal>
                <externalFunction>http://www.site2/policy2.xml</externalFunction>
              </and>
              ...
            </or>
          </policy>
        </applicablePolicy>

    META-POLICY THAT IMPLEMENTS GLOBAL DENY SEMANTICS

        <?xml version="1.0" encoding="UTF-8"?>
        <applicablePolicy xmlns=... issuer="<identity that ultimately controls policy for this PDP>" policyName=...>
          <!-- target omitted, since this policy applies to all targets -->
          <policy>
            <and>
              <not>
                <equal>
                  <valueRef entity="principal">saml:Subject/NameIdentifier/Name</valueRef>
                  <value>Anne Anderson</value>
                </equal>
              </not>
              <or>
                <and>
                  <equal>
                    <valueRef>saml:Resource</valueRef>
                    <value>file:/host1/*</value>
                  </equal>
                  <externalFunction>http://www.site1/policy1.xml</externalFunction>
                </and>
                <and>
                  <equal>
                    <valueRef>saml:Resource</valueRef>
                    <value>file:/host2/*</value>
                  </equal>
                  <externalFunction>http://www.site2/policy2.xml</externalFunction>
                </and>
                ...
              </or>
            </and>
          </policy>
        </applicablePolicy>

    For administrative ease in a more realistic situation, the set of globally denied attribute/value combinations would be placed in one <externalFunction> policy.

    Anne
    --
    Anne H. Anderson                     Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive, UBUR02-311          Tel: 781/442-0928
    Burlington, MA 01803-0902 USA        Fax: 781/442-1692
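The following is an added example, not part of Anne's post and not code from any XACML implementation. It is a small Python evaluator for the 0.8-style combinators the post uses (<and>, <or>, <not>, <equal>, <externalFunction>, <applicablePolicy>) with the three-valued semantics the post describes: a sub-policy that does not apply yields "does not apply", which is ignored by <and> and <or>. Everything beyond the post is an assumption and is marked as such in the code: the two sub-policies live in an in-memory dict rather than being fetched from their URLs, a sub-policy's <target> is written as <target><resource>GLOB</resource></target>, a request is a dict keyed by the <valueRef> paths (including a constructed saml:Action attribute), and an attribute absent from the request makes <equal> evaluate to "does not apply". Namespaces and the XML declaration are left out of the constructed documents so element lookups stay simple.

```python
"""Three-valued evaluator for the meta-policy combinators in the post above (added example)."""
import fnmatch
import xml.etree.ElementTree as ET

NA = "NotApplicable"  # the third truth value: "does not apply"

# Constructed sub-policies standing in for what <externalFunction> would fetch.
# The <target><resource> form is an assumption, not 0.8 syntax from the post.
POLICY_STORE = {
    "http://www.site1/policy1.xml": """<applicablePolicy issuer="site1" policyName="policy1">
  <target><resource>file:/host1/*</resource></target>
  <policy><equal><valueRef>saml:Action</valueRef><value>read</value></equal></policy>
</applicablePolicy>""",
    "http://www.site2/policy2.xml": """<applicablePolicy issuer="site2" policyName="policy2">
  <target><resource>file:/host2/*</resource></target>
  <policy><or>
    <equal><valueRef>saml:Action</valueRef><value>read</value></equal>
    <equal><valueRef>saml:Action</valueRef><value>write</value></equal>
  </or></policy>
</applicablePolicy>""",
}

# The global-deny meta-policy from the post, with its two concrete branches.
META_POLICY = """<applicablePolicy issuer="pdp-owner" policyName="meta">
  <policy><and>
    <not><equal>
      <valueRef entity="principal">saml:Subject/NameIdentifier/Name</valueRef>
      <value>Anne Anderson</value>
    </equal></not>
    <or>
      <and>
        <equal><valueRef>saml:Resource</valueRef><value>file:/host1/*</value></equal>
        <externalFunction>http://www.site1/policy1.xml</externalFunction>
      </and>
      <and>
        <equal><valueRef>saml:Resource</valueRef><value>file:/host2/*</value></equal>
        <externalFunction>http://www.site2/policy2.xml</externalFunction>
      </and>
    </or>
  </and></policy>
</applicablePolicy>"""


def combine(results, op):
    """Apply and/or while ignoring "does not apply"; if every operand is NA, stay NA."""
    decided = [r for r in results if r is not NA]
    return op(decided) if decided else NA


def target_applies(target, request):
    """Assumed target form: a glob over the request's saml:Resource."""
    resource = target.find("resource")
    if resource is None:
        return True
    actual = request.get("saml:Resource")
    return actual is not None and fnmatch.fnmatchcase(actual, resource.text.strip())


def evaluate(elem, request, store=POLICY_STORE):
    """Return True (permit), False (deny) or NA for one policy element."""
    tag = elem.tag
    if tag == "applicablePolicy":
        target = elem.find("target")
        if target is not None and not target_applies(target, request):
            return NA  # sub-policy does not apply to this request
        return evaluate(elem.find("policy"), request, store)
    if tag == "policy":
        return evaluate(list(elem)[0], request, store)  # single combinator child
    if tag == "and":
        return combine([evaluate(c, request, store) for c in elem], all)
    if tag == "or":
        return combine([evaluate(c, request, store) for c in elem], any)
    if tag == "not":
        r = evaluate(list(elem)[0], request, store)
        return NA if r is NA else (not r)
    if tag == "equal":
        actual = request.get(elem.find("valueRef").text.strip())
        if actual is None:
            return NA  # assumption: missing attribute cannot be compared
        return fnmatch.fnmatchcase(actual, elem.find("value").text.strip())
    if tag == "externalFunction":
        url = elem.text.strip()
        if url not in store:
            return NA  # assumption: unreachable sub-policy contributes nothing
        return evaluate(ET.fromstring(store[url]), request, store)
    raise ValueError(f"unsupported element <{tag}>")


def decide(request):
    """Evaluate the global-deny meta-policy for one request dict."""
    return evaluate(ET.fromstring(META_POLICY), request)


if __name__ == "__main__":
    for who, res, act in [("Anne Anderson", "file:/host1/a.txt", "read"),
                          ("Bob Baker", "file:/host1/a.txt", "read"),
                          ("Bob Baker", "file:/host2/a.txt", "write")]:
        req = {"saml:Subject/NameIdentifier/Name": who, "saml:Resource": res, "saml:Action": act}
        print(f"{who} {act} {res} -> {decide(req)}")
```

Two things the run makes visible. First, the <not><equal>...</equal></not> clause forces the outer <and> to False for Anne whatever the resource branches say, which is the global deny the post is after. Second, under the assumption that a missing attribute yields "does not apply", a request that carries no saml:Subject/NameIdentifier/Name at all makes the deny clause NA, so the <and> ignores it and the request is permitted; a PDP relying on this construction therefore has to require the principal attribute (or treat its absence as a match) rather than let the combinator quietly drop the clause.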