Hi David, Martin, et al, I was thinking more in terms of a policy exchange format, as opposed an alternative user-interfacing form. For example, we have started some policy exchange efforts in the past, however, I think they have been moth-balled:
https://www.oasis-open.org/committees/download.php/9582/access_control-xacml-3_0-distribution-rquirements-wd-01.pdf ref'd on home page under topic: The following work items are not currently under active development or discussion, but have not officially been withdrawn. I think the general use case is where one might have a large central policy repository, possibly within one giant XACML PolicySet, and that segments of that central policy need to be distributed to locations that require only that segment. The endpoint may not need to change the form back to XML. For example, an external json Request may come in to a local endpoint, and the local software might contain a mini-pdp aimed at validating the json request against a json policy. I'm not pushing for an effort on this, at this point, just wondering what the feasibility of such a use case might be. Thanks, Rich On 10/26/2018 11:49 AM, Martin Smith wrote: David, all-- I definitely agree that it would be great to have a more user-friendly policy language. I think a common language would be better than relying on different tool makes to make the XML grammar user-friendly in their own separate ways. And by better I mean better for vendors as well as users, since a more approachable policy language would increase general interest and uptake of the XACML approach to ABAC. However, I'd further suggest that the ideal policy language would not be aimed at programmers, but at policy analysts. So although ALFA is a big improvement over XML, it's still aimed at IT people and not policy people, and one of the obstacles to ABAC adoption (IMHO) is that it keeps being treated as an IT thing. Martin On Fri, Oct 26, 2018 at 11:36 AM David Brossard <
david.brossard@axiomatics.com > wrote: Hi Rich, all, This is a recurring question. It's been asked on Stackoverflow . If you remember, there was a lab in Ireland that had worked on a JSON format. Bernard Butler wrote on this mailing list about it. See here . In the Stackoverflow question I linked to above, Cyril Dangerville mentions that they used a direct XML-to-JSON mapping to achieve XACML policies in JSON: there are well-known conventions to convert XML to JSON (with limitations), mostly used by REST API frameworks. So if you know the XML format, the convention tells you the JSON format. For example, Apache CXF used to support two conventions: Badgerfish and the mapped convention. Badgerfish is no longer maintained in CXF therefore the mapped convention is preferred now. The mapped convention is what AuthzForce Server - another ABAC/XACML implementation - uses for the RESTful PAP (Policy Administration Point) API, so that you can manage XACML policies in either XML (standard XACML) or JSON format. We used the JSON format for _javascript_-based apps (e.g. web user interface) in particular. That being said, I do not see the value of expressing policies in pure JSON. The storage / serialization format is irrelevant. What matters is providing an easy means to write policy-based access control . That could either be via a UI (vendor/implementation-specific such as Axiomatics Policy Server) or via a lightweight syntax that is easy to read and write. This is why I think we should focus our attention on ALFA instead. It's look more like a programming language that JSON does (JSON being declarative). The ALFA Profile is here . Also, we've put a lot of efforts into samples on Wikipedia . Our customers all use ALFA and we are aware of other third parties using ALFA on their own e.g. the Open Justice Broker Consortium and even WSO2. Also, while we're at it, shouldn't we consider streamlining the policy language e.g.: have conditions anywhere, not just rules get rid of targets and only have conditions do away with PolicySet > Policy > Rule and provide a simple Policy element whereby a Policy either contains a decision or a set of children many more things... Thoughts? On Thu, Oct 25, 2018 at 10:59 AM rich levinson <
rich.levinson@oracle.com > wrote: To TC: Have we had any discussion on converting the whole XACML Policy spec to JSON? Currently, only the request and response are documented in json form? Have there been any requests for this capability? Thanks, Rich --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php -- David Brossard VP of Customer Relations +1 312 774-9163 +1 502 922 6538 +46(0)760 25 85 75 Axiomatics 525 W. Monroe Suite 2310 Chicago 60661 Support:
https://support.axiomatics.com Web:
http://www.axiomatics.com Axiomatics Blog Events Resources, Webinars & Whitepapers Connect with us on LinkedIn Twitter Google + Facebook YouTube Stackoverflow -- Martin F Smith, Principal BFC Consulting, LLC McLean, Va 22102 703 506-0159 703 389-3224 mobile