OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Re: XACML Policy Model

    Posted 03-09-2006 17:01
    Subject: Re: XACML Policy Model


    XACML does not fall neatly into any particular logical category.  At the 
    most abstract level, very roughly, an XACML policy is a Boolean 
    combination of predicates, each of which is a functional constraint on 
    the values of a set of variables being evaluated (or on the results of 
    other functional constraints and transformation functions).
    
    The standard functional constraints include simple Boolean comparison 
    functions (X > 5, X == "abc"), higher-order functions (all/at least 
    one/... values of X Boolean-function-variable all/at least one/... 
    values in {"abc", "xyz"}, etc.), regular expression matches, 
    type-specific matches (such as matching X500 Distinguished Names), etc. 
    The values used in the constraint functions may themselves be other 
    variables, results of other constraint functions or of various 
    arithmetic and transformation functions (X > (5 + Y), toUpperCase(X) == 
    "ABC"), etc.  Users are free to define new functional constraints, but 
    XACML itself does not provide a language for expressing functions: users 
    must describe/implement the semantics of the function and then reference 
    it using a unique identifier.  The XACML language itself deals with 
    evaluating parameters to the function and dealing with the results of 
    evaluating the function.  The variables used in constraint and other 
    functions can be pointers into XML documents or discrete named variables.
    
    XACML's "combining algorithms", used to combine results from 
    sub-policies, can be arbitrarily complex.  The standard ones include 
    deny-overrides (roughly Boolean AND) and permit-overrides (roughly 
    Boolean XOR), but users are free to write more complex algorithms that 
    might take into account parameters associated with each sub-policy, for 
    example.  The standard combining algorithms are not simple Boolean 
    operators because we need to handle 4 types of values resulting from 
    policy evaluation: true and false, but also "Indeterminate" (error), and 
    "NotApplicable" (the policy or rule does not apply to the supplied set 
    of variables).
    
    Perhaps others on the list can elaborate or be more specific (or more 
    correct :-)
    
    Regards,
    Anne Anderson
    
    Mine Altunay wrote on 03/09/06 10:52:
    > Dear list,
    > Is there a published paper explaining the formal policy model of XACML? 
    > For example, the formal specification of the rules that can be specified 
    > by XACML.
    > 
    > I have read and worked with Sun's implementation of XACML engine. I am 
    > also fairly familiar with simple policy statements that can be expressed 
    > within XACML. However, my experience is far from being sufficient to 
    > understand the underlying policy model completely.
    > 
    > A formal policy model would make it very much easier for me to grasp the
    > finer points of XACML, and how we can use/enhance XACML for representing 
    > complicated rule sets.
    > 
    > I have also seen the OASIS Technical Committee for Policy Model. 
    > However, I could not download any of the posted documents due to 404 
    > errors. I believe this committee is already closed. I would appreciate 
    > knowing whether they published reports from this committee somewhere else.
    > 
    > Any help is highly appreciated. Best Regards,
    > Mine Altunay
    > 
    > Computer Eng Dept
    > NC State Univ
    
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
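To make the four-valued point in Anne's reply concrete, here is an added example (not from the original post or from any XACML implementation) in Python: it models the two standard combining algorithms she names as they are specified for policy combining in XACML 2.0, as I read the spec's pseudo-code. That reading is an assumption, as are the function and sample names.

```python
from enum import Enum
from typing import Iterable


class Decision(Enum):
    """The four values an XACML policy or rule evaluation can return."""
    PERMIT = "Permit"
    DENY = "Deny"
    INDETERMINATE = "Indeterminate"    # evaluation error
    NOT_APPLICABLE = "NotApplicable"   # target did not match the request


def deny_overrides(decisions: Iterable[Decision]) -> Decision:
    """Policy-combining deny-overrides, following the XACML 2.0 pseudo-code
    as the author of this example reads it (an assumption, not spec text).
    Any Deny wins, and an Indeterminate is treated as a Deny that might have
    happened. Only if nothing denied does a Permit win; with no applicable
    sub-policy at all the result is NotApplicable.
    """
    decisions = list(decisions)
    if Decision.DENY in decisions or Decision.INDETERMINATE in decisions:
        return Decision.DENY
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE


def permit_overrides(decisions: Iterable[Decision]) -> Decision:
    """Policy-combining permit-overrides, same provenance as above.
    Any Permit wins; otherwise a Deny wins; an Indeterminate is passed up
    as Indeterminate rather than turned into a decision; else NotApplicable.
    """
    decisions = list(decisions)
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.INDETERMINATE in decisions:
        return Decision.INDETERMINATE
    return Decision.NOT_APPLICABLE


# Constructed sub-policy results: one errored, one did not apply, one permits.
SAMPLE = [Decision.INDETERMINATE, Decision.NOT_APPLICABLE, Decision.PERMIT]

if __name__ == "__main__":
    # A two-valued AND/OR cannot express this: the two algorithms differ
    # only in what they do with the error value.
    print("deny-overrides  :", deny_overrides(SAMPLE).value)    # Deny
    print("permit-overrides:", permit_overrides(SAMPLE).value)  # Permit
```

Note that deny-overrides of [Permit, NotApplicable] is Permit, which is why "roughly Boolean AND" is only an approximation: NotApplicable is ignored rather than treated as false.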
    