This is a draft proposal for the XACML 1.1 work
item 'Fully specified hierarchical resources'.
A resource model specification separates the properties of the resource
from the particular syntax used to express rules in the policy. In
particular, properties such as the propagation of authorization up or down the
resource hierarchy are explicitly defined. Note that propagation is an inherent
property of the resource hierarchy and is distinct from syntactic shortcuts in
the rule language.
In this proposal the resource model is defined once for the whole policy and
does not vary from rule to rule. For the motivation behind this, consider the
XML document use case: one can select an abstract tree model or a DOM model,
and these two models have different requirements and different syntax.
There are several ways to specify the resource model.
The simplest is to attach an optional ResourceModel attribute to the Policy
element:

  <xs:complexType name="PolicyType">
    ...
    <xs:attribute name="ResourceModel" type="xs:anyURI" use="optional"/>
  </xs:complexType>
To make this more extensible, we can define a <ResourceModel> element and make
it an optional child of the <Policy> element:

  <xs:element name="ResourceModel" type="xacml:ResourceModelType"/>

  <xs:complexType name="ResourceModelType">
    <xs:attribute name="ModelURI" type="xs:anyURI" use="required"/>
  </xs:complexType>

  <xs:complexType name="PolicyType">
    <xs:sequence>
      <xs:element ref="xacml:ResourceModel" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
When no resource model is specified, the flat resource model is assumed.
Possible resource model URIs:

  urn:oasis:names:tc:xacml:resource-model:flat-resource
  urn:oasis:names:tc:xacml:resource-model:abstract-tree
  urn:oasis:names:tc:xacml:resource-model:ufs
  urn:oasis:names:tc:xacml:resource-model:dom
  urn:oasis:names:tc:xacml:resource-model:ldap
A resource model can also specify permission propagation. For example,
'search' permission on a directory in a file system requires 'search'
permission on all ancestor directories up to the root. The resource model can
state that 'search' permission on a node propagates 'search' permission to all
ancestor nodes, unless overridden by other rules. On the other hand, 'search'
permission on a node in an LDAP directory does not require 'search' permission
all the way up to the root (the root is not actually defined in that case
anyway). 'Read' permission on a node in a DOM tree may propagate 'read'
permission to the descendant sub-tree, unless overridden by other rules.
Propagation can be defined with a <PropogationRule> element, a child of the
<ResourceModel> element; its Direction attribute is 'up' (towards the root)
or 'down' (towards the descendants):

  <xs:element name="PropogationRule" type="xacml:PropogationRuleType"/>

  <xs:complexType name="PropogationRuleType">
    <xs:attribute name="Action" type="xs:anyURI" use="required"/>
    <xs:attribute name="Direction" type="xacml:Direction" use="required"/>
  </xs:complexType>
The resource model type then becomes:

  <xs:complexType name="ResourceModelType">
    <xs:sequence>
      <xs:element ref="xacml:PropogationRule" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="ModelURI" type="xs:anyURI" use="required"/>
  </xs:complexType>
The standard resource models can be called out in the spec.
We can also handle implication between actions in this framework: for example,
'write' permission on a file implies 'read' permission on the same file.

  <xs:element name="Implication" type="xacml:ImplicationType"/>

  <xs:complexType name="ImplicationType">
    <xs:attribute name="Action" type="xs:anyURI" use="required"/>
    <xs:attribute name="ImpliedAction" type="xs:anyURI" use="required"/>
  </xs:complexType>
The resource model type then becomes:

  <xs:complexType name="ResourceModelType">
    <xs:sequence>
      <xs:element ref="xacml:PropogationRule" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="xacml:Implication" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="ModelURI" type="xs:anyURI" use="required"/>
  </xs:complexType>
A simple example:

  <ResourceModel ModelURI="urn:oasis:names:tc:xacml:resource-model:abstract-tree">
    <PropogationRule Action="search" Direction="up"/>
    <Implication Action="read" ImpliedAction="search"/>
  </ResourceModel>
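The following Python is an added example, not part of this draft and not code from any XACML implementation. It parses a <ResourceModel> of the shape proposed above and evaluates a request against a small list of explicit (resource, action, effect) rules, applying both mechanisms described in the propagation and implication sections: the transitive closure of <Implication>, and <PropogationRule> with 'up' meaning that a permit on any descendant grants the action on the node and 'down' meaning that the nearest ancestor carrying an explicit decision wins, so an explicit Deny on a sub-tree overrides a Permit inherited from higher up. The slash-separated path syntax, the Permit/Deny/NotApplicable results, the second (DOM) model, the rule that Deny applies only to the action it names, and the check that a flat model carries no propagation rules are all assumptions of the example; the rule lists are constructed sample input.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the <ResourceModel> from the draft, plus a second
# model (assumed here, not taken from the draft) with downward propagation.
TREE_MODEL = """<ResourceModel ModelURI="urn:oasis:names:tc:xacml:resource-model:abstract-tree">
  <PropogationRule Action="search" Direction="up"/>
  <Implication Action="read" ImpliedAction="search"/>
</ResourceModel>"""

DOM_MODEL = """<ResourceModel ModelURI="urn:oasis:names:tc:xacml:resource-model:dom">
  <PropogationRule Action="read" Direction="down"/>
</ResourceModel>"""

FLAT_URI = "urn:oasis:names:tc:xacml:resource-model:flat-resource"

Path = Tuple[str, ...]       # ("home", "alice"); the root is the empty tuple
Rule = Tuple[str, str, str]  # (resource, action, effect), effect is Permit or Deny


@dataclass
class ResourceModel:
    model_uri: str
    propagation: Dict[str, str] = field(default_factory=dict)        # action -> up | down
    implications: Dict[str, Set[str]] = field(default_factory=dict)  # action -> implied actions


def validate_model(model: ResourceModel) -> List[str]:
    """Consistency checks a PDP should run before trusting a model (assumed policy)."""
    problems = [f"bad Direction {d!r} for {a}" for a, d in model.propagation.items()
                if d not in ("up", "down")]
    if model.model_uri == FLAT_URI and model.propagation:
        problems.append("flat model cannot carry propagation rules")
    return problems


def parse_resource_model(xml_text: str) -> ResourceModel:
    root = ET.fromstring(xml_text)
    if root.tag != "ResourceModel":
        raise ValueError(f"expected <ResourceModel>, got <{root.tag}>")
    model = ResourceModel(root.attrib["ModelURI"])
    for rule in root.findall("PropogationRule"):
        model.propagation[rule.attrib["Action"]] = rule.attrib["Direction"]
    for imp in root.findall("Implication"):
        model.implications.setdefault(imp.attrib["Action"], set()).add(imp.attrib["ImpliedAction"])
    problems = validate_model(model)
    if problems:
        raise ValueError("; ".join(problems))
    return model


def implied_actions(model: ResourceModel, action: str) -> Set[str]:
    """Transitive closure of <Implication>, so chains like write -> read -> search work."""
    seen, stack = {action}, [action]
    while stack:
        for nxt in model.implications.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def to_path(resource: str) -> Path:
    return tuple(seg for seg in resource.split("/") if seg)


def is_ancestor(a: Path, b: Path) -> bool:
    """True when a is a proper ancestor of b."""
    return len(a) < len(b) and b[:len(a)] == a


def explicit_decision(model: ResourceModel, rules: List[Rule], node: Path, action: str) -> Optional[str]:
    """Decision carried by rules naming `node` itself. Deny wins over Permit; a
    Permit counts when it is for `action` or for an action that implies it."""
    permitted: Set[str] = set()
    for res, act, effect in rules:
        if to_path(res) != node:
            continue
        if effect == "Deny" and act == action:
            return "Deny"
        if effect == "Permit":
            permitted |= implied_actions(model, act)
    return "Permit" if action in permitted else None


def decide(model: ResourceModel, rules: List[Rule], resource: str, action: str) -> str:
    node = to_path(resource)
    own = explicit_decision(model, rules, node, action)
    if own is not None:                # a rule on the node itself overrides propagation
        return own
    direction = model.propagation.get(action)
    if direction is None:              # flat model, or an action that does not propagate
        return "NotApplicable"
    rule_nodes = {to_path(res) for res, _, _ in rules}
    if direction == "up":              # any permitted descendant grants the action here
        for other in rule_nodes:
            if is_ancestor(node, other) and explicit_decision(model, rules, other, action) == "Permit":
                return "Permit"
        return "NotApplicable"
    # "down": the nearest ancestor with an explicit decision wins, so a Deny on
    # a sub-tree cuts off a Permit inherited from higher up.
    for other in sorted((n for n in rule_nodes if is_ancestor(n, node)), key=len, reverse=True):
        found = explicit_decision(model, rules, other, action)
        if found is not None:
            return found
    return "NotApplicable"


if __name__ == "__main__":
    fs = parse_resource_model(TREE_MODEL)
    fs_rules = [("/home/alice/docs/report.txt", "read", "Permit"), ("/home/bob", "search", "Deny")]
    for res, act in [("/home/alice/docs/report.txt", "search"), ("/home/alice", "search"),
                     ("/", "search"), ("/home/alice", "read"), ("/home/bob", "search")]:
        print(f"{act:6} {res:28} -> {decide(fs, fs_rules, res, act)}")
```

Running the file prints the decisions for the file-system sample: a single 'read' Permit on the report makes 'search' Permit on every ancestor up to the root, while 'read' itself does not propagate. Note that a Deny is applied only to the action it names, so a Deny on 'read' does not block an implied 'search'; whether implication should also carry denials is one point the spec text would need to settle.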
Simon