OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  FW: some little questions

    Posted 07-16-2009 14:20
      |   view attached

    Attachment(s)



  • 2.  RE: [xacml] FW: some little questions

    Posted 07-16-2009 15:38
    
    
    
    
    
    
    
    Perhaps I gave the wrong impression about protecting a policy repository.
     
    During the discussons which led to XACML 3.0 it was pointed out that with XACML 2.0 (or any version really) you can protect operations such as CRUD on a repository. However this approach would not let you control the scope of capabilities of a person editing policies.
     
    I suppose we could have consider using XPATH functions to introspect policy contents, but I think the result would have made it very hard to understand the intent of administrative policies.
     
    For whatever reasons this approach was not seriously considered and instead we chose the scheme you see in the Admin Profile.
     
    Influenced by the requirement to be allowed to provide policies along with the request, we formulated Reduction as a policy decision time process instead of an administration time process. Since the current scheme allows access policies and their enabling administrative polices to reference distinct attributes, there is no good way to determine if an access policy is in force, except in the context of a particular decision.
     
    Hal

     


  • 3.  Re: [xacml] FW: some little questions

    Posted 07-17-2009 08:46
    Jan,
    
    I was involved in the design of the administration profile. It is as Hal 
    says that it is difficult to provide access control using XACML/CRUD if 
    one wants to restrict the scope of administrative rights. It might be 
    possible to implement XACML/CRUD, but I have found it to be difficult 
    understand the safety of these kind of models. Academic research has 
    shown that many (most?) protection models are undecidable. It would be 
    an interesting research question to study whether it would be possible 
    to design an XACML/CRUD model with certain limitations which makes it safe.
    
    And the main reason why reduction is an policy decision time process 
    instead of a administration time process is that in general it is very 
    difficult to implement comparison of two XACML policies to implement the 
    restriction of policy scope feature. With an administration time process 
    it would be necessary to compare two XACML policies to check whether one 
    of them is a subset of another in their scope. At decision time it is a 
    simple matter of simply evaluating both policies and checking that they 
    both say permit, by which the end result is that administrative scope is 
    restricted.
    
    In some cases the delegation model might be overkill. If you have a 
    bunch of trusted administrators who should be allowed to do anything, it 
    could be simpler to use XACML or any simple access control list to 
    control access there.
    
    Another simple approach to separate administrative scope is to use 
    entirely separate PDP instances which are used for different resources.
    
    Best regards,
    Erik
    
    
    
    Harold Lockhart wrote:
    > Perhaps I gave the wrong impression about protecting a policy repository.
    >  
    > During the discussons which led to XACML 3.0 it was pointed out that 
    > with XACML 2.0 (or any version really) you can protect operations such 
    > as CRUD on a repository. However this approach would not let you 
    > control the scope of capabilities of a person editing policies.
    >  
    > I suppose we could have consider using XPATH functions to introspect 
    > policy contents, but I think the result would have made it very hard 
    > to understand the intent of administrative policies.
    >  
    > For whatever reasons this approach was not seriously considered and 
    > instead we chose the scheme you see in the Admin Profile.
    >  
    > Influenced by the requirement to be allowed to provide policies along 
    > with the request, we formulated Reduction as a policy decision time 
    > process instead of an administration time process. Since the current 
    > scheme allows access policies and their enabling administrative 
    > polices to reference distinct attributes, there is no good way to 
    > determine if an access policy is in force, except in the context of a 
    > particular decision.
    >  
    > Hal
    >
    >