OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Re: [xacml] Attribute Assertions in XACML request

    Posted 11-04-2010 03:08
    
    
    
    
    Hi All,
    I am posting this message on behalf of Greg Neven, as he has been experiencing some
    difficulty getting properly registered to post email to XACML TC.
    This message is relevant to the ongoing discussions from Greg's pres at last meeting,
    which will continue as subject of discussion tomorrow.
      Rich




  • 2.  Re: [xacml] Attribute Assertions in XACML request

    Posted 11-22-2010 02:46
    
    
      
    
    
    Hi Greg,

    I am not sure if you got the email issues straightened out, but in order to
    help move the thread along, I'll just include your direct email address.

    I went over your slide presentation again, and I am trying, in particular,
    to understand the xacml part of the issue as opposed to the saml part.

    On slide 17, you indicate a preference short term for approach 2, which
    I think sounds similar to the approach I would also recommend.

    You characterize it as:
    • Policy in terms of dedicated, locally defined boolean attributes.
    • PIP or PEP knows mapping to conditions over globally defined attributes
      e.g., urn:mypolicy:underage -> (urn:unitednations:birthdate <= 1992/09/10)
    • Values of local attributes passed in request context
    • Missing local attribute -> request corresponding condition over global attrs
    The way I look at situations like this, where information is need from an outside
    provider, is to define an attribute in the Policy that is known not to be included
    in the RequestContext, and has MustBePresent set, which will force the Policy
    to raise an Indeterminate condition, which can either be sent back to the PEP
    as MissingAttribute, or be intercepted during evaluation with a callout to the
    ContextHandler as is done in the SunXacml reference implementation.

    In the case at hand, I would have a condition that says:
      <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
          <SubjectAttributeDesignator
                AttributeId="urn:mypolicy:underage"
                DataType="http://www.w3.org/2001/XMLSchema#boolean"
                Issuer="trusted-authority" />
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
      </Condition>
    I think the above is correct, but, in any event, what it is attempting to say is
    that:
    For the Condition to be true:
      Look for an Attribute with AttributeId="urn:mypolicy:underage"
      And the value of this Attribute must be true (which I assume means the user is not underage)
    In general, this attribute would not be found in the RequestContext, so a callback would
    be initiated to try to find it. Given the name of the Issuer (="trusted-authority") the attr finder
    would know where to go with the request, which would be something like:
    Request attribute "global:underage" for user="xxx",
    which would return either true or false for user "xxx",
    which the attribute finder would return to the ContextHandler and policy evaluation,
    which could then be compared to the required value of "true".
    So, my question is: is this along the lines that you were thinking with Approach 2, and
    if so, then what more is needed, as I think this approach can be quite flexible for addressing
    this type of problem.

        Thanks,
        Rich




    Rich.Levinson wrote:
    4CD223A9.8040201@oracle.com" type="cite">Hi All,
    I am posting this message on behalf of Greg Neven, as he has been experiencing some
    difficulty getting properly registered to post email to XACML TC.
    This message is relevant to the ongoing discussions from Greg's pres at last meeting,
    which will continue as subject of discussion tomorrow.
      Rich




  • 3.  Re: [xacml] Attribute Assertions in XACML request

    Posted 11-24-2010 18:53
    
      
        
      
      
        Dear Rich,

    The scenario described is exactly what we had in mind for the simple solution. We are currently having a couple more internal discussions, but will post the promised details on the open issues tomorrow.

    You already touched on the main open issue, however:  it actually isn't quite clear to me to what extent the communication format for the "callout to the ContextHandler" for missing attributes is standardized, and if it is standardized, whether the format needs to be changed to support our use case.

    Best regards,
    Greg

    4CE9D913.9070308@oracle.com" type="cite"> Hi Greg,

    I am not sure if you got the email issues straightened out, but in order to
    help move the thread along, I'll just include your direct email address.

    I went over your slide presentation again, and I am trying, in particular,
    to understand the xacml part of the issue as opposed to the saml part.

    On slide 17, you indicate a preference short term for approach 2, which
    I think sounds similar to the approach I would also recommend.

    You characterize it as:
    • Policy in terms of dedicated, locally defined boolean attributes.
    • PIP or PEP knows mapping to conditions over globally defined attributes
      e.g., urn:mypolicy:underage -> (urn:unitednations:birthdate <= 1992/09/10)
    • Values of local attributes passed in request context
    • Missing local attribute -> request corresponding condition over global attrs
    The way I look at situations like this, where information is need from an outside
    provider, is to define an attribute in the Policy that is known not to be included
    in the RequestContext, and has MustBePresent set, which will force the Policy
    to raise an Indeterminate condition, which can either be sent back to the PEP
    as MissingAttribute, or be intercepted during evaluation with a callout to the
    ContextHandler as is done in the SunXacml reference implementation.

    In the case at hand, I would have a condition that says:
      <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
          <SubjectAttributeDesignator
                AttributeId="urn:mypolicy:underage"
                DataType="http://www.w3.org/2001/XMLSchema#boolean"
                Issuer="trusted-authority" />
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
      </Condition>
    I think the above is correct, but, in any event, what it is attempting to say is
    that:
    For the Condition to be true:
      Look for an Attribute with AttributeId="urn:mypolicy:underage"
      And the value of this Attribute must be true (which I assume means the user is not underage)
    In general, this attribute would not be found in the RequestContext, so a callback would
    be initiated to try to find it. Given the name of the Issuer (="trusted-authority") the attr finder
    would know where to go with the request, which would be something like:
    Request attribute "global:underage" for user="xxx",
    which would return either true or false for user "xxx",
    which the attribute finder would return to the ContextHandler and policy evaluation,
    which could then be compared to the required value of "true".
    So, my question is: is this along the lines that you were thinking with Approach 2, and
    if so, then what more is needed, as I think this approach can be quite flexible for addressing
    this type of problem.

        Thanks,
        Rich




    Rich.Levinson wrote:
    4CD223A9.8040201@oracle.com" type="cite">Hi All,
    I am posting this message on behalf of Greg Neven, as he has been experiencing some
    difficulty getting properly registered to post email to XACML TC.
    This message is relevant to the ongoing discussions from Greg's pres at last meeting,
    which will continue as subject of discussion tomorrow.
      Rich