OASIS eXtensible Access Control Markup Language (XACML) TC

Expand all | Collapse all

Multiple Decison Request Proposal

  • 1.  Multiple Decison Request Proposal

    Posted 01-14-2009 06:13
    Last Thursday I promised to propose a scheme asking for multiple decisions in a single request. It was agreed that a request could specify arbitrary combinations of attribute categories (with no duplicates), but that the actual attribute values would only be specified once. The scheme would not require the entire cross product of all combinations to be used, but rather specific combinations could be specified.
    
    After thinking about it for a bit, I concluded the following.
    
    1. I would propose a prefix of lists of items to be used in decisions as we previously discussed. This list uses references to XML Id Attributes to indicate which set of attributes to use.
    
    2. Since all categories could be specified (not just Resource and Action), it would be too confusing to allow for the cross product of the duplicate category types in each list to be specified. Instead I am proposing lists of exactly the attribute category values from which a virtual request context for each decision is constructed.
    
    3. The prior scheme of echoing back selected attribute values to correlate requests and responses would become too cumbersome and potentially ambiguous. Instead, I am proposing the an arbitrary string label on each decision list (specifically an XML attribute called CorrelationId) be used for this purpose.
    
    4. It seems to me that it might be a good idea to retain the Multi-Resource Profile in much the same form as in 2.0 and define a totally new Multi-Decision Profile using this scheme.
    
    Here is roughly how this new style of request would look.
    
    
    
    
    Let's discuss this on the call and then I can proceed to define Schema and text.
    
    Hal
    
    


  • 2.  Re: [xacml] Multiple Decison Request Proposal

    Posted 01-14-2009 14:49
    Hi Hal,
    
    I think this looks good.
    
    I think it is a good idea to separate this functionality from the old 
    multiple resource. I'm not sure if we need a separate document for it. A 
    separate chapter in the existing profile might be good enough. We 
    already have several modes of multiple requests there.
    
    I think the 


  • 3.  RE: [xacml] Multiple Decison Request Proposal

    Posted 01-14-2009 17:19
    [comments inline]
    
    > 


  • 4.  Re: [xacml] Multiple Decison Request Proposal

    Posted 01-14-2009 18:08
    Hi Hal,
    
    >> I think the 


  • 5.  RE: [xacml] Multiple Decison Request Proposal

    Posted 01-14-2009 18:26
    > >> I think the 


  • 6.  Re: [xacml] Multiple Decison Request Proposal

    Posted 01-15-2009 04:24
    
    
      
    
    
    Hi Hal and Erik,

    I agree w the overall thrust of this profile effort and I think Hal's original suggestion of having a prefix element, <DecisionLists>, conceptually is not inconsistent with the existing multi-resource profile, because in theory, I believe that the existing multi-resource profile violates the notion of a "simple core schema", because it already requires external pre-processing of the request in order to only pass one resource at a time to the PDP.

    This was an issue that caused me some problems understanding exactly what the "core schema" was, however, the discussion earlier with Erik, I think clarified that situation better, namely that each Attributes element in a "regular XACML request" must have a different Category; i.e. in a single XACML request to be processed by the rules in the core spec, there may not be more than one <Attributes> element with the same Attributes@Category xml attribute.

    As a result, this forces even the existing multi-resource profile into a "pre-processor" unspecified domain.

    The Subject Inconsistencies issue was related to this in that extending the multi-profile to include Subject as well as Action, Environment, and Resource, was problematic because Subject inherently had multiple Categories already, and for 2.0 that was ok, because there was no multi-subject and these subjects never got broken up. However, the 3.0 multi-profile breaks that, and as was discussed, maybe it's not all that bad if people understand it and choose how they want to do this.

    However, Hal's proposal, can easily include cross-products of arbitrary complexity by simply including multiple <ListReference> elements that point to <Attributes> elements with the same @Category. For example:

    <DecisionList CorrelationId="FirstDecision">
      <ListReference URI="Sub1"/> 
      <ListReference URI="Env"/>
      <ListReference URI="Res1"/>
      <ListReference URI="Res2"/>
      <ActionReference URI="Act1"/>
      <ActionReference URI="Act2"/>
    </DecisionList>
    would result in 4 requests issued to the pdp for (R1,A1), (R1,A2), (R2,A1), (R2,A2).
    This approach would contain everything for existing cross-product 2.0 and 3.0 profiles, as well as more specific pruning of the request lists w singleton <DecisionList> elements.

        Thanks,
        Rich



    Hal Lockhart wrote:
    I think the <Request> element should be called something else, and this
    could have its own schema. Maybe "<MultiRequest>"?
    
    
            
    <Request> is the existing outer element of a Request context. My notion
          
    is that <DecisionsLists> is an optional element which appears prior to the
    first <Attributes> element.
        
    Yes, but I thought that it would perhaps be better to not put this
    boxcarring stuff into the core schema, but in it's own schema. I think
    it would be neater if we have a "simple" core schema which defines the
    processing model. Additional preprocessing and transport formats would
    go into another schemas.
    
    But I don't feel too strongly about it, and importing schema files can
    be a bit of an annoyance to work with given the current state of XML
    parsers.
        
    
    First of all as I have said several times, I only see this feature as being important when a remote PDP is used. (In fact I don't think an imbedded PDP should be using an XML Request Context at all.)
    
    Given that, I have no strong preference for how we deal with the schemas. I would like to hear from implementers on this issue.
    
    Hal
    
    
    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
    
      


  • 7.  RE: [xacml] Multiple Decison Request Proposal

    Posted 01-15-2009 14:31
    Rich's recent comment (which I agree with) drew my attention to a mistake I made in my original message.
    
    It was my intention that all the elements within 


  • 8.  RE: [xacml] Multiple Decison Request Proposal

    Posted 01-21-2009 19:22
    On the last call I agreed we should drop the idea of an XML Attribute called CorrelationId as a means to correlate requests and responses. The idea discussed on the call was to use the previously proposed scheme of marking selected XACML Attributes with the XML Attribute "IncludeInResponse", thus causing the PDP to echo back their values in the Response.
    
    I expressed concerned about the fact that, especially when specifying subjects, there might be no attribute present which uniquely identifies an entity. Eric suggested that if necessary the PEP could provide "synthetic" XACML Attributes which would not be referenced by policy, but could be used to perform correlation.
    
    After thinking about this further, I think there is still a problem.  Suppose we have two subjects Jack and Jill. Jill is a Doctor and Jack is a Nurse. Suppose we want to test access in 2 cases, with each as Access Subject (AS) and the other as Recipient Subject (RS) categories, holding Env, Resource and Action constant. In other words, the cases are:
    
    AS=Jack Role=Nurse
    RS=Jill Role=Doctor
    Env
    Res
    Act
    
    AS=Jill Role=Doctor
    RS=Jack Role=Nurse
    Env
    Res
    Act
    
    Obviously if we simply ask to have Role (Doctor or Nurse) returned, we will not be able to distinguish between the two cases above. However even if we add a synthetic attribute, such as Name (Jack or Jill), we still cannot distinguish the two cases. (since order has no significance) What is required is that the synthetic attribute values also reflect the subject category. (Or more generally the category, since XACML does not rule out the possibility that different categories may share the same attributes)
    
    So if we add a name Attribute to the 


  • 9.  Re: [xacml] Multiple Decison Request Proposal

    Posted 01-22-2009 06:04
    Hi Hal,
    
    The IncludeInResult returns also the attribute category, so what you
    describe is not an issue. See the example below.
    
    Best regards,
    Erik
    
       2 
    
    
    Hal Lockhart wrote:
    > On the last call I agreed we should drop the idea of an XML Attribute called CorrelationId as a means to correlate requests and responses. The idea discussed on the call was to use the previously proposed scheme of marking selected XACML Attributes with the XML Attribute "IncludeInResponse", thus causing the PDP to echo back their values in the Response.
    >
    > I expressed concerned about the fact that, especially when specifying subjects, there might be no attribute present which uniquely identifies an entity. Eric suggested that if necessary the PEP could provide "synthetic" XACML Attributes which would not be referenced by policy, but could be used to perform correlation.
    >
    > After thinking about this further, I think there is still a problem.  Suppose we have two subjects Jack and Jill. Jill is a Doctor and Jack is a Nurse. Suppose we want to test access in 2 cases, with each as Access Subject (AS) and the other as Recipient Subject (RS) categories, holding Env, Resource and Action constant. In other words, the cases are:
    >
    > AS=Jack Role=Nurse
    > RS=Jill Role=Doctor
    > Env
    > Res
    > Act
    >
    > AS=Jill Role=Doctor
    > RS=Jack Role=Nurse
    > Env
    > Res
    > Act
    >
    > Obviously if we simply ask to have Role (Doctor or Nurse) returned, we will not be able to distinguish between the two cases above. However even if we add a synthetic attribute, such as Name (Jack or Jill), we still cannot distinguish the two cases. (since order has no significance) What is required is that the synthetic attribute values also reflect the subject category. (Or more generally the category, since XACML does not rule out the possibility that different categories may share the same attributes)
    >
    > So if we add a name Attribute to the 


  • 10.  Re: [xacml] Multiple Decison Request Proposal

    Posted 01-22-2009 07:30
    
    
      
    
    
    Hi Erik,

    I still believe there is potential ambiguity if there are multiple Resource (or other) elements w same resource-id but different accompanying attributes. For example you might want to test what decisions come back based on varying sets of attrs accompanying the same resource-id.

    The point is that the combination of category and any contained attribute values is not guaranteed to be unique in a multi-request.

    I think the only way to guarantee uniqueness is to assign unique identifiers to each instance of an Attributes element with common CategoryId in a given request and return these identifiers in the response generated from the decision where the instance was used.

        Thanks,
        Rich


    Erik Rissanen wrote:
    49780C54.7050406@axiomatics.com" type="cite">
    Hi Hal,
    
    The IncludeInResult returns also the attribute category, so what you
    describe is not an issue. See the example below.
    
    Best regards,
    Erik
    
       2 <xacml-ctx:Response
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-06">
       3   <xacml-ctx:Result>
       4     <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
       5     <xacml-ctx:Attributes
    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
       6       <xacml-ctx:Attribute
    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    IncludeInResult="true">
       7         <xacml-ctx:AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/MargeSimpson</xacml-ctx:AttributeValue>
       8       </xacml-ctx:Attribute>
       9     </xacml-ctx:Attributes>
      10     <xacml-ctx:Status>
      11       <xacml-ctx:StatusCode
    Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
      12     </xacml-ctx:Status>
      13   </xacml-ctx:Result>
      14   <xacml-ctx:Result>
      15     <xacml-ctx:Decision>NotApplicable</xacml-ctx:Decision>
      16     <xacml-ctx:Attributes
    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      17       <xacml-ctx:Attribute
    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    IncludeInResult="true">
      18         <xacml-ctx:AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/LisaSimpson</xacml-ctx:AttributeValue>
      19       </xacml-ctx:Attribute>
      20     </xacml-ctx:Attributes>
      21     <xacml-ctx:Status>
      22       <xacml-ctx:StatusCode
    Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
      23     </xacml-ctx:Status>
      24   </xacml-ctx:Result>
      25   <xacml-ctx:Result>
      26     <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
      27     <xacml-ctx:Attributes
    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      28       <xacml-ctx:Attribute
    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    IncludeInResult="true">
      29         <xacml-ctx:AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/HomerSimpson</xacml-ctx:AttributeValue>
      30       </xacml-ctx:Attribute>
      31     </xacml-ctx:Attributes>
      32     <xacml-ctx:Status>
      33       <xacml-ctx:StatusCode
    Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
      34     </xacml-ctx:Status>
      35   </xacml-ctx:Result>
      36   <xacml-ctx:Result>
      37     <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
      38     <xacml-ctx:Attributes
    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      39       <xacml-ctx:Attribute
    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    IncludeInResult="true">
      40         <xacml-ctx:AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</xacml-ctx:AttributeValue>
      41       </xacml-ctx:Attribute>
      42     </xacml-ctx:Attributes>
      43     <xacml-ctx:Status>
      44       <xacml-ctx:StatusCode
    Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
      45     </xacml-ctx:Status>
      46   </xacml-ctx:Result>
      47   <xacml-ctx:Result>
      48     <xacml-ctx:Decision>NotApplicable</xacml-ctx:Decision>
      49     <xacml-ctx:Attributes
    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      50       <xacml-ctx:Attribute
    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    IncludeInResult="true">
      51         <xacml-ctx:AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/MaggieSimpson</xacml-ctx:AttributeValue>
      52       </xacml-ctx:Attribute>
      53     </xacml-ctx:Attributes>
      54     <xacml-ctx:Status>
      55       <xacml-ctx:StatusCode
    Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
      56     </xacml-ctx:Status>
      57   </xacml-ctx:Result>
      58 </xacml-ctx:Response>
    
    
    Hal Lockhart wrote:
      
    On the last call I agreed we should drop the idea of an XML Attribute called CorrelationId as a means to correlate requests and responses. The idea discussed on the call was to use the previously proposed scheme of marking selected XACML Attributes with the XML Attribute "IncludeInResponse", thus causing the PDP to echo back their values in the Response.
    
    I expressed concerned about the fact that, especially when specifying subjects, there might be no attribute present which uniquely identifies an entity. Eric suggested that if necessary the PEP could provide "synthetic" XACML Attributes which would not be referenced by policy, but could be used to perform correlation.
    
    After thinking about this further, I think there is still a problem.  Suppose we have two subjects Jack and Jill. Jill is a Doctor and Jack is a Nurse. Suppose we want to test access in 2 cases, with each as Access Subject (AS) and the other as Recipient Subject (RS) categories, holding Env, Resource and Action constant. In other words, the cases are:
    
    AS=Jack Role=Nurse
    RS=Jill Role=Doctor
    Env
    Res
    Act
    
    AS=Jill Role=Doctor
    RS=Jack Role=Nurse
    Env
    Res
    Act
    
    Obviously if we simply ask to have Role (Doctor or Nurse) returned, we will not be able to distinguish between the two cases above. However even if we add a synthetic attribute, such as Name (Jack or Jill), we still cannot distinguish the two cases. (since order has no significance) What is required is that the synthetic attribute values also reflect the subject category. (Or more generally the category, since XACML does not rule out the possibility that different categories may share the same attributes)
    
    So if we add a name Attribute to the <Attributes> elements, we must chose values like "Jack-AS", " Jack-RS", "Jill-AS", "Jill-RS", so we can distinguish the cases. I have also found a number of cases where technically there is no ambiguity in correlating the responses to the requests, but in practice the processing will be greatly simplified by using synthetic attributes with judiciously chosen values.
    
    My conclusion is that the scheme we agreed on during the meeting is workable, but we need to include text which discusses the issues concerning unambiguous and efficient correlation.
    
    Please tell me if my analysis is correct or if there are other problematic cases I have not considered.
    
    Hal
    
      
        


    Original Message----- From: Hal Lockhart [mailto:hal.lockhart@oracle.com] Sent: Wednesday, January 14, 2009 1:12 AM To: xacml@lists.oasis-open.org Subject: [xacml] Multiple Decison Request Proposal Last Thursday I promised to propose a scheme asking for multiple
    decisions
        
          
    in a single request. It was agreed that a request could specify
          
            
    arbitrary
        
          
    combinations of attribute categories (with no duplicates), but that the
    actual attribute values would only be specified once. The scheme would
          
            
    not
        
          
    require the entire cross product of all combinations to be used, but
    rather specific combinations could be specified.
    
    After thinking about it for a bit, I concluded the following.
    
    1. I would propose a prefix of lists of items to be used in decisions as
    we previously discussed. This list uses references to XML Id Attributes
          
            
    to
        
          
    indicate which set of attributes to use.
    
    2. Since all categories could be specified (not just Resource and
          
            
    Action),
        
          
    it would be too confusing to allow for the cross product of the
          
            
    duplicate
        
          
    category types in each list to be specified. Instead I am proposing
          
            
    lists
        
          
    of exactly the attribute category values from which a virtual request
    context for each decision is constructed.
    
    3. The prior scheme of echoing back selected attribute values to
          
            
    correlate
        
          
    requests and responses would become too cumbersome and potentially
    ambiguous. Instead, I am proposing the an arbitrary string label on each
    decision list (specifically an XML attribute called CorrelationId) be
          
            
    used
        
          
    for this purpose.
    
    4. It seems to me that it might be a good idea to retain the Multi-
    Resource Profile in much the same form as in 2.0 and define a totally
          
            
    new
        
          
    Multi-Decision Profile using this scheme.
    
    Here is roughly how this new style of request would look.
    
    
    <Request>
    
      <DecisionLists>
    
        <DecisionList CorrelationId="FirstDecision">
    
            <ListReference URI="Sub1"/>
    
            <ListReference URI="Env"/>
    
            <ListReference URI="Res1"/>
    
            <ActionReference URI="Act1"/>
    
    
        </DecisionList>
    
    
        <DecisionList CorrelationId="SecondDecision">
    
            <ListReference URI="Sub1"/>
    
            <ListReference URI="Sub2"/>
    
            <ListReference URI="Env"/>
    
            <ListReference URI="Res2"/>
    
            <ListReference URI="Act2"/>
    
        </DecisionList>
    
    
        <DecisionList CorrelationId="ThirdDecision">
    
            <ListReference URI="Sub3"/>
    
            <ListReference URI="Env"/>
    
            <ListReference URI="Res1"/>
    
            <ListReference URI="Act2"/>
    
        </DecisionList>
    
    
        <DecisionList ... >
        ...
    
        </DecisionList>
    
    
      </DecisionLists>
    
    
        <Attributes Category="Access_Subject" XML:Id="Sub1">
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
        </Attributes>
    
        <Attributes Category="Intemediary_Subject" XML:Id="Sub2">
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
        </Attributes>
    
    
        <Attributes Category="Intemediary_Subject" XML:Id="Sub3">
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
        </Attributes>
    
       <Attributes Category="Environment" XML:Id="Env">
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
        </Attributes>
    
        <Attributes Category="Resource" XML:Id="Res1">
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
        </Attributes>
    
    
        <Attributes Category="Resource" XML:Id="Res2">
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
        </Attributes>
    
        <Attributes Category="Action" XML:Id="Act1">
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
        </Attributes>
    
        <Attributes Category="Action" XML:Id="Act2">
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
          <Attribute>
          ...
          </Attribute>
    
        </Attributes>
    
    
    ...
    
    
    </Request>
    
    Let's discuss this on the call and then I can proceed to define Schema
          
            
    and
        
          
    text.
    
    Hal
    
    
    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
    
          
            
    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
    
        
          
    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
    
      
        
    
    
    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
    
      


  • 11.  Re: [xacml] Multiple Decison Request Proposal

    Posted 01-22-2009 08:43
    Hi Rich,
    
    Yes, but this is where we discussed the "artificial" attributes. Like this:
    
    
    
    It should work, though it's more verbose than using an id for the 
    attributes element. It's also more general, but I'm not sure what that 
    is worth.
    
    Best regards,
    Erik
    
    Rich.Levinson wrote:
    > Hi Erik,
    >
    > I still believe there is potential ambiguity if there are multiple 
    > Resource (or other) elements w same resource-id but different 
    > accompanying attributes. For example you might want to test what 
    > decisions come back based on varying sets of attrs accompanying the 
    > same resource-id.
    >
    > The point is that the combination of category and any contained 
    > attribute values is not guaranteed to be unique in a multi-request.
    >
    > I think the only way to guarantee uniqueness is to assign unique 
    > identifiers to each instance of an Attributes element with common 
    > CategoryId in a given request and return these identifiers in the 
    > response generated from the decision where the instance was used.
    >
    >     Thanks,
    >     Rich
    >
    >
    > Erik Rissanen wrote:
    >> Hi Hal,
    >>
    >> The IncludeInResult returns also the attribute category, so what you
    >> describe is not an issue. See the example below.
    >>
    >> Best regards,
    >> Erik
    >>
    >>    2 
    >>
    >>
    >> Hal Lockhart wrote:
    >>   
    >>> On the last call I agreed we should drop the idea of an XML Attribute called CorrelationId as a means to correlate requests and responses. The idea discussed on the call was to use the previously proposed scheme of marking selected XACML Attributes with the XML Attribute "IncludeInResponse", thus causing the PDP to echo back their values in the Response.
    >>>
    >>> I expressed concerned about the fact that, especially when specifying subjects, there might be no attribute present which uniquely identifies an entity. Eric suggested that if necessary the PEP could provide "synthetic" XACML Attributes which would not be referenced by policy, but could be used to perform correlation.
    >>>
    >>> After thinking about this further, I think there is still a problem.  Suppose we have two subjects Jack and Jill. Jill is a Doctor and Jack is a Nurse. Suppose we want to test access in 2 cases, with each as Access Subject (AS) and the other as Recipient Subject (RS) categories, holding Env, Resource and Action constant. In other words, the cases are:
    >>>
    >>> AS=Jack Role=Nurse
    >>> RS=Jill Role=Doctor
    >>> Env
    >>> Res
    >>> Act
    >>>
    >>> AS=Jill Role=Doctor
    >>> RS=Jack Role=Nurse
    >>> Env
    >>> Res
    >>> Act
    >>>
    >>> Obviously if we simply ask to have Role (Doctor or Nurse) returned, we will not be able to distinguish between the two cases above. However even if we add a synthetic attribute, such as Name (Jack or Jill), we still cannot distinguish the two cases. (since order has no significance) What is required is that the synthetic attribute values also reflect the subject category. (Or more generally the category, since XACML does not rule out the possibility that different categories may share the same attributes)
    >>>
    >>> So if we add a name Attribute to the 


  • 12.  RE: [xacml] Multiple Decison Request Proposal

    Posted 01-22-2009 21:06
    As of today's meeting I believe we are down to deciding how to do correlation. The alternative previously proposed is to use the IncludeInResponse mechanism. This may involve submitting synthetic attributes, not referenced by policy, simply to correlate requests and decisions.
    
    The new idea (at least to me) is to move my previously proposed XML Attribute - CorrelationID - to the 


  • 13.  Re: [xacml] Multiple Decison Request Proposal

    Posted 01-23-2009 09:07
    Hi Hal,
    
    I just realized that the CorrelationId will not work, and we need the 
    IncludeInResult.
    
    The existing 2.0 multiple resource profile defines a few more modes of 
    multiple requests than multiple 


  • 14.  Re: [xacml] Multiple Decison Request Proposal

    Posted 01-24-2009 04:21
    
    
      
    
    
    Hi Erik, Hal, and TC,

    There have been a lot of emails on this issue so far, but I think we are at the point where all the ambiguities and potential missing pieces have been accounted for, so I will try to summarize where I think the proposal currently stands.

    First of all here are some reference emails that have examples that show different aspects of the proposed solution:
    Based on the analysis that has been done, I have a few recommendations that, at least to me, appear to be important enough to itemize as suggestions for the specifications.

    For the 3.0 Core spec:
    1. It became inferentially apparent that a fundamental "rule" is that a Request context that is processed by the PDP must have at most 1 <Attributes> element with a specific Category. I recommend that this be explicitly stated in section 5.35 in the description of the <Attributes> [One to Many] element. What is there now is not unambiguous in this regard, and I recommend it be tightened up.
    2. Similarly, I think explicit text should be in Section 5.37 for the Category [Required] description. i.e. specify that while multiple <Attributes> elements with the same Category are allowed in the Request element, that for the purpose of making an authorization decision, only one <Attributes> element per Category is allowed.
    3. Section 5.39 under explanation of IncludeInResult [Default false] I recommend that when included in Result the Attribute will be parented by its <Attributes w @Category> element. Also if multiple <Attribute> elements within one Category are tagged, then they will share the parent.
    4. Section 5.41 under explanation of <Attributes> element, I recommend that it be explicitly stated that there will be one <Attributes> element for each @Category in the Request that contained an @IncludeInResult.
    For the 3.0 Multi-Decision spec:

    1. I recommend that at least for the multi-Attributes @Category mechanism that a clear explanation be included that without DecisionLists, that there is an inferential n-dimensional cross-product applied, where n is the number of @Categories that  have multiple <Attributes> elements within the Request. So, for example if there are 3 Category attrs, say cat1, cat2, cat3 that occur in multiple <Attributes> elements, for example let's say there are 4 <Attributes> elements w cat1, 4 with cat2, and 3 w cat3, then there will inferentially be 4x4x3 = 48 individual Requests generated to the PDP, each of which will have a Result element in the Response. It would also be worth noting that if there are additional single element Category attrs, say cat4, cat5, and cat6, that the <Attributes> element for each of those Category attrs will be evaluated in all 48 decisions. i.e. all 48 decisions will be based on cat1,cat2,cat3,cat4,cat5,cat6, where 4,5,6 remain constant thru the process and 1,2,3 are incremented as if to visit every cell in a 4x4x3 3-dimensional matrix in this particular example.
    2. I recommend that the DecisionLists mechanism be introduced as an augmentation to the n-dimesional matrix in 1 above. i.e. given the 48 decisions above, I think that DecisionLists can be used to pare down the list so that the full n-dimensional cross product does not get evaluated. i.e. The DecisionLists would override the inferential processing if they were present.
      • For example, if we really didn't want the 4x4 portion above but were really interested in 2 2x2 portions, there could be 2 DecisionLists up front that contained the following elements:
        • cat11,cat12,cat21,cat22,cat31,cat32,cat33,cat4,cat5,cat6
        • cat33,cat34,cat43,cat44,cat31,cat32,cat33,cat4,cat5,cat6
      • Each of the above DecisionLists would produce 2x2x3 = 12 results for a total of 24 results.
      • i.e. the suggestion is that the presence of DecisionLists simply override the inferential multiple effect of the <Attributes> elements themselves and transfer the inferential effect to the multiple category instances w same category to within each list.
      • i.e. the presence of the DecisionLists would effectively say: regard the actual <Attributes> elements as a pool of referencable entities and process the request as if multiple Request elements had come in with <Attributes> elements listed in the DecisionList, and process inferentially on that basis. Everything would be returned in a single response.
    3. The only lingering "annoyance" is that the DecisionLists address the <Attributes> elements by the xml:id, whereas within the inferential processing we need to reference for correlation purposes based on an internal IncludeInResult attribute. This is not a show-stopper of any sort, but it does appear that there are 2 mechanisms effectively used to identify the same <Attributes> element. A couple of considerations:
      • It would seem that xml:id for <Attributes> elements that only had a single instance is more than is needed since one could theoretically simply identify these single instance elements by identifying their Category value.
      • It seems that what's needed for the DecisionLists that are going to use multiple <Attributes> elements with the same Category is something within the <Attributes> element that distinguishes it from the other <Attributes> elements of the same Category. This seems to be deja vu all over again (sic) wrt the analysis that left us with the "synthetic attributes" as the ultimate decider for those cases where nothing else would work
        http://lists.oasis-open.org/archives/xacml/200901/msg00049.html
      • Therefore, I am tentatively suggesting that a usable alternative to URI,xml:id might be @Category.value(index), where "index" would be the value of a synthetic attribute within the <Attributes @Category> element with AttributeId="...multiple-request:unique-id".
    I believe everything above, is essentially pretty much identifying what has already been decided and putting it all in one place, at least wrt 3.0 Core spec, plus I think that comment 1 for multi-decision is simply stating what has already been agreed, comment 2 is some clarification on how DecisionLists could be viewed and used, and comment 3 admittedly is something "new" to address what appears to me to be a lingering "rough spot" in what has been decided so far.

    Comments and suggestions are welcome.

        Thanks,
        Rich


    Erik Rissanen wrote:
    497988C9.3060000@axiomatics.com" type="cite">Hi Hal,

    I just realized that the CorrelationId will not work, and we need the IncludeInResult.

    The existing 2.0 multiple resource profile defines a few more modes of multiple requests than multiple <Resource> elements. For instance, it is possible to specify multiple request in the form of an xpath expression on the <ResourceContent>, where each node the xpath matches will generate an individual request. Like this for instance:

      2 <Request
      3       xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
      4       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      5       xmlns:md="http://www.medico.com/schemas/record"
      6       xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
      7       xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
      8         access_control-xacml-2.0-context-schema-os.xsd">
      9     <Subject>
     10         <Attribute
     11               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
     12               DataType="http://www.w3.org/2001/XMLSchema#string">
     13             <AttributeValue>Julius Hibbert</AttributeValue>
     14         </Attribute>
     15     </Subject>
     16     <Resource>
     17         <ResourceContent>
     18                 <md:record>
     19                 <md:patient_info>
     20                     <md:name>Bart Simpson</md:name>
     21                     <md:age>60</md:age>
     22                     <md:sex>male</md:sex>
     23                     <md:health_insurance>123456</md:health_insurance>
     24                 </md:patient_info>
     25                 <md:diagnosis_info>
     26                     <md:diagnosis>
     27                         <md:item type="primary">Gastric Cancer</md:item>
     28                         <md:item type="secondary">Hyper tension</md:item>
     29                     </md:diagnosis>
     30                     <md:pathological_diagnosis>
     31                         <md:diagnosis>
     32                             <md:item type="primary">Well differentiated adeno carcinoma</md:item>
     33                         </md:diagnosis>
     34                         <md:date>2000-10-05</md:date>
     35                         <md:malignancy type="yes"/>
     36                     </md:pathological_diagnosis>
     37                 </md:diagnosis_info>                38             </md:record>
     39         </ResourceContent>
     40         <Attribute\r
     41               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
     42               DataType="http://www.w3.org/2001/XMLSchema#string">
     43             <AttributeValue>*[local-name()='Resource'][namespace-uri()='urn:oasis:names:tc:xacml:2.0:context:schema:os']/*[local-name()='ResourceContent'][namespace-uri()='urn:oasis:names:tc:xacml:2.0:context:schema:os']/*[local-name()='record'][namespace-uri()='http://www.medico.com/schemas/record']/*[local-name()='patient_info'][namespace-uri()='http://www.medico.com/schemas/record']/*[self::*[local-name()='name'][namespace-uri()='http://www.medico.com/schemas/record'] or self::*[local-name()='age'][namespace-uri()='http://www.medico.com/schemas/record']]/descendant-or-self::node()</AttributeValue>
     44         </Attribute>
     45         <Attribute
     46               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:scope"
     47               DataType="http://www.w3.org/2001/XMLSchema#string">
     48             <AttributeValue>XPath-expression</AttributeValue>
     49         </Attribute>
     50     </Resource>
     51     <Action>
     52         <Attribute
     53               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
     54               DataType="http://www.w3.org/2001/XMLSchema#string">
     55             <AttributeValue>read</AttributeValue>
     56         </Attribute>
     57     </Action><Environment/></Request>

    From this request there will be multiple results, but there is only one <Resource> element. Each result will contain a specific ResourceId XML attribute for correlation purposes.

    In the corresponding 3.0 multiple request, it will be necessary to use the IncludeInResult since there are not multiple Attribute elements, which could be used for correlation, even if they had a CorrelationId.

    So I think we should drop the CorrelationId proposal, and if necessary, people will have to use a synthetic XACML attribute for correlation.

    Best regards,
    Erik


    Hal Lockhart wrote:
    As of today's meeting I believe we are down to deciding how to do correlation. The alternative previously proposed is to use the IncludeInResponse mechanism. This may involve submitting synthetic attributes, not referenced by policy, simply to correlate requests and decisions.

    The new idea (at least to me) is to move my previously proposed XML Attribute - CorrelationID - to the <Attributes> element instead of having it in the <DecisionList> element.

    This seems clearer to me, but others should express their opinions. The new scheme would look something like this:

    <Request>

      <DecisionLists>

        <DecisionList>

            <ListReference URI="Sub1"/>

            <ListReference URI="Env"/>

            <ListReference URI="Res1"/>

            <ListReference URI="Act1"/>


        </DecisionList>


        <DecisionList>

            <ListReference URI="Sub1"/>

            <ListReference URI="Sub2"/>

            <ListReference URI="Env"/>

            <ListReference URI="Res2"/>

            <ListReference URI="Act2"/>

        </DecisionList>


        <DecisionList>

            <ListReference URI="Sub3"/>

            <ListReference URI="Env"/>

            <ListReference URI="Res1"/>

            <ListReference URI="Act2"/>

        </DecisionList>


        <DecisionList ... >
        ...

        </DecisionList>


      </DecisionLists>


        <Attributes Category="Access_Subject" XML:Id="Sub1" CorrelationId="FirstSubject">

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

        </Attributes>

        <Attributes Category="Intemediary_Subject" XML:Id="Sub2" CorrelationId="SecondSubject">

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

        </Attributes>


        <Attributes Category="Intemediary_Subject" XML:Id="Sub3" CorrelationId="ThirdSubject">

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

        </Attributes>

       <Attributes Category="Environment" XML:Id="Env">

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

        </Attributes>

        <Attributes Category="Resource" XML:Id="Res1" CorrelationId="FirstResource">

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

        </Attributes>


        <Attributes Category="Resource" XML:Id="Res2" CorrelationId="Secondresource">

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

        </Attributes>

        <Attributes Category="Action" XML:Id="Act1" CorrelationId="FirstAction">

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

        </Attributes>

        <Attributes Category="Action" XML:Id="Act2" CorrelationId="SecondAction">

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

          <Attribute>
          ...
          </Attribute>

        </Attributes>


    ...


    </Request>


    Hal


    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
     


    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


  • 15.  Re: [xacml] Multiple Decison Request Proposal