OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Passing parameters to the attribute designator

    Posted 06-20-2008 07:25
    
    
    
    
    
    I believe there must be a case when the context handler must be given additional information to retrieve an attribute when using attribute designators. This additional information may be kept within the policies that reference the designator and will serve as parameters to the evaluation procedure of the designator. Naturally, this applies to only those cases when the attribute referenced is not actually present in the request context as XACMLv2.0 specification mentions how the referenced attributes must be matched when present in the request context.
     
    This additional context passed to the handler can be a property list/name-value pairs as the combiner parameters.
     
    Thoughts ?
     
    Regards,
    Anil


  • 2.  RE: [xacml] Passing parameters to the attribute designator

    Posted 07-04-2008 14:00
    
    
    
    
    
    More thoughts on this issue -
     
    If say, one had a user based policy, i.e., a policy set with the subject-id in the request matching so and so, stating that -
     
                               if 'user-location equals NY' then allow
     
    where 'user-location' is an attribute external to the request context and can be queried from the database as -
     
                               SELECT USER_LOCATION FROM LOCATION_MASTER WHERE USER_TYPE=?
     
    A context handler, in this case capable of executing DB queries, must be passed the USER_TYPE parameter that may not exist in the request context.
     
    This parameter may be kept with the policy or it is left to the context handler to figure how to obtain the user-location attribute given the information in the request context. In EPM (Cisco Enterprise Policy Manager), the former is possible, and ofcourse is part of the holistic solution to managing user/group/role(s) and policies. The notion of a context handler per se does not exist in EPM.
     
    Essentially, the point boils down to how one may view the SQL query, if it should be treated as part of the policy definition or otherwise. If it should be, then in my view, it begs for extensibility of the AttributeDesignator type in XACML by large. If it should not be, even then I believe there may still be a case to pass higher level metadata to the context handler, like the JDBC connection information.
     
    Regards,
    Anil


    From: Anil Tappetla (atappetl)
    Sent: Friday, June 20, 2008 12:46 PM
    To: xacml@lists.oasis-open.org
    Subject: [xacml] Passing parameters to the attribute designator

    I believe there must be a case when the context handler must be given additional information to retrieve an attribute when using attribute designators. This additional information may be kept within the policies that reference the designator and will serve as parameters to the evaluation procedure of the designator. Naturally, this applies to only those cases when the attribute referenced is not actually present in the request context as XACMLv2.0 specification mentions how the referenced attributes must be matched when present in the request context.
     
    This additional context passed to the handler can be a property list/name-value pairs as the combiner parameters.
     
    Thoughts ?
     
    Regards,
    Anil


  • 3.  Re: [xacml] Passing parameters to the attribute designator

    Posted 07-04-2008 14:21
    Anil and all,
    
    This issue falls under the broader issue of attribute provisioning, 
    which I think is very important and currently somewhat underspecified in 
    the XACML world. But this is much because by design XACML chose to 
    abstract away this kind of details. This kind of abstraction makes XACML 
    more generally applicable and adaptable to different environments and 
    growth over time.
    
    I think that the XACML context handler abstraction is a Good Thing and 
    that parameters such as keys for SQL queries or parameters of database 
    connections in a particular implementation do not belong in XACML 
    policies. Putting such parameters in the policy would break 
    interoperability between implementations.
    
    I think that the particular use case you propose is better handled as 
    part of the configuration of a particular context handler 
    implementation. The attribute id should be all that is in the policy. 
    How to look up the attribute is part of the configuration of the 
    implementation.
    
    If a more general solution is desired, I think it would be more 
    appropriate to do work on standardization on context handlers and their 
    configuration for widely used environments. Rich has raised these issues 
    in the TC and I am looking forward to pursue them once the XACML 3.0 
    core schema is "done". (Though I am not sure if this TC is always the 
    best place for such work.)
    
    So I am opposed to the proposed change in the XACML schema.
    
    Best regards,
    Erik
    
    Anil Tappetla (atappetl) wrote:
    > More thoughts on this issue -
    >  
    > If say, one had a user based policy, i.e., a policy set with the 
    > subject-id in the request matching so and so, stating that -
    >  
    >                            if 'user-location equals NY' then allow
    >  
    > where 'user-location' is an attribute external to the request context 
    > and can be queried from the database as -
    >  
    >                            SELECT USER_LOCATION FROM LOCATION_MASTER 
    > WHERE USER_TYPE=?
    >  
    > A context handler, in this case capable of executing DB queries, must 
    > be passed the USER_TYPE parameter that may not exist in the request 
    > context.
    >  
    > This parameter may be kept with the policy or it is left to the 
    > context handler to figure how to obtain the user-location attribute 
    > given the information in the request context. In EPM (Cisco Enterprise 
    > Policy Manager), the former is possible, and ofcourse is part of the 
    > holistic solution to managing user/group/role(s) and policies. The 
    > notion of a context handler per se does not exist in EPM.
    >  
    > Essentially, the point boils down to how one may view the SQL query, 
    > if it should be treated as part of the policy definition or otherwise. 
    > If it should be, then in my view, it begs for extensibility of the 
    > AttributeDesignator type in XACML by large. If it should not be, even 
    > then I believe there may still be a case to pass higher level metadata 
    > to the context handler, like the JDBC connection information.
    >  
    > Regards,
    > Anil
    >
    > ------------------------------------------------------------------------
    > *From:* Anil Tappetla (atappetl)
    > *Sent:* Friday, June 20, 2008 12:46 PM
    > *To:* xacml@lists.oasis-open.org
    > *Subject:* [xacml] Passing parameters to the attribute designator
    >
    > I believe there must be a case when the context handler must be given 
    > additional information to retrieve an attribute when using attribute 
    > designators. This additional information may be kept within the 
    > policies that reference the designator and will serve as parameters to 
    > the evaluation procedure of the designator. Naturally, this applies to 
    > only those cases when the attribute referenced is not actually present 
    > in the request context as XACMLv2.0 specification mentions how 
    > the referenced attributes must be matched when present in the request 
    > context.
    >  
    > This additional context passed to the handler can be a property 
    > list/name-value pairs as the combiner parameters.
    >  
    > Thoughts ?
    >  
    > Regards,
    > Anil
    
    


  • 4.  Re: [xacml] Passing parameters to the attribute designator

    Posted 07-04-2008 15:42
    Erik Rissanen wrote:
    > This issue falls under the broader issue of attribute provisioning, 
    > which I think is very important and currently somewhat underspecified in 
    > the XACML world. But this is much because by design XACML chose to 
    > abstract away this kind of details. This kind of abstraction makes XACML 
    > more generally applicable and adaptable to different environments and 
    > growth over time.
    > [...]
    > So I am opposed to the proposed change in the XACML schema.
    
    For what it's worth I agree with Erik here. This issue has actually come 
    up a couple of times before. As I recall, the last time was when Anne 
    and I were looking at some related issues, and she decided to take a 
    stab at starting to define some basic provisioning configuration. As it 
    (quickly) grew very complex, I was of the opinion that this is something 
    best configured separately, rather than trying to wedge it into the 
    already somewhat verbose policies.
    
    I think the main issue in my mind boils down to how people are likely to 
    use his feature. I have not yet come across any real-world scenarios 
    where people want to define different configuration within the same 
    policy for various Designators. This is the only strong argument I can 
    think of for including configuration in the policy itself. As long as 
    configuration is defined per-policy or, more likely, per-PDP, then doing 
    the configuration separately seems like a much cleaner approach.
    
    
    seth
    


  • 5.  RE: [xacml] Passing parameters to the attribute designator

    Posted 07-07-2008 15:30
    Let me re-project the problem after going through the responses, I
    wonder if it still interests the TC.
    
    I accept the point that the attribute identifier on the designator
    should be all that the context handler must use but it looks like there
    are cases where mapping attributes to queries is after all not problem
    free. An example being the query - get top n-elements from the stack,
    where 'n' is a variable. Policies may have to be written with 'n'
    hardcoded within to avoid a surplus of attribute identifiers to deal
    with.
    
    I assume the context handler remains unaware of the policies the PDP is
    evaluating and only serves callbacks from the PDP for attributes, and
    therefore do not think an additional context that maps the policy to 'n'
    would be available to the handler.
    
    Regards,
    Anil
    
    


  • 6.  RE: [xacml] Passing parameters to the attribute designator

    Posted 07-08-2008 04:14
    Hi Anil,
    
    Would a custom function be a better approach where parameters are needed?
    
    Regards,
    Craig
    
    ---------------------------------------------------------------
    Craig Forster
    Software Engineer
    IBM Australia Development Labs
    Argus == https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
    Blog == http://blogs.tap.ibm.com/weblogs/craigforster/
    ---------------------------------------------------------------
    
    
                                                                                                                                     
      From:       "Anil Tappetla (atappetl)" 


  • 7.  RE: [xacml] Passing parameters to the attribute designator

    Posted 07-09-2008 11:19
    Craig,
    
      the designator is a "function" by itself, only that it does not take
    parameters (I do not know why it should not) in the same manner as
    regular functions but involves the context handler. It is the context
    handler that communicates with PIPs for attributes and not the PDP,
    therefore, functions used in place of designators, which are matter of
    factedly executed by the PDP may not serve the desired purpose. However,
    I might agree with you nonetheless assuming that there are no
    constraints imposed by the specification in not having the PDP talk to
    the PIP.      
    
    Regards,
    Anil 
    
    


  • 8.  Re: [xacml] Passing parameters to the attribute designator

    Posted 07-04-2008 16:15
    Anil,
    
    it would be better to expose the broader use-case you are interested in 
    here. My guess is that it has something to do with enterprise 
    infra-structure or the policy creation or administration model or the 
    way resource meta-data is stored. A more general formulation focusing on 
    the use-case would get more attention within the TC.
    
    The original XACML use-case tends to focus only a "pure" policy language 
    and rules for its execution. This makes sense as the main concern was an 
    interoperable policy language. But there are much broader use-cases that 
    need to be dealt with before XACML can have a larger practical impact...
    
    - prateek
    > I believe there must be a case when the context handler must be given 
    > additional information to retrieve an attribute when using attribute 
    > designators. This additional information may be kept within the 
    > policies that reference the designator and will serve as parameters to 
    > the evaluation procedure of the designator. Naturally, this applies to 
    > only those cases when the attribute referenced is not actually present 
    > in the request context as XACMLv2.0 specification mentions how 
    > the referenced attributes must be matched when present in the request 
    > context.
    >  
    > This additional context passed to the handler can be a property 
    > list/name-value pairs as the combiner parameters.
    >  
    > Thoughts ?
    >  
    > Regards,
    > Anil