Hi Paul, I tried to bring that out in the example I gave, which had 2 independent hierarchies, where the policy on one hierarchy said yes, and the other said no. The resolution was that the authorities at the top of the two hierarchies would have to meet and sort things out, which could be done by an obligation initiating some kind of workflow. There will always be cases where the policy designers are not able to provide a definitive resolution. The idea is to design policies to capture those cases where the resolutions are well-defined, and to provide notification to authorities of conflicts that have to be resolved, because the policies do not cover the situation. The top level policyset would evolve with time as the preferred solutions became better understood by the human resolution of the conflict the first few times the conflict occurred, which could then be codified in attributes and automated as appropriate. Thanks, Rich On 6/20/2011 12:01 PM, Tyson, Paul H wrote:
3898C40CCD069D4F91FCD69C9EFBF096066F95A2@txamashur004.ent.textron.com type= cite > I’m open to evidence that would change my mind, but I don’t believe there’s an IT solution for confusion, disagreement, and anarchy among rule-makers. If all the rule-makers in the enterprise wrote their rules in XACML, and if they used a common set of attributes, then you can perform static analysis on the policies to detect possible conflicts. But those conflicts will have to be resolved by business people, not by programmers or IT architects. David hinted that he had a use case that might demonstrate the deficiency of the existing policy-combining feature of XACML, so I will wait to see the details of that scenario. Regards, --Paul From: rich levinson [ mailto:
rich.levinson@oracle.com ] Sent: Monday, June 20, 2011 10:40 To:
xacml@lists.oasis-open.org Subject: Re: [xacml] F2F Agenda Topics Hi Martin, I agree with your characterization of this use case as an essential capability. As David described it: In an enterprise, policy admin is usually distributed among different organizational units, ranging from small workgroups to the corporate level. For a given decision request, there may be multiple applicable policies that are created by different admin authorities. These policies may not know the existence of each other, and may not be encapsulated in a single policyset. We need a broader model for combining algm to resolve conflict in this case. I submit that the XACML 3.0 Hierarchical Profile has been restructured such that such use cases are the expected practice. Namely, that multiple hierarchies can be defined over a common set of resources. Once the hierarchies are independently defined, then the only issue left is to combine the roots to determine which of the possibly conflicting decisions will apply. For example, consider a physical laptop as an enterprise resource. Governance over this laptop may include several interested parties: the employee who has been granted use of the laptop; an IT maintenance person who has been granted authority over allowed configurations on the laptop, etc. The employee may want to use the laptop for a specific purpose, whereas the facilities manager may say that is not allowed. This decision may go up several levels of the mgmt chain and finally reach a point where the eng vp says yes, but the IT vp says no, and the CEO does not know enough about the problem to render a decision. Therefore, the next step might be that the eng vp and IT vp are required to meet and to come up w an appropriate decision. Situations like this can be addressed by hierarchical profile where there is an eng hierarchy and an IT hierarchy, where the hierarchy in eng is based on the org structure, as is the IT hierarchy. The laptops as resources have hierarchical identifiers for both hierarchies, and independent policies exist for each hierarchy. When the decisions are in conflict then one can define a top-level PolicySet that contains the roots of both hierarchies and apply a combining algorithm appropriate for resolving the decision. The structure that enables this capability is the forest , which is a disjoint set of single-rooted hierarchical trees. When the hierarchies in the forest are combined over the common set of resources, the structure is known as a polyarchy . The XACML 3.0 Hierarchical profile has been updated explicitly to make this relationship clear and to remove the unnecessary restrictions in 2.0 that limited the profile to DAGs, which are not appropriate to address this problem. Thanks, Rich On 6/17/2011 5:44 PM, Smith, Martin wrote: This is a capability we (DHS and others) are very interested in. Whether it is an XACML standards issue or not is debatable (vs. a tools issue) but I note that a good deal of the overall Security TC work is based on a unifying architectural model of access control that is beyond the scope of the SAML or XACML standards themselves. So I hope we can identify someone to tackle the requirement . . . Regards, Martin Martin F. Smith Director, National Security Systems US Department of Homeland Security NAC 19-204-47 (202) 447-3743 desk (202) 441-9731 mobile
Original Message----- From: xacml-return-2710-martin.smith=dhs.gov@lists.oasis-open.org [ mailto:xacml-return-2710-martin.smith=dhs.gov@lists.oasis-open.org ] On Behalf Of Tyson, Paul H Sent: Friday, June 17, 2011 5:35 PM To: david.choy@emc.com ; bill@parducci.net ; xacml@lists.oasis-open.org Subject: RE: [xacml] F2F Agenda Topics This sounds like a very strange business case, and I don't see how XACML can help. It does not appear to be a rational model for policy development if independent groups are making rules concerning potentially overlapping instances of subject/resource/action. That is anarchy, not federation. And even if some enterprises find it useful to develop policies that way, the PDP implementation should allow specifying one of the existing policy-combining algorithms (or a custom one) at the notional root of the policy tree. Regards, --Paul
Original Message----- From: david.choy@emc.com [ mailto:david.choy@emc.com ] Sent: Friday, June 17, 2011 15:38 To: bill@parducci.net ; xacml@lists.oasis-open.org Subject: RE: [xacml] F2F Agenda Topics I'd like to add another topic to the agenda list: combining algorithm for a distributed admin environment. Currently, combining algm is specified only within a container (a policy or a policy set). In an enterprise, policy admin is usually distributed among different organizational units, ranging from small workgroups to the corporate level. For a given decision request, there may be multiple applicable policies that are created by different admin authorities. These policies may not know the existence of each other, and may not be encapsulated in a single policyset. We need a broader model for combining algm to resolve conflict in this case. I'll be glad to give an example at the F2F. David
Original Message----- From: Bill Parducci [ mailto:bill@parducci.net ] Sent: Friday, June 17, 2011 6:46 AM To: XACML TC Subject: [xacml] F2F Agenda Topics With the F2f rapidly approaching, we need to start nailing down the agenda. In the past we have chunked up the discussion topics so that we can make sure to cover as many of them as possible, while driving the largest/most difficult issues to completion as the primary driver. To that end I would like to propose that we again break the days in half thus and then dissect from there as needed: Tuesday 8-12 Tuesday 1-5 Wednesday 8-12 Wednesday 1-5 Thursday 8-12 Below is a non-exhaustive list of open issues. Attribute Predicate BTG PIP Directive JSON Profile Obligation/Advice Combining PAP Interface RSA Interop Web Friendly Policy Ids Sticky Policies XACML Metadata Schema I suggest that we begin by fleshing out this list, then prioritize and schedule those topics that have the most interest and will have champions in attendance. My goal is to have a candidate agenda for the TC call next Thursday so please take a few moments to chime in with your thoughts. thanks b --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php