OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] change request: subject attribute designators


    Posted 10-01-2002 18:46

    Subject: [xacml] change request: subject attribute designators


    The XACML request context allows for multiple subjects. Each subject block is identified by its subject-category.
    Subject-category identifies different 'actors': access-subject, codesource, etc.
     
    The category 'access-subject' is the requestor's identity.
     
    There are use cases, such as 'integrated login', where multiple auth mechanisms are integrated.
    Sun solves this with the 'pluggable auth module' framework (PAM). PAM allows for multiple
    authentication protocols to be configured per application.
     
    This shows that the XACML context may contain multiple subject blocks with the same category
    of 'access-subject': a separate block per authentication protocol.
     
    Subject blocks are accessed with subject-attribute-designators.
     
    Assumption: a subject block is uniquely addressed by subject-category
    and authentication protocol.
     
    Proposal:
    Drop the DataType attribute of <xacml-context:AttributeType>.
     
    Extend xacml:subject-attribute-designator with SubjectCategory and Protocol attributes:
    <complexType name="SubjectAttributeDesignatorType">
        <attribute name="AttributeId" type="xs:string" use="required"/>
        <attribute name="Issuer" type="xs:anyURI" use="optional"/>
        <attribute name="SubjectCategory" type="xs:string" use="optional"/> <!-- new -->
        <attribute name="Protocol" type="xs:anyURI" use="optional"/> <!-- new -->
    </complexType>
     
    example 1.1 - match 'group' attribute of a subject authenticated with kerberos:
    subject-match match-id="string-equal"
        subj-attr-desig attr-id="group" issuer="some-issuer" subj-cat="access-subject" protocol="kerb"
        attr-value admin
     
    example 1.2 - match 'subject-id' attribute of a subject authenticated with kerb:
    subject-match match-id="rfc822Name-match"
        subj-attr-desig attr-id="subject-id" subj-cat="access-subject" protocol="kerb"
        attr-value bart@simpson.com
     
    Note that in example 1.2 the subject block is identified by the protocol (kerb), not by the name format.
     
    Simon
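The proposal above, worked through as an added example that is not part of Simon's message and not code from any XACML implementation: a small Python resolver for the extended designator, run over a constructed request context with two 'access-subject' blocks, one per authentication protocol. The Protocol attribute on <Subject>, the issuer names and the X.509 block are assumptions made for the illustration; rfc822Name-match is implemented in simplified form (a full address compares the local part case-sensitively and the domain case-insensitively, a bare domain compares against the domain part only).

```python
import xml.etree.ElementTree as ET

# Constructed request context (not from the page). The Protocol attribute on
# <Subject>, the issuer names and the second (X.509) block are assumptions
# made to illustrate the proposal: two access-subject blocks, one per protocol.
REQUEST_XML = """
<Request>
  <Subject SubjectCategory="access-subject" Protocol="kerb">
    <Attribute AttributeId="subject-id" Issuer="kdc.example.com">
      <AttributeValue>bart@simpson.com</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group" Issuer="some-issuer">
      <AttributeValue>admin</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="access-subject" Protocol="x509">
    <Attribute AttributeId="subject-id" Issuer="ca.example.com">
      <AttributeValue>CN=Bart Simpson,O=Springfield</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group" Issuer="some-issuer">
      <AttributeValue>users</AttributeValue>
    </Attribute>
  </Subject>
</Request>
"""


def designator(request, attribute_id, issuer=None, subject_category=None, protocol=None):
    """Resolve the extended SubjectAttributeDesignator: return the bag of
    AttributeValue strings whose subject block and attribute satisfy every
    designator attribute that was given. Omitted optional attributes
    (Issuer, SubjectCategory, Protocol) do not constrain the selection."""
    bag = []
    for subject in request.findall("Subject"):
        if subject_category is not None and subject.get("SubjectCategory") != subject_category:
            continue
        if protocol is not None and subject.get("Protocol") != protocol:
            continue
        for attr in subject.findall("Attribute"):
            if attr.get("AttributeId") != attribute_id:
                continue
            if issuer is not None and attr.get("Issuer") != issuer:
                continue
            bag.extend(v.text for v in attr.findall("AttributeValue"))
    return bag


def string_equal(pattern, value):
    return pattern == value


def rfc822name_match(pattern, value):
    """Simplified rfc822Name-match (assumption, see lead-in)."""
    local, sep, domain = value.partition("@")
    if not sep:
        return False  # not an rfc822Name at all, e.g. an X.500 DN
    if "@" in pattern:
        plocal, _, pdomain = pattern.partition("@")
        return plocal == local and pdomain.lower() == domain.lower()
    return pattern.lower() == domain.lower()


MATCH_FUNCTIONS = {"string-equal": string_equal, "rfc822Name-match": rfc822name_match}


def subject_match(request, match_id, attribute_value, **designator_attrs):
    """A SubjectMatch holds if the match function is true for the literal
    AttributeValue and at least one element of the designator's bag."""
    match = MATCH_FUNCTIONS[match_id]
    return any(match(attribute_value, v) for v in designator(request, **designator_attrs))


def bag_for(attribute_id, request_xml=REQUEST_XML, **designator_attrs):
    """Convenience: resolve a designator straight from request XML text."""
    return designator(ET.fromstring(request_xml), attribute_id, **designator_attrs)


def evaluate_examples(request_xml=REQUEST_XML):
    """Run examples 1.1 and 1.2 from the message, plus the same designators
    pointed at the other protocol block, and return each outcome."""
    req = ET.fromstring(request_xml)
    access = {"subject_category": "access-subject"}
    return {
        "1.1_kerb_group_admin": subject_match(req, "string-equal", "admin",
            attribute_id="group", issuer="some-issuer", protocol="kerb", **access),
        "1.1_x509_group_admin": subject_match(req, "string-equal", "admin",
            attribute_id="group", issuer="some-issuer", protocol="x509", **access),
        # Without Protocol the designator spans every access-subject block, so
        # the Kerberos block's 'admin' satisfies it even if the policy author
        # meant the X.509 identity: this is the ambiguity the proposal removes.
        "1.1_no_protocol": subject_match(req, "string-equal", "admin",
            attribute_id="group", issuer="some-issuer", **access),
        "1.2_kerb_subject_id": subject_match(req, "rfc822Name-match", "bart@simpson.com",
            attribute_id="subject-id", protocol="kerb", **access),
        "1.2_x509_subject_id": subject_match(req, "rfc822Name-match", "bart@simpson.com",
            attribute_id="subject-id", protocol="x509", **access),
    }


if __name__ == "__main__":
    for name, outcome in evaluate_examples().items():
        print(f"{name}: {outcome}")
```

The two 'access-subject' blocks carry the same AttributeId and Issuer for 'group', so only the Protocol attribute distinguishes them; the "1.1_no_protocol" case shows a designator without it silently unioning both blocks' bags.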
     