Subject: Notes from Focus Group 14 August 2003
Present:
Frank Siebenlist
Anne Anderson
Hal Lockhart
Steve Crocker
There was no prior agenda, so topics discussed were at the
initiative of the attendees.
1. SAML Authz Req/Resp sidebar at SAML F2F
Frank Siebenlist expressed a preference for holding the proposed
working session between OGSA and XACML TC people on Tuesday or
Wednesday, rather than on Monday. Anne has sent this preference
to the SSTC chairs.
Frank mentioned that Rebekah Lepro (bekah@nas.nasa.gov, working
on Grid projects at NASA Ames) has a lot of experience with the
difficulty of mapping Attributes between the SAML Attribute
format and the XACML Request format. He hopes this can also be
addressed in SAML 2.0.
2. New web services policy language use case
Frank described a use case that occurs in the Grid environment
that is not currently included in the "Web-services policy
language use-Cases and requirements" document:
Schedulers/Brokers match scientists needing computational
resources (CPU cycles, disk space, bandwidth) with sites
offering such resources. Each site has its own policies
regarding which scientists are authorized to use computational
resources at that site, and what limits exist on the use of
such resources. This means each site must have a way of
publishing its access requirements for use by the
Schedulers/Brokers.
It looks like the XACML Profile for Web-services could handle
this. It might be easiest if the Profile allowed a published
policy or rule to include attributes of the applicable subjects
in the Target.
Frank said WS-Policy can't handle such a requirement. It is
clearly in the access control domain, so it is XACML's business
to address it.
3. XACML Policy in SAML Response/Request Conditions
Hal asked for the use cases behind XACML 2.0 Work Items #16 and
17.
Anne said these came from Grid requirements, but also come up in
support of authorization decision optimization.
Use case for XACML Policy in Conditions of AuthzDecision:
An XACML Policy might be included in the response to an SAML
AuthorizationDecisionQuery in cases where a PDP associated with
the Initiator of a Request was unable to completely evaluate the
policy due to lack of information, but where another PDP
associated with the Resource has the missing information (but
perhaps not other information that was available to the first
PDP). In that case the first PDP can return an AuthorizationDecision
of the form "Permit IF Condition", where the Condition contains a
partially evaluated policy stripped down to just the predicates
involving the missing information.
Use case#1 for XACML Policy in Conditions of AuthzDecisionQuery:
Used by a resource that has received a Request for services along
with an AuthorizationDecision of the above form. It passes the
Condition containing the remaining policy to its own PDP for
evaluation.
Use case#2 for XACML Policy in Conditions of AuthzDecisionQuery:
A resource may have its own policy. It receives requests
directly from subjects. It passes its policy to the PDP
as part of the Conditions element of the SAML
AuthzDecisionQuery.
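The three use cases above describe one flow: a PDP near the initiator evaluates as much of a policy as it can, hands back the residual predicates as a "Permit IF Condition", and the resource's PDP finishes the job (or, in use case #2, evaluates its own full policy directly). The following is an added illustration of that partial-evaluation idea, not code from the original notes or from any XACML implementation: the policy is modelled as a plain conjunction of single-attribute predicates rather than XACML XML, and every attribute name, value and quota in it is constructed for the example.

```python
# Added example (not part of the original notes): a minimal model of the
# "Permit IF Condition" flow. Policy predicates, attribute names and values
# are constructed for illustration and are not XACML syntax.
from dataclasses import dataclass
from typing import Any, Callable, Tuple


@dataclass(frozen=True)
class Predicate:
    attribute: str                 # e.g. "subject:project" (constructed name)
    test: Callable[[Any], bool]    # evaluated once the attribute value is known
    description: str               # readable form, for the residual Condition


class Decision:
    PERMIT = "Permit"
    DENY = "Deny"
    PERMIT_IF = "Permit IF Condition"


@dataclass
class AuthzDecision:
    decision: str
    condition: Tuple[Predicate, ...]   # residual predicates; empty unless PERMIT_IF


def partial_evaluate(policy, attributes):
    """Evaluate a conjunctive policy against the attributes this PDP has.

    A predicate whose attribute is missing is carried into the residual
    Condition instead of making the whole decision Indeterminate. Any
    predicate that evaluates to False denies outright, so a Deny never
    leaks a residual Condition.
    """
    residual = []
    for p in policy:
        if p.attribute not in attributes:
            residual.append(p)
        elif not p.test(attributes[p.attribute]):
            return AuthzDecision(Decision.DENY, ())
    if residual:
        return AuthzDecision(Decision.PERMIT_IF, tuple(residual))
    return AuthzDecision(Decision.PERMIT, ())


def evaluate_condition(condition, attributes):
    """Resource-side PDP (use case #1): evaluate the residual Condition.

    Fails closed: an attribute that is still unknown here yields Deny.
    """
    for p in condition:
        if p.attribute not in attributes or not p.test(attributes[p.attribute]):
            return Decision.DENY
    return Decision.PERMIT


# Constructed sample policy for one site, as a conjunction of predicates.
SITE_POLICY = (
    Predicate("subject:project", lambda v: v in {"climate", "fusion"},
              "subject:project in {climate, fusion}"),
    Predicate("subject:clearance", lambda v: v == "approved",
              "subject:clearance == approved"),
    Predicate("resource:available-cpu-hours", lambda v: v >= 500,
              "resource:available-cpu-hours >= 500"),
    Predicate("resource:in-maintenance", lambda v: v is False,
              "resource:in-maintenance == false"),
)

# Constructed attributes: the initiator-side PDP only knows the subject,
# the site's PDP only knows the resource's current state.
INITIATOR_ATTRS = {"subject:project": "climate", "subject:clearance": "approved"}
SITE_ATTRS = {"resource:available-cpu-hours": 800, "resource:in-maintenance": False}


def initiator_decision(attrs=INITIATOR_ATTRS):
    """First PDP: returns Permit, Deny, or Permit IF <residual Condition>."""
    return partial_evaluate(SITE_POLICY, attrs)


def site_decision(decision, attrs=SITE_ATTRS):
    """Second PDP: finish a Permit IF decision with the site's attributes."""
    if decision.decision != Decision.PERMIT_IF:
        return decision.decision
    return evaluate_condition(decision.condition, attrs)


if __name__ == "__main__":
    d = initiator_decision()
    print(d.decision, [p.description for p in d.condition])
    print(site_decision(d))
    # Use case #2: the resource evaluates its own full policy in one step.
    print(partial_evaluate(SITE_POLICY, {**INITIATOR_ATTRS, **SITE_ATTRS}).decision)
```

With the constructed values, the initiator-side PDP returns "Permit IF Condition" carrying only the two resource predicates it could not see, and the site's PDP then turns that into Permit; lowering the site's free CPU hours below the quota flips the second step to Deny. Note the fail-closed choice in evaluate_condition: if the residual still names an attribute nobody holds, the answer is Deny, never an implicit Permit.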
4. XACML TC FAQ
Hal mentioned that he has a message for the DSS TC that is sent
in response to requests for membership. This message explains
that the requester should change their member status from
Prospective Member to Observer if they do not intend to
participate regularly in meetings.
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692