OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Attribute predicate profile for SAML and XACML

    Posted 03-23-2011 09:25
    Dear all,

    Please find attached a first draft of the attribute predicate profile that we've been discussing during the telephone conferences. Looking forward to your feedback!

    Best regards,
    Gregory and Franz-Stefan

    Attachments:
    2011-02 SAM+XACML Attribute Predicate Profiles.zip
    SAML+XACML Attribute Predicate Profile.pdf


  • 2.  RE: [xacml] Attribute predicate profile for SAML and XACML

    Posted 04-29-2011 08:26
    Gregory & Franz-Stefan,

    Could this profile also be used to implement ZBAC [1]?

    [1] http://www.hpl.hp.com/techreports/2009/HPL-2009-30.pdf

    Thanks,
    Ray


  • 3.  Re: [xacml] Attribute predicate profile for SAML and XACML

    Posted 05-23-2011 14:19
    Hi Ray,

    As discussed during the last call, I think the answer to your question is yes, if I understand authorization-based access control (ZBAC) correctly, as follows. A user from domain A wants to access a resource hosted in domain B. In classical attribute-based access control (ABAC), domain B fetches the user's attributes from domain A and checks whether the policy associated with the resource is satisfied. In ZBAC, it is domain A that checks whether the user's attributes satisfy the policy. Our attribute predicate profile could indeed be used by domain B to send the policy (predicate) to domain A, who evaluates the predicate and certifies to B whether it holds or not.

    There are two points in the approach that I don't quite understand, though, which may mean that my above understanding is incorrect:

    1. How is the resource's access policy, which is probably authored by domain B, communicated to domain A?

    2. The summary of [1] mentions that ABAC requires agreement on the meaning of attributes, and that the implications of changing a user's attributes are not clear. ZBAC addresses those problems while requiring few changes to the underlying system. In our profile, both sides still have to agree on AttributeIds to understand which predicate they're talking about. I do not see how ZBAC could avoid such agreement, however.

    Best,
    Greg

    On 4/29/2011 10:24, remon.sinnema@emc.com wrote:
    > Gregory & Franz-Stefan,
    > Could this profile also be used to implement ZBAC [1]?
    > [1] http://www.hpl.hp.com/techreports/2009/HPL-2009-30.pdf
    > Thanks,
    > Ray


  • 4.  RE: [xacml] Attribute predicate profile for SAML and XACML

    Posted 05-25-2011 19:45
    Greg,

    From: Gregory Neven [mailto:nev@zurich.ibm.com]
    Sent: Monday, May 23, 2011 3:57 PM
    To: xacml@lists.oasis-open.org
    Subject: Re: [xacml] Attribute predicate profile for SAML and XACML

    >> As discussed during the last call, I think the answer to your question is yes, if I correctly understand authorization-based access control (ZBAC) correctly as follows. A user from domain A wants to access a resource hosted in domain B. In classical attribute-based access control (ABAC), domain B fetches the user's attributes from domain A and checks whether the policy associated to the resource is satisfied. In ZBAC, it is domain A that checks whether the user's attributes satisfy the policy. Our attribute predicate profile could indeed be used by domain B to send the policy (predicate) to domain A, who evaluates the predicate and certifies to B whether it holds or not. <<

    This is what I thought too. But on second reading, I think differently. I now interpret the article to mean that in ZBAC, the remote domain delegates some of its policy to the local domain. The local PDP performs the authorization decision based on that delegated policy, and sends the decision along with the request to the remote domain. Using various cryptographic tricks, the remote domain can check that the local PDP was allowed to make the authorization decision and honors it.

    So, if my new understanding is correct, then the attribute predicate profile can't be used to implement ZBAC. Oh well.

    Thanks,
    Ray
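The two cross-domain flows contrasted in posts 3 and 4, as an added simulation that is not part of the thread, the draft profile, or the ZBAC paper. In the first flow (Greg's reading of the attribute predicate profile) domain B ships a predicate over AttributeIds to domain A, and A returns a signed yes/no without releasing the attribute values. In the second flow (Ray's reading of ZBAC) domain B first issues a signed delegation of part of its policy to A's PDP; A decides locally and returns the decision together with the delegation, and B checks that the delegation really came from B and covers the requested resource before honouring the decision. The predicate syntax (`{"all": [[AttributeId, op, value], ...]}`), the `urn:example:*` AttributeIds, the user store and the per-domain HMAC keys are all constructed for the example; HMAC stands in for the XML signatures a real deployment would use, and B deliberately has no way to evaluate the predicate itself, which is the point of both flows.

```python
"""Constructed simulation of predicate certification vs. delegated decision (ZBAC-style)."""
import hashlib
import hmac
import json
import operator

# Per-domain signing keys (assumption: stand-in for each domain's signature key).
KEY_A = b"constructed-key-domain-A"
KEY_B = b"constructed-key-domain-B"

# Domain A's attribute store (constructed sample data; never leaves domain A).
DOMAIN_A_USERS = {
    "alice": {"urn:example:age": 34, "urn:example:role": "clinician"},
    "bob": {"urn:example:age": 17, "urn:example:role": "student"},
}

OPS = {"eq": operator.eq, "ge": operator.ge, "le": operator.le,
       "in": lambda v, allowed: v in allowed}


def evaluate_predicate(predicate, attributes):
    """Evaluate {"all": [[attribute_id, op, value], ...]} against one user's attributes.
    Returns True/False, or None (Indeterminate) when an AttributeId is unknown to this
    domain: both sides must still agree on AttributeIds, exactly as post 3 notes."""
    for attribute_id, op, value in predicate["all"]:
        if attribute_id not in attributes:
            return None
        if not OPS[op](attributes[attribute_id], value):
            return False
    return True


def canonical(obj):
    """Deterministic serialisation so signer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(payload, key):
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify(payload, sig, key):
    return hmac.compare_digest(sig, sign(payload, key))


# Flow 1: attribute predicate profile (B asks, A certifies, B verifies).
def domain_a_certify_predicate(subject, predicate):
    """A evaluates B's predicate and signs the verdict; attribute values are not disclosed."""
    holds = evaluate_predicate(predicate, DOMAIN_A_USERS[subject])
    statement = {"issuer": "A", "subject": subject, "predicate": predicate, "holds": holds}
    return {"statement": statement, "sig": sign(statement, KEY_A)}


def domain_b_check_certified(assertion, subject, predicate):
    """B accepts only a statement from A, about this subject and this exact predicate."""
    st = assertion["statement"]
    if not verify(st, assertion["sig"], KEY_A):
        return "Deny"  # forged or tampered statement
    if st["issuer"] != "A" or st["subject"] != subject or st["predicate"] != predicate:
        return "Deny"  # certifies something other than what B asked
    return "Permit" if st["holds"] is True else "Deny"  # Indeterminate (None) denies


# Flow 2: delegated decision (B delegates policy, A's PDP decides, B honours).
def domain_b_delegate(policy_id, resource, predicate):
    """B signs a delegation authorising A's PDP to decide for one resource under one policy."""
    delegation = {"issuer": "B", "delegate": "A", "resource": resource,
                  "policy": {"id": policy_id, "predicate": predicate}}
    return {"delegation": delegation, "sig": sign(delegation, KEY_B)}


def domain_a_decide(subject, resource, token):
    """A's local PDP evaluates the delegated policy and signs its decision."""
    holds = evaluate_predicate(token["delegation"]["policy"]["predicate"],
                               DOMAIN_A_USERS[subject])
    decision = {"pdp": "A", "subject": subject, "resource": resource,
                "decision": "Permit" if holds is True else "Deny"}
    return {"decision": decision, "sig": sign(decision, KEY_A), "delegation": token}


def domain_b_honor(request, resource):
    """B never re-evaluates the policy; it checks the chain of authority and honours the decision."""
    tok = request["delegation"]
    d = tok["delegation"]
    if not verify(d, tok["sig"], KEY_B):
        return "Deny"  # delegation was not issued by B
    if d["issuer"] != "B" or d["delegate"] != request["decision"]["pdp"] or d["resource"] != resource:
        return "Deny"  # delegation does not cover this PDP or this resource
    if not verify(request["decision"], request["sig"], KEY_A):
        return "Deny"  # decision not signed by the delegated PDP
    if request["decision"]["resource"] != resource:
        return "Deny"  # decision replayed against a different resource
    return request["decision"]["decision"]


ADULT_CLINICIAN = {"all": [["urn:example:age", "ge", 18],
                           ["urn:example:role", "in", ["clinician", "nurse"]]]}

if __name__ == "__main__":
    print(domain_b_check_certified(domain_a_certify_predicate("alice", ADULT_CLINICIAN),
                                   "alice", ADULT_CLINICIAN))  # Permit
    token = domain_b_delegate("records-policy", "/records/42", ADULT_CLINICIAN)
    print(domain_b_honor(domain_a_decide("bob", "/records/42", token), "/records/42"))  # Deny
```

Worth noticing in the second flow is that B's check is entirely about authority, not attributes: it verifies who signed the delegation, who signed the decision, and that both name the resource being requested. That is the part Greg's first question asks about (how B's policy reaches A): in this model the policy travels inside the delegation itself.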