OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  FW: some little questions

    Posted 07-16-2009 14:20
      |   view attached

    Attachment(s)

    ppt
    Access_Control_for_OWS_with_GeoXACML.ppt   2.04 MB 1 version


  • 2.  RE: [xacml] FW: some little questions

    Posted 07-16-2009 15:38 
    






    Perhaps I gave the wrong impression about protecting a 
policy repository.
    

     
    

    During 
the discussons which led to XACML 3.0 it was pointed out that with XACML 2.0 (or 
any version really) you can protect operations such as CRUD on a repository. 
However this approach would not let you control the scope of capabilities of a 
person editing policies.
    

     
    

    I 
suppose we could have consider using XPATH functions to introspect policy 
contents, but I think the result would have made it very hard to understand the 
intent of administrative policies.
    

     
    

    For 
whatever reasons this approach was not seriously considered and instead we chose 
the scheme you see in the Admin Profile.
    

     
    

    Influenced by the requirement to be allowed to provide 
policies along with the request, we formulated Reduction as a policy decision 
time process instead of an administration time process. Since the current scheme 
allows access policies and their enabling administrative polices to reference 
distinct attributes, there is no good way to determine if an access policy is in 
force, except in the context of a particular decision.
    

     
    

    Hal
    

    
  
    -----Original Message-----
    From: Harold Lockhart
    Sent: Thursday, July 16, 2009 10:20 AM
    To: 
  xacml@lists.oasis-open.org
    Subject: [xacml] FW: some little 
  questions

    
  
     
    
  
    -----Original Message-----
    From: Jan Herrmann 
  [mailto:herrmanj@in.tum.de]
    Sent: Thursday, July 16, 2009 8:43 
  AM
    To: Harold Lockhart
    Subject: some little 
  questions

    
  
    
  
    Hello 
  Hal,
    
  
    I modified the slides from the 
   meeting 
  a little bit to focus the things that might be of interest for your group. 
  
    
  
    Now I am wondering how you usually 
  do presentations during your telecons. Are you using google docs or special 
  tools like team viewer?
    
  
    Another question: In  you mentioned 
  that a couple of years ago the XACML TC discussed how to administrate XACML 
  policies. You mentioned that using XACML itself to do control access to a PAP 
  Web Service was rejected and instead the mechanism described in the new 
  delegation profile was preferred. Are their any internal documents talking 
  about the reasoning behind this decision?
    
  
    Talk to you 
  later.
    
  
    greets
    
  
    jan
    
  
    
  
    ________________________________________

    Jan 
  Herrmann
    Dipl.-Inform., Dipl.-Geogr. 

    wissenschaftlicher 
  Mitarbeiter

    Technische Universität 
  München
    Institut für Informatik

    Lehrstuhl für Angewandte Informatik 
  / Kooperative Systeme

    Boltzmannstr. 3
    85748 
  Garching

    Tel:      
  +49 (0)89 289-18692
    Fax:     +49 (0)89 289-18657
    www11.informatik.tu-muenchen.de
    ________________________________________


  • 3.  Re: [xacml] FW: some little questions

    Posted 07-17-2009 08:46 
    Jan,

I was involved in the design of the administration profile. It is as Hal 
says that it is difficult to provide access control using XACML/CRUD if 
one wants to restrict the scope of administrative rights. It might be 
possible to implement XACML/CRUD, but I have found it to be difficult 
understand the safety of these kind of models. Academic research has 
shown that many (most?) protection models are undecidable. It would be 
an interesting research question to study whether it would be possible 
to design an XACML/CRUD model with certain limitations which makes it safe.

And the main reason why reduction is an policy decision time process 
instead of a administration time process is that in general it is very 
difficult to implement comparison of two XACML policies to implement the 
restriction of policy scope feature. With an administration time process 
it would be necessary to compare two XACML policies to check whether one 
of them is a subset of another in their scope. At decision time it is a 
simple matter of simply evaluating both policies and checking that they 
both say permit, by which the end result is that administrative scope is 
restricted.

In some cases the delegation model might be overkill. If you have a 
bunch of trusted administrators who should be allowed to do anything, it 
could be simpler to use XACML or any simple access control list to 
control access there.

Another simple approach to separate administrative scope is to use 
entirely separate PDP instances which are used for different resources.

Best regards,
Erik



Harold Lockhart wrote:
> Perhaps I gave the wrong impression about protecting a policy repository.
>  
> During the discussons which led to XACML 3.0 it was pointed out that 
> with XACML 2.0 (or any version really) you can protect operations such 
> as CRUD on a repository. However this approach would not let you 
> control the scope of capabilities of a person editing policies.
>  
> I suppose we could have consider using XPATH functions to introspect 
> policy contents, but I think the result would have made it very hard 
> to understand the intent of administrative policies.
>  
> For whatever reasons this approach was not seriously considered and 
> instead we chose the scheme you see in the Admin Profile.
>  
> Influenced by the requirement to be allowed to provide policies along 
> with the request, we formulated Reduction as a policy decision time 
> process instead of an administration time process. Since the current 
> scheme allows access policies and their enabling administrative 
> polices to reference distinct attributes, there is no good way to 
> determine if an access policy is in force, except in the context of a 
> particular decision.
>  
> Hal
>
>     -----Original Message-----
>     *From:* Harold Lockhart
>     *Sent:* Thursday, July 16, 2009 10:20 AM
>     *To:* xacml@lists.oasis-open.org
>     *Subject:* [xacml] FW: some little questions
>
>      
>     -----Original Message-----
>     *From:* Jan Herrmann [mailto:herrmanj@in.tum.de]
>     *Sent:* Thursday, July 16, 2009 8:43 AM
>     *To:* Harold Lockhart
>     *Subject:* some little questions
>
>     Hello Hal,
>
>     I modified the slides from the Boston meeting a little bit to
>     focus the things that might be of interest for your group.
>
>     Now I am wondering how you usually do presentations during your
>     telecons. Are you using google docs or special tools like team viewer?
>
>     Another question: In Boston you mentioned that a couple of years
>     ago the XACML TC discussed how to administrate XACML policies. You
>     mentioned that using XACML itself to do control access to a PAP
>     Web Service was rejected and instead the mechanism described in
>     the new delegation profile was preferred. Are their any internal
>     documents talking about the reasoning behind this decision?
>
>     Talk to you later.
>
>     greets
>
>     jan
>
>      
>
>     ________________________________________
>
>     Jan Herrmann
>     Dipl.-Inform., Dipl.-Geogr. 
>
>     wissenschaftlicher Mitarbeiter
>
>     Technische Universität München
>     Institut für Informatik
>
>     Lehrstuhl für Angewandte Informatik / Kooperative Systeme
>
>     Boltzmannstr. 3
>     85748 Garching
>
>     Tel:      +49 (0)89 289-18692
>     Fax:     +49 (0)89 289-18657
>     www11.informatik.tu-muenchen.de
>


Related Content