OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  XACML 2.0 Work Items

    Posted 07-31-2003 19:43
    The Focus Group this morning identified potential XACML 2.0 work
    items.  I took the liberty of adding a few more that I remembered
    while writing up these minutes.
    
    We can change the status of various items (i.e. DROP or
    POSTPONE), and can add new ones, but we will not re-use any item
    numbers.  If an item splits or becomes something different, we
    will create new items rather than change existing item numbers.
    
    1. Grid Requirements
    
       Any XACML changes needed to satisfy Grid requirements
    
       STATUS: Abstract Work Item.  As specific changes are
          identified, they will become individual work items with
          their own numbers, listed here.
          Current specific work items: #2, 3, 4.
    
    2. Location Information
    
       Way to pass location information needed to evaluate a policy.
       Examples of such information are:
        o where to find various Attributes,
        o where Attribute Authorities to be used are located
        o where to find function, combining algorithm, data-type,
          Attribute parsing code
       Such information might be embedded in either of
       a. an XACML Request
       b. an XACML policy
    
       STATUS: potential work item.
    
    3. Multiple Actions per Request
    
       Support Requests containing multiple Actions.  Response could
       either say "All permitted/denied" or could include a separate
       decision for each.
    
       STATUS: potential work item.
    
    4. Multiple Resources per Request   
    
       Support Requests containing multiple Resources.  Response
       could either say "All permitted/denied" or could include a
       separate decision for each.
    
       STATUS: potential work item.
    
    5. Privacy Requirements
    
       Any XACML changes needed to satisfy Privacy requirements.
    
       STATUS: Abstract Work Item.  As specific changes are
          identified, they will become individual work items with
          their own numbers, listed here.
    
    6. Domain-specific identifiers
    
       Define a set of domain-specific identifiers based on
       application usage of XACML.
     
       STATUS: Postponed from 1.1.
    
    7. ConditionReference
    
       Allow a Rule to contain a ConditionReference element as an
       alternative to a Condition element.  The ConditionReference
       would identify a Condition element specified elsewhere.  An
       optional ConditionId attribute would be added to the Condition
       element to support this.
    
       STATUS: Postponed from 1.1.
       PROPOSAL:
        http://lists.oasis-open.org/archives/xacml/200304/msg00039.html
    
    8. RuleReference
    
       STATUS: Postponed from 1.1.
       PROPOSAL:
        http://lists.oasis-open.org/archives/xacml/200305/msg00004.html  
    
    9. Hierarchical entities
    
       How to express policies and requests that apply to a hierarchy
       of subjects, resources, or actions.
    
       STATUS: Postponed from 1.1.
       PROPOSALS:
        http://lists.oasis-open.org/archives/xacml/200304/msg00057.html
        http://lists.oasis-open.org/archives/xacml/200305/msg00009.html
    
    10. Parameters for Combining Algorithms
    
       Support an element or attribute in a PolicySet, Policy, or Rule
       that provides parameters to be used by a Combining Algorithm
       that is combining the PolicySet, Policy, or Rule.
    
       STATUS: Postponed from 1.1.
       PROPOSAL:
         http://lists.oasis-open.org/archives/xacml/200305/msg00014.html
    
    11. XACML Extension Points
    
       Define schema extension points for XACML.  This work item
       might solve the requirements driving several other work
       items.
    
       STATUS: potential work item.
    
    12. Environment Element in Target
    
       Allow the Target Element to include an Environment element,
       just as it now includes Subject, Resource, and Action
       elements.
    
       STATUS: Postponed from 1.1.
       PROPOSAL:
        http://lists.oasis-open.org/archives/xacml/200305/msg00012.html
    
    13. Optional Target Elements
    
   Make the Subjects, Resources, and Actions elements optional in a
   Target.  A missing element has the same semantics as <Any.../>.
   Make the Target itself optional.  A missing Target has the same
   semantics as a Target containing <AnySubject/>, <AnyResource/>,
   <AnyAction/>.
    
       STATUS: potential work item.
    
    14. Signature envelope requirements
    
       Any new XACML work items to meet requirements for signature
       envelopes around an XACML schema instance, such as including
       an XACML Policy or Request in a signed SAML Assertion.
        
       STATUS: Abstract Work Item.  As specific changes are
          identified, they will become individual work items with
          their own numbers, listed here.
       
    15. Encrypted XACML schema instance requirements
    
       Any new XACML work items to meet requirements for encrypted
       XACML Policy or Context schema instances.
    
       STATUS: Abstract Work Item.  As specific changes are
          identified, they will become individual work items with
          their own numbers, listed here.
    
    16. XACML Policy in SAML Response Conditions
    
       Profile uses of XACML Policy instances as a syntax for
       specifying Conditions in a SAML Response.
    
    17. XACML Policy in SAML Request Conditions
    
       Profile use of SAML Conditions element as a way for a PEP to
       pass an XACML Policy to be used by the PDP in evaluating the
       Request.
    
       STATUS: potential work item.
    
    18. Obligations in Rules
    
       Allow Rule to contain Obligations.
    
   STATUS: Postponed from 1.1.
       PROPOSAL:
        http://lists.oasis-open.org/archives/xacml/200305/msg00011.html
    
    19. Rule as lowest administrative unit
    
       Allow a Rule to be the lowest administrative unit for XACML.
       Probably required to support RuleReference.
    
       STATUS: potential work item.
    
    20. Non-normative XACML interpretation guide
    
       Rationale, examples, possible implementation models; general
       information that would help XACML users know the intent of the
       XACML TC for the use of XACML elements.
    
       STATUS: potential work item.  Probably parallel to XACML 2.0.
    
    21. Non-normative XACML Primer
    
       Primer for XACML usage.
    
       STATUS: potential work item.  Probably parallel to XACML 2.0.
    
    Anne
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    
    ***************************************
    SunNetwork 2003 Conference and Pavilion
    "An unparalleled event in network computing! Make the net work for you!"
    
    WHEN:  September 16-18, 2003
    WHERE: Moscone Center, San Francisco
    
    For more information or to register for the conference, please visit:
    http://www.sun.com/sunnetwork
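The following is an added example, not part of Anne's post and not TC code. It is a toy Python evaluator that models two of the proposals in the list as they are described there: item 13 (a missing Subjects/Resources/Actions section, or a missing Target, matches anything) and items 3/4 (one Request naming several Resources, answered both per resource and as a single aggregate). Assumptions not in the post: XACML 1.0 element names are used but the namespace and DataType attributes are omitted; only the string-equal MatchId is supported; attribute ids are shortened to "role", "resource-id" and "action-id"; the policies, subject and resources are constructed inline; and the aggregate rule (Permit only if every resource is permitted, otherwise Deny) is a fail-closed choice of this example, since the post leaves it open.

```python
"""Toy evaluator for the optional-Target-section proposal (item 13) and
multiple Resources per Request (items 3/4).  Constructed example, not TC
code: XACML 1.0 element names, no namespace/DataType, string-equal only."""
import xml.etree.ElementTree as ET

STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Target section -> (child element, *Match element, *AttributeDesignator, Any* wildcard)
SECTIONS = {
    "Subjects":  ("Subject",  "SubjectMatch",  "SubjectAttributeDesignator",  "AnySubject"),
    "Resources": ("Resource", "ResourceMatch", "ResourceAttributeDesignator", "AnyResource"),
    "Actions":   ("Action",   "ActionMatch",   "ActionAttributeDesignator",   "AnyAction"),
}


def _match(elem, attrs, designator_tag):
    """One *Match element; attrs maps attribute id -> bag (list) of values."""
    if elem.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId %r" % elem.get("MatchId"))
    wanted = elem.find("AttributeValue").text
    attr_id = elem.find(designator_tag).get("AttributeId")
    return wanted in attrs.get(attr_id, [])   # true if any value in the bag matches


def _section_matches(target, section, attrs):
    child_tag, match_tag, designator_tag, any_tag = SECTIONS[section]
    sec = target.find(section)
    if sec is None:                      # item 13: absent section == <Any.../>
        return True
    if sec.find(any_tag) is not None:    # explicit XACML 1.0 wildcard
        return True
    # Disjunction over the Subject/Resource/Action children, each a conjunction
    # of its *Match elements.  A section that is present but empty matches nothing.
    return any(all(_match(m, attrs, designator_tag) for m in child.findall(match_tag))
               for child in sec.findall(child_tag))


def target_matches(policy, subject, resource, action):
    target = policy.find("Target")
    if target is None:                   # item 13: absent Target == all three wildcards
        return True
    return (_section_matches(target, "Subjects", subject)
            and _section_matches(target, "Resources", resource)
            and _section_matches(target, "Actions", action))


def evaluate(policy_xml, subject, resources, action):
    """Items 3/4: one Request naming several Resources.  Returns per-resource
    decisions plus one aggregate.  Aggregation rule is an assumption of this
    example: Permit only if every resource is permitted, otherwise Deny."""
    policy = ET.fromstring(policy_xml)
    effect = policy.find("Rule").get("Effect")  # single rule, no Condition, for brevity
    per_resource = {
        res["resource-id"][0]: (effect if target_matches(policy, subject, res, action)
                                else "NotApplicable")
        for res in resources
    }
    aggregate = "Permit" if all(d == "Permit" for d in per_resource.values()) else "Deny"
    return per_resource, aggregate


def _string_match(kind, attr_id, value):
    """Builds a <SubjectMatch>/<ResourceMatch>/<ActionMatch> for the constructed policies."""
    return ('<%sMatch MatchId="%s"><AttributeValue>%s</AttributeValue>'
            '<%sAttributeDesignator AttributeId="%s"/></%sMatch>'
            % (kind, STRING_EQUAL, value, kind, attr_id, kind))


# Constructed policy: admins may read.  No Resources section, so under item 13
# it applies to every resource.
POLICY_ANY_RESOURCE = (
    '<Policy PolicyId="p1"><Target>'
    '<Subjects><Subject>' + _string_match("Subject", "role", "admin") + '</Subject></Subjects>'
    '<Actions><Action>' + _string_match("Action", "action-id", "read") + '</Action></Actions>'
    '</Target><Rule RuleId="r1" Effect="Permit"/></Policy>')

# Same policy with an explicit Resources section that names only /docs/a.
POLICY_ONE_RESOURCE = POLICY_ANY_RESOURCE.replace(
    '</Subjects>',
    '</Subjects><Resources><Resource>' + _string_match("Resource", "resource-id", "/docs/a")
    + '</Resource></Resources>')

# No Target at all: under item 13 the policy applies to everything.
POLICY_NO_TARGET = '<Policy PolicyId="p3"><Rule RuleId="r1" Effect="Deny"/></Policy>'

# Constructed request: one subject, one action, two resources (item 4).
ADMIN = {"role": ["admin"]}
READ = {"action-id": ["read"]}
DOCS = [{"resource-id": ["/docs/a"]}, {"resource-id": ["/docs/b"]}]

if __name__ == "__main__":
    for name, pol in [("any-resource", POLICY_ANY_RESOURCE),
                      ("one-resource", POLICY_ONE_RESOURCE),
                      ("no-target", POLICY_NO_TARGET)]:
        print(name, evaluate(pol, ADMIN, DOCS, READ))
```

The point worth noticing is the second policy: naming only /docs/a leaves /docs/b NotApplicable rather than Denied, so a PEP that only reads the aggregate needs a fail-closed rule like the one used here, while a PEP that wants to act on each resource separately needs the per-resource decisions the post's items 3 and 4 describe as the alternative response shape.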