OASIS eXtensible Access Control Markup Language (XACML) TC


F2F Agenda Topics

  • 1.  F2F Agenda Topics

    Posted 06-17-2011 13:46
    With the F2F rapidly approaching, we need to start nailing down the agenda. In the past we have chunked up the discussion topics so that we can make sure to cover as many of them as possible, while driving the largest/most difficult issues to completion as the primary driver. To that end I would like to propose that we again break the days in half thus and then dissect from there as needed:

      Tuesday 8-12
      Tuesday 1-5
      Wednesday 8-12
      Wednesday 1-5
      Thursday 8-12

    Below is a non-exhaustive list of open issues.

      Attribute Predicate
      BTG
      PIP Directive
      JSON Profile
      Obligation/Advice Combining
      PAP Interface
      RSA Interop
      "Web Friendly" Policy Ids
      "Sticky" Policies
      XACML Metadata Schema

    I suggest that we begin by fleshing out this list, then prioritize and schedule those topics that have the most interest and will have champions in attendance. My goal is to have a candidate agenda for the TC call next Thursday so please take a few moments to chime in with your thoughts.

    thanks
    b


  • 2.  RE: [xacml] F2F Agenda Topics

    Posted 06-17-2011 20:53
    I'd like to add another topic to the agenda list: combining algorithm for a distributed admin environment.

    Currently, combining algm is specified only within a container (a policy or a policy set). In an enterprise, policy admin is usually distributed among different organizational units, ranging from small workgroups to the corporate level. For a given decision request, there may be multiple applicable policies that are created by different admin authorities. These policies may not know the existence of each other, and may not be encapsulated in a single policyset. We need a broader model for combining algm to resolve conflict in this case.

    I'll be glad to give an example at the F2F.

    David


  • 3.  RE: [xacml] F2F Agenda Topics

    Posted 06-17-2011 21:12
    +1

    Martin

    Martin F. Smith
    Director, National Security Systems
    US Department of Homeland Security
    NAC 19-204-47
    (202) 447-3743 desk
    (202) 441-9731 mobile


  • 4.  RE: [xacml] F2F Agenda Topics

    Posted 06-17-2011 21:36
    This sounds like a very strange business case, and I don't see how XACML can help. It does not appear to be a rational model for policy development if independent groups are making rules concerning potentially overlapping instances of subject/resource/action. That is anarchy, not federation.

    And even if some enterprises find it useful to develop policies that way, the PDP implementation should allow specifying one of the existing policy-combining algorithms (or a custom one) at the notional "root" of the policy tree.

    Regards,
    --Paul


  • 5.  RE: [xacml] F2F Agenda Topics

    Posted 06-17-2011 21:44
    This is a capability we (DHS and others) are very interested in. Whether it is an XACML standards issue or not is debatable (vs. a "tools" issue) but I note that a good deal of the overall Security TC work is based on a unifying architectural model of access control that is beyond the scope of the SAML or XACML standards themselves. So I hope we can identify someone to tackle the requirement . . .

    Regards,
    Martin

    Martin F. Smith
    Director, National Security Systems
    US Department of Homeland Security
    NAC 19-204-47
    (202) 447-3743 desk
    (202) 441-9731 mobile


  • 6.  Re: [xacml] F2F Agenda Topics

    Posted 06-20-2011 15:40
    Hi Martin,

    I agree with your characterization of this use case as an essential capability. As David described it:

    > In an enterprise, policy admin is usually distributed among different
    > organizational units, ranging from small workgroups to the
    > corporate level.
    > For a given decision request, there may be multiple applicable
    > policies that are created by different admin authorities.
    > These policies may not know the existence of each other, and may
    > not be encapsulated in a single policyset.
    > We need a broader model for combining algm to resolve conflict
    > in this case.

    I submit that the XACML 3.0 Hierarchical Profile has been restructured such that such use cases are the expected practice. Namely, that multiple hierarchies can be defined over a common set of resources. Once the hierarchies are independently defined, then the only issue left is to "combine the roots" to determine which of the possibly conflicting decisions will apply.

    For example, consider a physical laptop as an enterprise resource. Governance over this laptop may include several interested parties: the employee who has been granted use of the laptop; an IT maintenance person who has been granted authority over allowed configurations on the laptop, etc. The employee may want to use the laptop for a specific purpose, whereas the facilities manager may say that is not allowed. This decision may go up several levels of the mgmt chain and finally reach a point where the eng vp says yes, but the IT vp says no, and the CEO does not know enough about the problem to render a decision. Therefore, the next step might be that the eng vp and IT vp are required to meet and to come up w an appropriate decision.

    Situations like this can be addressed by hierarchical profile where there is an eng hierarchy and an IT hierarchy, where the hierarchy in eng is based on the org structure, as is the IT hierarchy. The laptops as resources have hierarchical identifiers for both hierarchies, and independent policies exist for each hierarchy. When the decisions are in conflict then one can define a top-level PolicySet that contains the roots of both hierarchies and apply a combining algorithm appropriate for resolving the decision.

    The structure that enables this capability is the "forest", which is a disjoint set of single-rooted hierarchical trees. When the hierarchies in the forest are combined over the common set of resources, the structure is known as a "polyarchy". The XACML 3.0 Hierarchical profile has been updated explicitly to make this relationship clear and to remove the unnecessary restrictions in 2.0 that limited the profile to DAGs, which are not appropriate to address this problem.

    Thanks,
    Rich


  • 7.  RE: [xacml] F2F Agenda Topics

    Posted 06-20-2011 16:02
    I’m open to evidence that would change my mind, but I don’t believe there’s an IT solution for confusion, disagreement, and anarchy among rule-makers.

    If all the rule-makers in the enterprise wrote their rules in XACML, and if they used a common set of attributes, then you can perform static analysis on the policies to detect possible conflicts. But those conflicts will have to be resolved by business people, not by programmers or IT architects.

    David hinted that he had a use case that might demonstrate the deficiency of the existing policy-combining feature of XACML, so I will wait to see the details of that scenario.

    Regards,
    --Paul


  • 8.  Re: [xacml] F2F Agenda Topics

    Posted 06-20-2011 19:18
    Hi Paul,

    I tried to bring that out in the example I gave, which had 2 independent hierarchies, where the policy on one hierarchy said yes, and the other said no. The resolution was that the authorities at the top of the two hierarchies would have to meet and sort things out, which could be done by an obligation initiating some kind of workflow.

    There will always be cases where the policy designers are not able to provide a definitive resolution. The idea is to design policies to capture those cases where the resolutions are well-defined, and to provide notification to authorities of conflicts that have to be resolved, because the policies do not cover the situation.

    The top level policyset would evolve with time as the preferred solutions became better understood by the human resolution of the conflict the first few times the conflict occurred, which could then be codified in attributes and automated as appropriate.

    Thanks,
    Rich
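
The laptop scenario from messages 6 and 8, as an added example that is not part of the original thread or of any TC document: two independently administered hierarchies (eng and IT) are combined at a top-level policy set, an unresolved Permit/Deny conflict fails closed and returns an obligation that starts the human workflow, and a conflict that people have already settled is codified in a resolution table. The class names, the root-first evaluation order inside a hierarchy, the obligation id and the resource identifiers are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"


@dataclass
class Hierarchy:
    """One authority's tree; policies are attached to nodes of its own hierarchy."""
    name: str
    policies: dict  # node path -> callable(request) -> PERMIT | DENY | NA

    def evaluate(self, request):
        # The resource carries one hierarchical identifier per hierarchy.
        # Walk it root-first and take the first applicable policy, so a
        # higher authority prevails (an assumption of this sketch).
        parts = request["resource_ids"][self.name].split("/")
        for depth in range(1, len(parts) + 1):
            policy = self.policies.get("/".join(parts[:depth]))
            if policy is not None:
                decision = policy(request)
                if decision != NA:
                    return decision
        return NA


@dataclass
class TopLevelPolicySet:
    """Combines the roots of a forest of independently administered hierarchies."""
    roots: list
    # Conflicts already settled by people: action -> hierarchy whose decision wins.
    resolutions: dict = field(default_factory=dict)

    def evaluate(self, request):
        decisions = {h.name: h.evaluate(request) for h in self.roots}
        applicable = {n: d for n, d in decisions.items() if d != NA}
        outcomes = set(applicable.values())
        if not outcomes:
            return NA, []
        if len(outcomes) == 1:
            return outcomes.pop(), []
        winner = self.resolutions.get(request["action"])
        if winner in applicable:
            return applicable[winner], []
        # Unresolved conflict: fail closed and hand the PEP an obligation that
        # notifies the authorities of both hierarchies (hypothetical id).
        obligation = {
            "id": "example:notify-authorities",
            "permit": sorted(n for n, d in applicable.items() if d == PERMIT),
            "deny": sorted(n for n, d in applicable.items() if d == DENY),
        }
        return DENY, [obligation]


def action_is(action, decision):
    return lambda req: decision if req["action"] == action else NA


# Constructed sample policies and identifiers for one laptop.
eng = Hierarchy("eng", {"eng/vp": action_is("install-debugger", PERMIT)})
it = Hierarchy("it", {"it/vp": action_is("install-debugger", DENY),
                      "it/vp/facilities": action_is("patch-os", PERMIT)})
LAPTOP = {"eng": "eng/vp/team-a/laptop-17", "it": "it/vp/facilities/laptop-17"}


def decide(action, resolutions=None):
    top = TopLevelPolicySet([eng, it], resolutions or {})
    return top.evaluate({"action": action, "resource_ids": LAPTOP})


if __name__ == "__main__":
    print(decide("install-debugger"))                                # conflict
    print(decide("install-debugger", {"install-debugger": "eng"}))   # codified
    print(decide("patch-os"))                                        # one root applies
```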


  • 9.  RE: [xacml] F2F Agenda Topics

    Posted 06-17-2011 21:57
    I have yet to see an enterprise that has a central admin for all access control policies in the Enterprise. A workgroup may administer access control policies for documents created by the workgroup. But then there may be divisional or corporate policies that govern internal documents. Retention, records management, legal hold are examples of use cases. A workgroup may not be aware of all the corporate policies that are in place, and corporate may not be aware of all the policies created by all the workgroups in the company.

    david


  • 10.  RE: [xacml] F2F Agenda Topics

    Posted 06-21-2011 14:57
    Very interesting discussions on XACML in the lists..

    Large banks (global, distributed, heterogeneous, complex/hierarchies, etc.) such as CB or BofA, etc.; I can imagine will have multiple XACML projects;

    a) for example a LOB having its own XACML PDP for the HomeLoan&Fin apps it owns and there could be a few
    b) an Overarching Ent XACML PDP -- that is defining Global Gov rules, Risk rules and Compliance controls - GRC oriented (that LOB XACML PDP consults for risky and sensitive data (iTAR, PCI_DSS, etc.))
    c) The Risk rules in item b) can actually be a large scale Enterprise Risk PIP --> feeding into an Ent PDP
    d) a Network XACML PDP -- that is highly focusing on capturing network context from network services (session oriented, packet oriented, intrusion/inspection specific, etc.) and aligning the Network Security Services in DMZ (this PDP integrates heavily into AuthN, Adaptive AuthN, STS, etc., as well - and acts as an added Subject Attribute Auth for the Ent PDP) - it also acts as a Device and Communication Ctrl PDP
    e) In addition to this - we can have a Privileged Access PDP - down the road - for OS/VM/Hypervisor (clients and server) - integrates into IAAS type env via tools that implement such AC and FW's.

    So essentially for most use cases - local LOB PDP is touched... (user from within that LOB, context within the LOB, resources within that LOB, etc.)..
    The LOB PDP consults the master/Ent PDP for additional Data/Risk/Compliance centric rules (when the context is iTAR or Export Control or IP, etc.)
    The ent PDP consults the Ent Risk PIP/PDP to ascertain certain decisions..
    And more..

    Divvying up the workload this way allows for parallel progress from multiple perspectives (for large, global, distributed, heterogeneous, complex/hierarchies, etc.)...

    Hence --
    Combining algorithm for a distributed admin environment
    Delegated Admin to local PDP and Distributed PDP
    And more..
    Will all be useful..

    Also discussions in this F2F around topics such as;

    XACML PDP integration into DB FW
    XACML PDP integration into DLP FW
    XACML PDP integration into DRM FW
    (similar to XACML PDP integration into XML FW's)

    And its outcome - will be very useful..

    Are the dates for the F2F finalized?

    Regards
    RR


  • 11.  Re: [xacml] F2F Agenda Topics

    Posted 06-21-2011 16:03
    Yes, the F2F date/location has been set:

    <minutes>
    F2F - June 28th, 29, 30th in Lexington, MA
    Online Poll: (Attend in person: 9, by phone: 3)
    hal/john: posted boeing list of nearby hotels in the 128/Burlington area
    http://lists.oasis-open.org/archives/xacml/201106/msg00026.html
    address: 1 Network Drive, Burlington (old Sun campus)
    </minutes>

    b


  • 12.  RE: [xacml] F2F Agenda Topics

    Posted 06-23-2011 16:57
    I have been touting Federated Administration as a capability of XACML for years. I believe it can be done today, with nothing more than some organization-wide conventions on structuring the enclosing policy sets. (Conventions that will likely differ from one organization to another and therefore are not suitable for standardization.) I do not believe it is necessary to be using hierarchical resources to do this.

    I will be very interested to hear what specific additional XACML features are seen as being required.

    Hal


  • 13.  RE: [xacml] F2F Agenda Topics

    Posted 06-24-2011 07:41
    Hal suggested in today's meeting that it would help to distribute thoughts prior to F2F. Attached are brief descriptions of my thoughts on two of the F2F agenda topics, for whatever they are worth.

    david