OASIS eXtensible Access Control Markup Language (XACML) TC

Expand all | Collapse all

BTG sequence diagram

  • 1.  BTG sequence diagram

    Posted 04-22-2011 19:16
      |   view attached
    This is to respond to David Chadwick's notes [1] and [2] and to try to explain what I believe is the correct sequence of a BTG episode. In [1], David describes three evaluation scenarios: 1. "If action = read and role=Doctor and resource=medical record and BTGstate = True then grant access" No problem here--it corresponds to the last user interaction in attached sequence diagram. 2. "If Action=SetBTG and .... then grant with obligation set BTGstate to True in StateDB." I guess it could work this way, but if we identify a "GlassManager" service, the user would request the GlassManager to break the glass, who in turn would make an authorization request, verify permission, and take the action, and return an appropriate message (perhaps including obligations) to the user. 3. "If Action=ResetBTG and .... then grant with obligation set BTGstate to False in StateDB" I did not show this interaction, but it would look like the illustrated interaction for "breakGlass". Now, more generally, to respond to [2], refer to the attached sequence diagram, which represents a rather purified view of the components and their interactions. Many variations on this are possible, but the variations I do not want to sanction with a standard are the ones that would have the PEP, PDP, or PIP doing things that degrade their functional independence or extend their specified behavior, or that would overload the XACML request/response mechanism with additional meanings. David's last formal proposal [3] has all of these risks, although subsequent discussion has mitigated some of them. One feature of that proposal that has not been discussed much is the initial BTG obligation (section 2.1). This would require the PDP not only to apply the policy to the original request (for data), but also to find and apply a policy to a hypothetical request to break the glass. I don't know of a policy feature to induce this behavior, nor any type of stanard request that could do this. The policy could return the state of the glass as an obligation attribute, but that is all it could do using standard features. Maybe if we can agree on the scenarios we want to support (using sequence diagrams for common understanding) we would have a better chance of identifying opportunities for standardization around BTG. Regards, --Paul [1] http://lists.oasis-open.org/archives/xacml/201104/msg00031.html [2] http://lists.oasis-open.org/archives/xacml/201104/msg00033.html [3] http://lists.oasis-open.org/archives/xacml/201102/msg00017.html btg-sequence.pdf

    Attachment(s)

    pdf
    btg-sequence.pdf   18 KB 1 version


  • 2.  Re: [xacml] BTG sequence diagram

    Posted 04-22-2011 23:26
    Hi Paul, First, let me say that the reason I am replying to these issues is not specifically to support David's proposal as submitted, but to try to help get an understanding of what the core issues really are and then the TC should be able to better decide what makes sense for next steps. Also, I think the BTG scenario represents a common use case, that the TC generally agrees is part of what XACML should be able to do with Policy definitions in conjunction w the surrounding components: PEP, CH, PIP, PAP, APPL, where these components are defined to have certain scopes of capabilitiess in the XACML spec that the PDP admins can expect to incorporate in the Policy defns. (For example: the PEP submits requests and processes responses, the CH can front-end the PDP and provide some features such as pre-processing PEP requests and preparing single-decision requests to submit as well as finding missing attributes during Policy evaluation , the PIP can provide these missing attributes (see the data flow diagram figure 1, section 3.1, particularly steps 5->10 that imply the capabilities in this and the prev bullet) the PAP can prepare and activate/deactivate policies the APPL provides the the resources that are being requested) With respect to David's proposal, I have refrained from getting into the details, which I have qualified in my earlier remarks, and particularly had avoided delving into the use of the Obligations to facilitate this process. So, let me flat out say: I think the Obligations are superfluous and do not have any place in the core BTG capability . There is nothing wrong with them being there, but, imo, they are unnecessary. That being said, let me quickly stride thru your sequence diagram, and call out what appear to me to be the important points. The diagram is in 3 parts, which we can call 1, 2, and 3. In part 1, the following occurs: The User submits a request to a WebApp for a Resource. The PEP in (in front of, whatever) the WebApp sends XACML request to PDP The PDP finds that it needs btgState to complete eval, so has CH get it from the PIP that gets it from GlassMgr PIP gets value from GlassMgr and returns btgState = false to PDP PDP finishes eval and returns Deny (with or without Advice, imo) In part 2, the following occurs: The User, having been denied, knows that it has a BTG priv, and so submits a request to the GlassMgr to activate the privilege. The PEP in front of GlassMgr asks the PDP if this User is authorized to activate his BTG priv. The PDP says yes, the User, according to Policy is authorized to perform this action (activate the User's BTG priv), and returns Permit. The GlassMgr then activates the User's BTG priv, setting btgState=true. The GlassMgr then returns notice to the User that the User's btg priv is active (again, imo, there is no need for any obligations) In part 3, the following occurs: The User reattempts the request in part 1 step 1. PEP sends req to PDP, same as part 1, step 2. PDP again finds it needt btgState and uses CH, same as part 1, step 3. PIP again gets value from GlassMgr, but this time returns btgState = true to PDP. PDP finishes eval and returns Permit (again, imo, no obligations are needed), and this time the WebAppl returns the Resource to the User. Based on the core description as I've described above, one can then add Obligations and Advice to help things along , but they are not needed, imo. I believe that presented this way, the scenario does not involve any of the risks you mentioned, and, I don't think it does anything out of the ordinary , except takes advantage of the built in XACML capabilities to call out for external attrs as described in the data flow diagram of section 3.1 of 3.0 core spec.       Thanks,       Rich On 4/22/2011 3:16 PM, Paul Tyson wrote: 1303499767.5905.30.camel@tristan type= cite > This is to respond to David Chadwick's notes [1] and [2] and to try to explain what I believe is the correct sequence of a BTG episode. In [1], David describes three evaluation scenarios: 1. If action = read and role=Doctor and resource=medical record and BTGstate = True then grant access No problem here--it corresponds to the last user interaction in attached sequence diagram. 2. If Action=SetBTG and .... then grant with obligation set BTGstate to True in StateDB. I guess it could work this way, but if we identify a GlassManager service, the user would request the GlassManager to break the glass, who in turn would make an authorization request, verify permission, and take the action, and return an appropriate message (perhaps including obligations) to the user. 3. If Action=ResetBTG and .... then grant with obligation set BTGstate to False in StateDB I did not show this interaction, but it would look like the illustrated interaction for breakGlass . Now, more generally, to respond to [2], refer to the attached sequence diagram, which represents a rather purified view of the components and their interactions. Many variations on this are possible, but the variations I do not want to sanction with a standard are the ones that would have the PEP, PDP, or PIP doing things that degrade their functional independence or extend their specified behavior, or that would overload the XACML request/response mechanism with additional meanings. David's last formal proposal [3] has all of these risks, although subsequent discussion has mitigated some of them. One feature of that proposal that has not been discussed much is the initial BTG obligation (section 2.1). This would require the PDP not only to apply the policy to the original request (for data), but also to find and apply a policy to a hypothetical request to break the glass. I don't know of a policy feature to induce this behavior, nor any type of stanard request that could do this. The policy could return the state of the glass as an obligation attribute, but that is all it could do using standard features. Maybe if we can agree on the scenarios we want to support (using sequence diagrams for common understanding) we would have a better chance of identifying opportunities for standardization around BTG. Regards, --Paul [1] http://lists.oasis-open.org/archives/xacml/201104/msg00031.html [2] http://lists.oasis-open.org/archives/xacml/201104/msg00033.html [3] http://lists.oasis-open.org/archives/xacml/201102/msg00017.html --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


  • 3.  Re: [xacml] BTG sequence diagram

    Posted 04-22-2011 23:32
    So Rich, in this scenario you are treating the BTG priv attribute as a Resource? If not, what does "permit" refer to? thanks b On Apr 22, 2011, at 4:25 PM, rich levinson wrote: > • The PEP in front of GlassMgr asks the PDP if this User is authorized to activate > his BTG priv. > • The PDP says yes, the User, according to Policy is authorized to perform this > action (activate the User's BTG priv), and returns Permit.


  • 4.  Re: [xacml] BTG sequence diagram

    Posted 04-23-2011 01:49
     > On Fri, 2011-04-22 at 16:32 -0700, Bill Parducci wrote: > So Rich, in this scenario you are treating the BTG priv attribute as a Resource? If not, what does "permit" refer to? > > thanks > > b > > On Apr 22, 2011, at 4:25 PM, rich levinson wrote: > > > €¢ The PEP in front of GlassMgr asks the PDP if this User is authorized to activate > > his BTG priv. > > €¢ The PDP says yes, the User, according to Policy is authorized to perform this > > action (activate the User's BTG priv), and returns Permit. > I had in mind a generic "BTG state", which I guess would be an environment attribute. The user invokes a method of the GlassManager like "breakGlass()". Upon finding that the user is authorized to execute this action, the GlassManager executes this method to set the environment attribute, btg-state, to "true". In an earlier email I asked for clarification on what, exactly, the glass protected: a person, a class of persons, a resource, a group of resources, or some combination of these? I guess generically you could have a boolean btg-state attribute for every action, resource, and subject (as well as an environment btg-state). Then the user would invoke a method like "breakGlass('Bart Simpson')" to unprotect Bart Simpson's records. The PIP would ask for the btg-state attribute pertaining to Bart's records. This is another area that needs to be clarified in David's BTG proposal. Regards, --Paul


  • 5.  Re: [xacml] BTG sequence diagram

    Posted 04-23-2011 06:09
    Hi Paul, I think we are basically in agreement at this point. I agree that there can be as many btg attrs as necessary. There is a similar notion of consent that users can apply to their own data, which is also fine grained in the sense that consent can be specific users can see the consenter's data. Both these concepts were demo'd in the RSA 2008 Interop, based on the requirements and recommended techniques provided by the VHA people: David S, Mike D, and Duane. We didn't have an actual GlassMgr, but it was implicitly there. Thanks, Rich On 4/22/2011 9:49 PM, Paul Tyson wrote: >> On Fri, 2011-04-22 at 16:32 -0700, Bill Parducci wrote: >> So Rich, in this scenario you are treating the BTG priv attribute as a Resource? If not, what does "permit" refer to? >> >> thanks >> >> b >> >> On Apr 22, 2011, at 4:25 PM, rich levinson wrote: >> >>> €¢ The PEP in front of GlassMgr asks the PDP if this User is authorized to activate >>> his BTG priv. >>> €¢ The PDP says yes, the User, according to Policy is authorized to perform this >>> action (activate the User's BTG priv), and returns Permit. > I had in mind a generic "BTG state", which I guess would be an > environment attribute. The user invokes a method of the GlassManager > like "breakGlass()". Upon finding that the user is authorized to > execute this action, the GlassManager executes this method to set the > environment attribute, btg-state, to "true". > > In an earlier email I asked for clarification on what, exactly, the > glass protected: a person, a class of persons, a resource, a group of > resources, or some combination of these? > > I guess generically you could have a boolean btg-state attribute for > every action, resource, and subject (as well as an environment > btg-state). Then the user would invoke a method like "breakGlass('Bart > Simpson')" to unprotect Bart Simpson's records. The PIP would ask for > the btg-state attribute pertaining to Bart's records. > > This is another area that needs to be clarified in David's BTG proposal. > > Regards, > --Paul > > >


  • 6.  RE: [xacml] BTG sequence diagram

    Posted 04-25-2011 13:43
    This discussion seems reasonable to me as far as it goes, however the BTG attribute is more than a privilege, it is in an environmental variable that tells the PDP which of a number of possible policy sets applies to the decision at hand.

    In XSPA SAML, this environmental attribute is always contained in the SAML assertion and is called the "Purpose of Use". The scenario would play out pretty much the same as Rich describes, however, on the deny, the user knows they have the ability to change the purpose of use to BTG and makes a conscious effort to do so.

    There is a business point here that users should not assert BTG (which in effect over rides "normal" policy) just because they want access. Abuse of this attribute is not allowed. This is inherent in asserting the extraordinary BTG POU, which will have the effect of triggering other security system events outside of the authorization system (e.g. enhanced audit, notification to system administrators, activation of a clock to limit the time the purpose of use is to allowed, etc).

    The establishment of the BTG policy set, may or may not cause privilege elevation, but in my opinion is not an essential element (e.g., you must still have the permission of "Medical Doctor" in the BTG Policy set).

    Regards, Mike Davis, CISSP
    Department of Veterans Affairs
    VHA Office of Health Information
    Security Architect
    760-632-0294




  • 7.  RE: [xacml] BTG sequence diagram

    Posted 04-25-2011 14:55
    "This discussion seems reasonable to me as far as it goes, however the BTG attribute is more than a privilege, it is in an environmental variable that tells the PDP which of a number of possible policy sets applies to the decision at hand."

    I would say it is a USER ASSERTION about the state of the environment.

    As such, it seems logical to treat it as one of a large class of "user attributes" for which the user is considered the attribute source, another example of which would be a user's assertion of an authorized purpose for requesting an info resource. What's the point of relying on the user's assertion for access control? Well, sometimes there is no alternative, and if the assertion is logged as part of the access transaction logging, the enforcement of appropriateness can be done ex-post. Ex-post enforcement is effective in many cases. The judgment as to whether a policy will allow user-asserted attributes would be based on part on consideration of whether ex-post enforcement would be effective.


    Martin



    Martin F. Smith
    Director, National Security Systems
    US Department of Homeland Security
    NAC 19-204-47
    (202) 447-3743 desk
    (202) 441-9731 mobile






  • 8.  RE: [xacml] BTG sequence diagram

    Posted 04-25-2011 15:40

    Because, in this case, the obligation approach does not align with the business need/policy. The simple fact that one gets a deny does not imply an obligation to automatically invoke a security bypass. Since the PDP is not a state machine, the change of state must be external, hence, the deny allows the user to reassess the situation and apply either additional privilege to the request or change the game by changing the policy set. There is another aspect of BTG, in that the user is typically required to assert acknowledgement to a set of conditions, including an understanding that BTG is exceptional access and that they are asserting this intentionally. This gets messy, since the obligation may need to be passed across boundaries to an external requestor (you are now making a demand that the foreign system have an interface with the requestor). It seems simpler to me, to just have a deny and leave it up to the user to figure out what they need to do.

    Furthermore, what would be totally acceptable in my mind, is for a technology, such as XACML, to attempt to mandate to the business side (regardless of what that is, healthcare, finance, manufacturing etc.) that they MUST include a business role/permission (such as BTG) in their information model in order to make XACML work. In fact, in healthcare (HL7 and ISO), there is currently no such standard role, instead the standard is for Purpose of Use defining a number of possible policy sets under different conditions, (e.g. normal treatment, administrator access, programmer access, research, marketing, etc.). OASIS has existing standards (XSPA SAML, XACML and WS-Trust) that have taken this approach and defined the environmental attribute in the assertion.



    Regards, Mike Davis, CISSP
    Department of Veterans Affairs
    VHA Office of Health Information
    Security Architect
    760-632-0294