OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec

    Posted 06-25-2013 20:34
    The TNC MAP Authorization focal asked for clarification regarding a section of the XACML core spec, which I was unable to definitively answer, so I agreed to bring the question to the XACML TC list.

    The XACML spec states:

    7.17 Authorization decision
    In relation to a particular decision request, the PDP is defined by a policy-combining algorithm and a set of policies and/or policy sets. The PDP SHALL return a response context as if it had evaluated a single policy set consisting of this policy-combining algorithm and the set of policies and/or policy sets.

    Question: Does the PDP have a default/root PolicySet with a policy-combining algorithm even if it’s not explicitly defined? If so, what is the policy-combining algorithm?

    Let me walk through a scenario:

    When a PDP receives an XACML request, the PDP looks for all applicable policies and policy sets (as determined by section 5.6 Element <Target>). Let’s say it finds one Policy A and one Policy Set B. So, to me that would mean that the “policy set” is made up of Policy A and Policy Set B (Set={A,B}). It’s my understanding that if, for example, Policy A has a PolicyReference or PolicySetReference to a policy or policy set outside of that set (e.g. Policy C) then it would be pulled in as part of the evaluation of Policy A.

    In addition, Policy A and Policy Set B will each have their own combining algorithm and each will evaluate to a single decision of either Permit, Deny, Indeterminate, or NotApplicable. For the sake of this scenario let’s say Policy A decision = Permit and Policy Set B decision = Deny. Here is where I agree it becomes fuzzy. The PDP can only return one decision and it must use a combining algorithm to determine the final verdict. Where does this combining algorithm come from? Where is it defined? Is there a default combining algorithm that the PDP uses?

    - Richard Hill


  • 2.  RE: Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec

    Posted 06-25-2013 21:48
    Since the spec doesn’t say how that policy-combining algorithm is to be specified to the PDP (the spec doesn’t cover much of anything of PDP configuration), I think we have to consider it a vendor-specific implementation detail.

    To avoid having to create an external config setting in our PDP implementation, we simply require that the PDP be assigned exactly one PolicySet, so that the selection of combining algorithm is explicit and authored in the usual policy admin environment.

    -Danny

    Danny Thorpe
    Authorization Architect
    Dell Identity & Access Management, Quest Software
    Quest Software is now part of Dell.


  • 3.  Re: [xacml] RE: Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec

    Posted 06-25-2013 22:37
    Hi,

    The Axiomatics approach is also along the lines of what Danny describes. An Axiomatics PDP uses a single policy (set) as an entry point. The combining algorithm is therefore explicitly part of that single policy (set) used as the main entry point.

    David.

    --
    David Brossard, M.Eng, SCEA, CSTP
    Product Manager, Axiomatics AB, Stockholm, Sweden
    http://www.axiomatics.com


  • 4.  RE: [xacml] RE: Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec

    Posted 06-27-2013 19:01
    At some point in the distant past, there was an understanding that a PDP would define a default Policy Combining Algorithm to be used for the virtual top-level Policy Set if there was no real top level. There was also a notion that this value would be made available as metadata some day.

    Unfortunately, this never actually made it into the text. Further, someone recently drew my attention to Test Case #30, which specifically checks for the generation of Indeterminate if there is no top-level policy.

    IMHO the silence of the spec on this subject means you can either require a top-level Policy Set at policy load time or establish a default combining algorithm. I consider generating an Indeterminate result for ALL decisions to be silly.

    Hal


  • 5.  Re: [xacml] Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec

    Posted 06-25-2013 23:05
    Hi Richard,

    In ViewDS the combining algorithm is part of the PDP configuration. It defaults to deny-overrides if it is not explicitly set. We distinguish policy sets as being either primary or secondary. The primary policy sets are evaluated and combined according to the configured combining algorithm. The secondary policy sets will be used only if referenced from another policy set that is evaluated. Policies are all effectively secondary. Thus the PDP acts as though it has a virtual policy set as the starting point, with the configured combining algorithm and all the primary policy sets as children.

    When importing policy from a system that distinguishes one policy set as the starting point, that policy set would be primary and all the rest would be secondary. The default combining algorithm of deny-overrides becomes the identity mapping when there is only one child/primary.

    Regards,
    Steven


  • 6.  RE: Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec

    Posted 06-26-2013 07:13
    Hi Richard,

    Our implementation has an implicit root PolicySet with a configurable combining algorithm, which defaults to deny-overrides. Any Policy(Set) that is added and is not explicitly part of another PolicySet is implicitly part of the root PolicySet.

    Thanks,
    Ray
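As an added illustration (not code from this thread or from any of the vendors named in it), here is a toy Python model of the implicit root PolicySet that Steven and Ray describe, with the XACML 3.0 deny-overrides policy-combining algorithm (core spec Appendix C.2) as the configured default; the `PolicySet`, `PDP` and `const` names and the `primary` flag are constructed for this example. It shows Richard's A=Permit / B=Deny scenario resolving to Deny, and Steven's observation that deny-overrides is the identity mapping over a single child.

```python
from dataclasses import dataclass
from typing import Callable, List

# Decision values, including the extended Indeterminate forms that the
# XACML 3.0 combining algorithms (core spec Appendix C) distinguish.
DENY, PERMIT, NA = "Deny", "Permit", "NotApplicable"
IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"


def deny_overrides(decisions: List[str]) -> str:
    """XACML 3.0 deny-overrides policy-combining algorithm (Appendix C.2)."""
    if DENY in decisions:
        return DENY
    if IND_DP in decisions:
        return IND_DP
    if IND_D in decisions and (IND_P in decisions or PERMIT in decisions):
        return IND_DP
    if IND_D in decisions:
        return IND_D
    if PERMIT in decisions:
        return PERMIT
    if IND_P in decisions:
        return IND_P
    return NA  # nothing applicable, e.g. no primary policy sets at all


@dataclass
class PolicySet:
    name: str
    primary: bool                # constructed flag modelling the primary/secondary split
    evaluate: Callable[[], str]  # constructed stand-in for full Target/Rule evaluation


def const(decision: str) -> Callable[[], str]:
    """Constructed helper: a policy set whose evaluation always yields `decision`."""
    return lambda: decision


@dataclass
class PDP:
    """A PDP whose implicit root PolicySet has a configurable combining algorithm."""
    policy_sets: List[PolicySet]
    root_algorithm: Callable[[List[str]], str] = deny_overrides  # configured default

    def decide(self) -> str:
        # Only primary sets are children of the virtual root; a secondary set
        # contributes only when a primary set references it (that indirection
        # is hidden inside the primary set's evaluate() in this model).
        return self.root_algorithm([ps.evaluate() for ps in self.policy_sets if ps.primary])


if __name__ == "__main__":
    # Richard's scenario: Policy A -> Permit, Policy Set B -> Deny, both top-level.
    pdp = PDP([PolicySet("A", True, const(PERMIT)), PolicySet("B", True, const(DENY))])
    print(pdp.decide())  # Deny under the default deny-overrides root
```

Swapping `root_algorithm` for another combining function reproduces the "configurable" behaviour Steven and Ray mention; with only secondary sets loaded the virtual root has no children and returns NotApplicable.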