Summary of the issue: During the TC conference call on 29 August 2002, we discussed whether a Request <Resource> MUST contain an Attribute with AttributeId="...:resource-id". Polar argued that the resource might be identified by a more general attribute, such as classification level: the <Subject> is requesting access to all documents with the given classification level. Hal argued that this semantic implies that the PEP is doing its own finer-grained access control, which is not part of the XACML model, and that the specific resource to which access is being requested MUST be specified by its id. Hal also argued that there was a security problem if resource-id is not listed, since the policy might grant access to resources it did not intend. Proposal: I propose that we make minOccurs on <Resource> <Attribute> equal to 0, and use the following wording in describing <Resource> <Attribute>: "At least one Attribute must be present for the <Resource> if <ResourceContent> is not present. Typically, an Attribute with AttributeId equal to "urn:oasis:names:tc:xacml:1.0:resource:resource-id" will be present to identify the resource to which access is being requested." Comments: I do not think Hal's security issue holds up: if a policy wants to grant access only according to resource-id, then its target or conditions will always reference the resource-id attribute. In that case, if the attribute is not present, the policy will not apply or will be indeterminate. My proposal allows for several models of access control. It is up to a policy writer to determine which models the policies conform to. It is up to a PEP to know which attributes must be supplied for a given policy: one way to communicate this is through a "missing-attributes" status code in the <Response> to an initial <Request> that may contain minimal attributes. XACML does not need to specify the model for access control or the model for how required attributes are determined. Anne Anderson -- Anne H. Anderson Email:
Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692