Subject: [xacml] Re: Proposal (no longer a mystery!) for the path forward...
Several points:

1. It is important to realize that the unit of policy administration is the "policy", and not the "rule". We need to focus on what will make a "policy" easy to create, reference, index, etc.

2. Discussion item 4): Why is a rule "clearly about a resource, an action, or a subject"? How about where a rule is about a resource and a subject, or about a resource and an attribute of a subject? Examples:

   - "grant if subject security clearance level is greater than or equal to resource security classification level"
   - "grant if resource is employee-status-change-form, action is "approve", resource signer role is "VP", and employee age is greater than 55"

3. Discussion item 1): "It is not possible that a policy appears to be applicable based on its applicability element, but turns out not to be applicable once evaluation of the contained rules takes place."

   This is true only if the predicate in the applicability element is sufficiently expressive that it can return FALSE for ANY authorizationDecisionQuery to which the policy does not apply. The simple predicates we have been discussing for the applicability element are not sufficiently expressive: they MUST return TRUE for ANY authorizationDecisionQuery to which the policy applies, but MAY return TRUE for an authorizationDecisionQuery to which the policy does not apply. Example:

   - The Office of Age Discrimination in the Human Resource Department of Corporation S makes policies that will help prevent age discrimination lawsuits. Such lawsuits arise only with respect to employees who are over 55 years of age. To ensure that such an employee is not terminated without full review at a high level of management, the Office of Age Discrimination issues the following policy:

     "grant if resource is employee-status-change-form, action is "approve", resource signer role is "VP", and employee age is greater than 55"

     This policy applies ONLY to employees whose age is greater than 55. The Office of Age Discrimination does not know if additional policies should also apply to employees over 55 (such as regular employee policies), and it does not know what policies should apply to employees who are not over 55. But the current "applicability rule" cannot express the fact that the policy only applies to employees who are over 55.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
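The following is an added illustration of point 3 (not code from the poster or the XACML TC): a coarse applicability predicate over resource type and action is sound (TRUE for every query the policy covers) but not precise, so the age-discrimination policy can pass its applicability check and still yield no applicable rule. The policy layout, attribute names and the "Permit"/"NotApplicable" decision vocabulary are assumptions made for this example.

```python
# Added example: a toy evaluator showing why a simple applicability
# predicate cannot rule out "applicable by target, but no rule applies".
# Policy structure, attribute names and decision strings are assumptions.

def target_matches(policy, query):
    """Coarse applicability predicate. It MUST be TRUE for every query the
    policy applies to, but MAY also be TRUE for queries it does not: it can
    only express resource type and action, not the employee's age."""
    return (query["resource_type"] == policy["target"]["resource_type"]
            and query["action"] == policy["target"]["action"])

def evaluate(policy, query):
    """Return (decision, rules_evaluated). The flag records whether the
    applicability check alone settled the question."""
    if not target_matches(policy, query):
        return "NotApplicable", False
    for rule in policy["rules"]:
        if rule["condition"](query):
            return rule["effect"], True
    # The target said "applicable", but no rule condition held: the policy
    # turns out not to apply after all, which is exactly the case the
    # simple applicability element cannot exclude.
    return "NotApplicable", True

# The policy from the post, with an applicability target that can only
# name the resource type and the action.
AGE_DISCRIMINATION_POLICY = {
    "target": {"resource_type": "employee-status-change-form",
               "action": "approve"},
    "rules": [{
        "effect": "Permit",
        "condition": lambda q: (q["signer_role"] == "VP"
                                and q["employee_age"] > 55),
    }],
}

# Constructed sample authorization decision queries.
OVER_55 = {"resource_type": "employee-status-change-form",
           "action": "approve", "signer_role": "VP", "employee_age": 60}
UNDER_55 = dict(OVER_55, employee_age=40)        # passes target, fails rule
OTHER_RESOURCE = dict(OVER_55, resource_type="expense-report")

if __name__ == "__main__":
    for name, q in [("over 55", OVER_55), ("under 55", UNDER_55),
                    ("other resource", OTHER_RESOURCE)]:
        print(name, evaluate(AGE_DISCRIMINATION_POLICY, q))
```

The "under 55" query is the interesting one: the applicability element admits it, so the policy looks applicable to that employee, yet rule evaluation then yields no decision.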