Subject: [xacml] Re: Proposal (no longer a mystery!) for the path forward...


Several points:
1. It is important to realize that the unit of policy
   administration is the "policy", and not the "rule".  We need
   to focus on what will make a "policy" easy to create,
   reference, index, etc.

2. Discussion item 4): Why is a rule "clearly about a resource,
   an action, or a subject"?  How about where a rule is about a
   resource and a subject, or about a resource and an attribute
   of a subject?

   Examples:
   - "grant if subject security clearance level is greater than
     or equal to resource security classification level"
   - "grant if resource is employee-status-change-from, action is
     "approve", resource signer role is "VP", and employee age is
     greater than 55"

3. Discussion item 1): "It is not possible that a policy appears
   to be applicable based on its applicability element, but
   turns out not to be applicable once evaluation of the
   contained rules takes place."

   This is true only if the predicate in the applicability
   element is sufficiently expressive that it can return FALSE for
   ANY authorizationDecisionQuery to which the policy does not
   apply.  The simple predicates we have been discussing for the
   applicability element are not sufficiently expressive: they
   MUST return TRUE for ANY authorizationDecisionQuery to which
   the policy applies, but MAY return TRUE for an
   authorizationDecisionQuery to which the policy does not apply.

   Example:
   - The Office of Age Discrimination in the Human Resource
     Department of Corporation S makes policies that will help
     prevent age discrimination lawsuits.  Such lawsuits arise
     only with respect to employees who are over 55 years of
     age.  To ensure that such an employee is not terminated
     without full review at a high level of management, the
     Office of Age Discrimination issues the following policy:

     "grant if resource is employee-status-change-from, action is
     "approve", resource signer role is "VP", and employee age is
     greater than 55"

     This policy applies ONLY to employees whose age is greater
     than 55.  The Office of Age Discrimination does not know if
     additional policies should also apply to employees over 55
     (such as regular employee policies), and it does not know
     what policies should apply to employees who are not over
     55.

     But the current "applicability rule" cannot express the
     fact that the policy only applies to employees who are over
     55.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
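
The point in item 3 above (an applicability element that must be TRUE for every query the policy covers but may also be TRUE for queries it does not cover) as an added Python example. This is not part of the message above and not XACML's own data model or evaluation algorithm; the attribute names, the Permit/NotApplicable values and the first-applicable combining of rules are illustrative assumptions. It models the age-discrimination policy from the message with three applicability predicates of increasing expressiveness and reports, for each, which sample queries pass the applicability element yet evaluate to NotApplicable once the rule is checked.

```python
# Added example (not from the original message): an applicability element
# that is only a necessary condition for a policy to apply, so a query can
# look applicable and still come out NotApplicable once the rules run.
# Attribute names, effect values and first-applicable combining are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Query = Dict[str, object]      # flat attribute bag standing in for an authorizationDecisionQuery
Predicate = Callable[[Query], bool]

PERMIT, NOT_APPLICABLE = "Permit", "NotApplicable"


@dataclass
class Rule:
    effect: str
    condition: Predicate

    def evaluate(self, q: Query) -> str:
        return self.effect if self.condition(q) else NOT_APPLICABLE


@dataclass
class Policy:
    name: str
    applicability: Predicate   # the "applicability element" of the discussion
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, q: Query) -> str:
        # Step 1: the applicability element screens the query.
        if not self.applicability(q):
            return NOT_APPLICABLE
        # Step 2: the first rule that applies decides (assumed combining behaviour).
        for rule in self.rules:
            result = rule.evaluate(q)
            if result != NOT_APPLICABLE:
                return result
        return NOT_APPLICABLE


# The Office of Age Discrimination rule quoted in the message.
def age_review_rule(q: Query) -> bool:
    return (q.get("resource") == "employee-status-change-from"
            and q.get("action") == "approve"
            and q.get("resource-signer-role") == "VP"
            and isinstance(q.get("employee-age"), int)
            and q["employee-age"] > 55)


# Applicability predicates of increasing expressiveness.
def resource_and_action(q: Query) -> bool:
    # The "simple predicate" of the discussion: resource and action only.
    return q.get("resource") == "employee-status-change-from" and q.get("action") == "approve"


def resource_action_and_age(q: Query) -> bool:
    # Adds the age restriction the message says the current applicability rule cannot express.
    return resource_and_action(q) and isinstance(q.get("employee-age"), int) and q["employee-age"] > 55


POLICIES = {
    "simple":   Policy("simple", resource_and_action, [Rule(PERMIT, age_review_rule)]),
    "with-age": Policy("with-age", resource_action_and_age, [Rule(PERMIT, age_review_rule)]),
    # Only a predicate as expressive as the rule itself is FALSE for every non-applicable query.
    "exact":    Policy("exact", age_review_rule, [Rule(PERMIT, age_review_rule)]),
}


def looks_applicable_but_is_not(policy: Policy, q: Query) -> bool:
    """True when the applicability element says yes but no rule applies."""
    return policy.applicability(q) and policy.evaluate(q) == NOT_APPLICABLE


# Constructed sample queries (not real data).
QUERIES = {
    "vp-approves-60":      {"resource": "employee-status-change-from", "action": "approve",
                            "resource-signer-role": "VP", "employee-age": 60},
    "vp-approves-40":      {"resource": "employee-status-change-from", "action": "approve",
                            "resource-signer-role": "VP", "employee-age": 40},
    "manager-approves-60": {"resource": "employee-status-change-from", "action": "approve",
                            "resource-signer-role": "Manager", "employee-age": 60},
    "unrelated":           {"resource": "expense-report", "action": "approve",
                            "resource-signer-role": "VP", "employee-age": 60},
}


def false_positives(policy_name: str) -> List[str]:
    """Sample queries that pass the applicability element yet evaluate to NotApplicable."""
    policy = POLICIES[policy_name]
    return [name for name, q in QUERIES.items() if looks_applicable_but_is_not(policy, q)]


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:8s} over-approximates on: {false_positives(name)}")
```

Running it shows the "simple" predicate admitting both the 40-year-old and the manager-signed case, the "with-age" predicate still admitting the manager-signed case, and only the "exact" predicate admitting nothing the rule then rejects. That is the trade-off behind the message: an applicability element cheap enough to index on is a filter, and a policy that passes the filter still has to be evaluated and can come back NotApplicable.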