Access Control Teleconf 20080520

Notes from 20080509 Teleconf

  • What is in the authZ Subject ID?
    • should be able to specify "age is 21 or greater"
    • Duane: in XACML the subject or resource can be by name or by query (i.e. attribute values)
      • The query form becomes fairly unmanageable to write by hand
    • Drummond: could we just use RDF triples? Would that be sufficient?
    • Let's make some statements about what AuthN Materials result in:
      • AuthN Materials (when successfully authenticated) will result in entities (virtual or not) that follow the Higgins Data Model.
        • This way, we can make statements like "age >= 21" in an access control policy statement's subject identifier or resource identifier.
  • How do we say "the subject is anyone as long as they are authenticated"?
    • This might require another bit of data on an access control statement.
      • XACML has something called "conditions"
  • What are the semantics of "policy combining"?
    • This is when different policies make (perhaps conflicting) statements regarding a subject or resource.
    • In XACML, there is a policy set for each PDP. A policy set contains policies and perhaps further policy sets. In addition, it has combination rules.
  • How does an app know what can be placed in a given CP's AuthZ policy statement?
    • What kinds of actions, conditions, subjects, resources... can be managed?
    • Given a resource and subject, what actions are allowed?
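
The policy-combining question above can be made concrete with a small evaluator. This is an added example, not Higgins or XACML code: it keeps only the Permit, Deny and NotApplicable outcomes (no Indeterminate, targets or obligations), and the resource names, attribute names and the build helper are made up for illustration. It shows a subject selected by attribute query ("age >= 21"), an "anyone, as long as they are authenticated" condition, and a nested policy set whose result changes with the combining algorithm.

```python
from dataclasses import dataclass
from typing import Callable, List, Union

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
ALGORITHMS = ("deny-overrides", "permit-overrides", "first-applicable")

@dataclass
class Policy:
    effect: str                          # PERMIT or DENY
    subject: Callable[[dict], bool]      # subject selected by attribute query
    resource: str
    action: str
    condition: Callable[[dict], bool] = lambda s: True

    def evaluate(self, subj: dict, resource: str, action: str) -> str:
        applies = (resource == self.resource and action == self.action
                   and self.subject(subj) and self.condition(subj))
        return self.effect if applies else NA

@dataclass
class PolicySet:
    combining: str
    children: List[Union[Policy, "PolicySet"]]

    def evaluate(self, subj: dict, resource: str, action: str) -> str:
        if self.combining not in ALGORITHMS:
            raise ValueError(f"unknown combining algorithm: {self.combining}")
        results = [c.evaluate(subj, resource, action) for c in self.children]
        if self.combining == "first-applicable":
            return next((r for r in results if r != NA), NA)
        winner, loser = ((DENY, PERMIT) if self.combining == "deny-overrides"
                         else (PERMIT, DENY))
        if winner in results:
            return winner
        return loser if loser in results else NA

def build(root_algorithm: str) -> PolicySet:
    """Constructed sample policies; resource and attribute names are made up."""
    of_age = Policy(PERMIT, lambda s: s.get("age", 0) >= 21, "bar-tab", "purchase")
    any_authn = Policy(PERMIT, lambda s: True, "profile", "read",
                       condition=lambda s: s.get("authenticated", False))
    suspended = Policy(DENY, lambda s: s.get("suspended", False), "bar-tab", "purchase")
    grants = PolicySet("permit-overrides", [of_age, any_authn])
    return PolicySet(root_algorithm, [grants, suspended])

if __name__ == "__main__":
    alice = {"age": 30, "authenticated": True, "suspended": True}
    for alg in ALGORITHMS:
        print(alg, "->", build(alg).evaluate(alice, "bar-tab", "purchase"))
```

The same two conflicting policies yield Deny or Permit depending only on the root set's combining rule, so that rule is part of what an app would need to discover about a given CP's policy.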