asap://www.XACML.jury-rigged

Client PEP

PDP

PolicySet

Rule 1Rule 2 etc

Rule 1Rule 2 etc

Rule 1Rule 2 etc

Policy 1

Policy 2

Policy 3

TargetCondition

Rule

SubjectResource

Action

Target

<Subject> <Attribute AttributeId=“” DataType =“” <AttributeValue> … </AttributeValue> </Attribute> + </Subject>

+ Subject can have one or more ‘Attribute’

<Resource> <Attribute AttributeId=“” DataType =“” <AttributeValue> … </AttributeValue> </Attribute> 1 </Resource>

1 Resource can have only 1 ‘Attribute’

<Action> <Attribute AttributeId=“” DataType =“” <AttributeValue> … </AttributeValue> </Attribute> + </Action>

+ Action can have one or more ‘Attributes’

Confused about Target?

• Either inside Policy/PolicySet

or Rule

• When inside Policy/PolicySet, Target provides more of meta-data.

• When inside a Rule, Target provides info required to process the rule.

There are 3 or more XML files in the works each time a request goes to PEP

Client(Requestor) PEP PDP

Policy DB

1. Authorization Request in day to day format

2. Authorization Request translated into XML format (1st XML file)

4. Permit/Deny XML file

(2nd XML file)

3. Compare policy from step 2 with the ones in DB. (the third or more xml files)

An example of these 3 XML filesRequest XML File

Taken from http://sunxacml.sourceforge.net/guide.html#xacml-target

Request

XML

File

An example of these 3 XML filesPolicy XML File

This Target provides meta-data

An example of these 3 XML filesPolicy XML File

This Target provides rule processing info

An example of these 3 XML filesResponse/Decision XML File

Resources and References

• Sun’s XACML Implementation

http://sunxacml.sourceforge.net/