asap://www.XACML.jury-rigged
[Diagram: Client → PEP → PDP. A PolicySet contains Policy 1, Policy 2, Policy 3, and each Policy contains Rule 1, Rule 2, etc. A Rule consists of a Target and a Condition; a Target is made up of Subject, Resource and Action.]
<Subject> <Attribute AttributeId="" DataType=""> <AttributeValue> … </AttributeValue> </Attribute>+ </Subject>
+ : a Subject can have one or more 'Attribute' elements
<Resource> <Attribute AttributeId="" DataType=""> <AttributeValue> … </AttributeValue> </Attribute>1 </Resource>
1 : a Resource can have only one 'Attribute' element
<Action> <Attribute AttributeId="" DataType=""> <AttributeValue> … </AttributeValue> </Attribute>+ </Action>
+ : an Action can have one or more 'Attribute' elements
Confused about Target?
• A Target sits either inside a Policy/PolicySet or inside a Rule.
• Inside a Policy/PolicySet, the Target acts more as meta-data.
• Inside a Rule, the Target provides the info required to process that rule.
Three or more XML files are involved each time a request goes to the PEP.
[Sequence diagram: Client (Requestor) → PEP → PDP → Policy DB]
1. Authorization request in day-to-day format.
2. Authorization request translated into XML format (1st XML file).
3. Compare the XML from step 2 with the policies in the DB (the third or more XML files).
4. Permit/Deny XML file (2nd XML file).
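A minimal PDP in Python, added here as an illustration (not from the slides and not Sun's XACML implementation), that carries the four steps above through code: a constructed request XML (1st file) is evaluated against a constructed policy XML (from the policy DB) to produce the Permit/Deny decision (2nd file). It uses the simplified Subject/Resource/Action attribute notation shown above, with XACML element names but no namespaces, MatchId functions or Conditions, and shows the Policy-level Target acting as meta-data while the Rule-level Targets carry the rule-processing info.

```python
import xml.etree.ElementTree as ET
# Constructed "1st XML file": the PEP's translation of "alice, an analyst, wants to read
# /reports/q1". Simplified notation: no XACML namespaces, MatchId functions or Conditions.
REQUEST_XML = """<Request>
  <Subject><Attribute AttributeId="subject-id" DataType="string"><AttributeValue>alice</AttributeValue></Attribute>
    <Attribute AttributeId="role" DataType="string"><AttributeValue>analyst</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="resource-id" DataType="string"><AttributeValue>/reports/q1</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="action-id" DataType="string"><AttributeValue>read</AttributeValue></Attribute></Action>
</Request>"""
# Constructed policy (the "third XML file", from the policy DB). The Policy-level Target is
# meta-data (which resource it covers); each Rule-level Target holds what that rule needs.
POLICY_XML = """<Policy PolicyId="reports" RuleCombiningAlgId="first-applicable">
  <Target><Resource><Attribute AttributeId="resource-id" DataType="string"><AttributeValue>/reports/q1</AttributeValue></Attribute></Resource></Target>
  <Rule RuleId="analysts-read" Effect="Permit">
    <Target>
      <Subject><Attribute AttributeId="role" DataType="string"><AttributeValue>analyst</AttributeValue></Attribute></Subject>
      <Action><Attribute AttributeId="action-id" DataType="string"><AttributeValue>read</AttributeValue></Attribute></Action>
    </Target>
  </Rule>
  <Rule RuleId="deny-rest" Effect="Deny"/>
</Policy>"""

def attributes(section):
    # {AttributeId: set of values} for one <Subject>/<Resource>/<Action>; {} if the element is absent.
    out = {}
    for attr in ([] if section is None else section.findall("Attribute")):
        values = {v.text for v in attr.findall("AttributeValue")}
        out.setdefault(attr.get("AttributeId"), set()).update(values)
    return out

def target_matches(target, request):
    # Each attribute named in the Target needs a matching request value; a missing Target matches everything (the catch-all Deny rule).
    if target is None:
        return True
    for part in ("Subject", "Resource", "Action"):
        have = attributes(request.find(part))
        for attr_id, wanted in attributes(target.find(part)).items():
            if not wanted & have.get(attr_id, set()):
                return False
    return True

def decide(policy_xml, request_xml):
    # Minimal PDP (step 3): Policy Target first, then Rules in order (first-applicable); NotApplicable if nothing matched.
    policy, request = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    if not target_matches(policy.find("Target"), request):
        return "NotApplicable"
    for rule in policy.findall("Rule"):
        if target_matches(rule.find("Target"), request):
            return rule.get("Effect")
    return "NotApplicable"
```

`decide(POLICY_XML, REQUEST_XML)` returns Permit; changing the action to write falls through to the catch-all Deny rule, and a resource the Policy Target does not cover yields NotApplicable, which a PEP must treat as a denial rather than a Permit.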
An example of these 3 XML files: Request XML File
(Taken from http://sunxacml.sourceforge.net/guide.html#xacml-target)
An example of these 3 XML files: Policy XML File (this Target provides meta-data)
An example of these 3 XML files: Policy XML File (this Target provides rule processing info)
An example of these 3 XML files: Response/Decision XML File
Resources and References
• Sun’s XACML Implementation
http://sunxacml.sourceforge.net/