
Friday, April 6, 2007

XACML Obligations

I have been mulling over the concept of Obligations in the XACML specification. Basically, the PDP can send authorization results back to the PEP together with a list of obligations that the PEP has to fulfill as part of the authorization request. If the PEP is unable to fulfill an obligation, then it should throw an error.

I thought that when a legitimate authorization request comes to a PEP, the PEP asks the PDP and gets a "PERMIT" with some obligations, and if the PEP is unable to perform any obligation, it flags an error and denies the access. I was WRONG. Anne Anderson from Sun corrected me on this. She basically told me that there is a semantic relationship between the PEP and PAP, who decide on the semantics of obligations. So the PEP does a best effort at an obligation. If it is not able to perform an obligation, it does not mean the access is denied.

UPDATE 1:
Let us think about situations where a PEP may refuse to perform any of the obligations. Let us take the example of logging. Security and performance do not always go together well. In a high-performance system, fine-grained authorization checks may be overkill. The administrators may have turned off logging at the PEP level. In this case, the PEP cannot meet an obligation that asks for logging.
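As an added illustration (not code from this post or from any XACML implementation), here is a minimal Python PEP that applies the strict v2.0 rule quoted later in the comments, denying unless it understands and can discharge every obligation attached to the Permit, and that reproduces the UPDATE 1 case where audit logging has been turned off at the PEP. The PDP response, the obligation identifiers and the handlers are constructed for the example.

```python
import xml.etree.ElementTree as ET
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"

# Constructed PDP response: Permit plus two obligations (ids are hypothetical).
SAMPLE_RESPONSE = f"""<Response xmlns="{CTX}" xmlns:xacml="{POL}">
  <Result ResourceId="file:///report.pdf">
    <Decision>Permit</Decision>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="urn:example:obligation:log-access" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="urn:example:log:level"
            DataType="http://www.w3.org/2001/XMLSchema#string">audit</xacml:AttributeAssignment>
      </xacml:Obligation>
      <xacml:Obligation ObligationId="urn:example:obligation:watermark" FulfillOn="Permit"/>
    </xacml:Obligations>
  </Result>
</Response>"""

def parse_result(xml_text):
    """Return (decision, [(obligation_id, fulfill_on, {attribute_id: value}), ...])."""
    result = ET.fromstring(xml_text).find(f"{{{CTX}}}Result")
    decision = result.findtext(f"{{{CTX}}}Decision")
    obligations = []
    for ob in result.iter(f"{{{POL}}}Obligation"):
        attrs = {a.get("AttributeId"): (a.text or "").strip()
                 for a in ob.findall(f"{{{POL}}}AttributeAssignment")}
        obligations.append((ob.get("ObligationId"), ob.get("FulfillOn"), attrs))
    return decision, obligations

def enforce(xml_text, handlers):
    """Strict 2.0 PEP: permit only if every Permit obligation is understood and discharged."""
    decision, obligations = parse_result(xml_text)
    if decision != "Permit":
        return False, f"PDP decision {decision}"
    for ob_id, fulfill_on, attrs in obligations:
        if fulfill_on != "Permit":
            continue  # attached to the other decision, not the one we got
        handler = handlers.get(ob_id)
        if handler is None:
            return False, f"unknown obligation {ob_id}"
        if not handler(attrs):
            return False, f"could not discharge {ob_id}"
    return True, "Permit"

def make_handlers(logging_enabled):
    # Obligations this PEP agreed out-of-band to support; UPDATE 1 case = logging off.
    return {"urn:example:obligation:log-access":
                lambda attrs: logging_enabled and attrs.get("urn:example:log:level") == "audit",
            "urn:example:obligation:watermark": lambda attrs: True}
```

With logging enabled the PEP grants access; with logging switched off, or with an obligation it has no handler for, the same PDP Permit becomes a deny.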

10 comments:

James McGovern said...

Best efforts scale better...

Anil Saldanha said...

Hey James (or Jim?), my issue was whether obligations were really going to affect the authorization decisions. A legitimate access request should not be denied based on the inability of the PEP to meet 1 or more obligations. Glad I got that cleared from Anne.

There is no real mention of any semantic relationship between the PEP and PAP in the XACML specifications. Only when you ponder over the possibilities (maybe after intense thought), will you figure it out.

Anil Saldanha said...

U still at Hartford?

Unknown said...

can XACML be used in Social Networking Sites for access control purposes between the users?

Unknown said...

Can XACML be used for expressing access control between users in social networking sites?

Anil Saldanha said...

I am sure you can use XACML for access control in social n/w

Francisco de Gouveia said...

That's interesting, but what about this sentence, written in the specification: "PEPs that conform with v2.0 of XACML are required to deny access unless they understand and can discharge all of the elements associated with the applicable policy." - access_control-xacml-2.0-core-spec-os, page 16 - 2.12 Actions performed in conjunction with enforcement

Francisco de Gouveia said...

Sorry, there is an Obligations tag missing in the sentence. Probably Blogger took it away as it's not an allowed HTML tag.

Correction: "PEPs that conform with v2.0 of XACML are required to deny access unless they understand and can discharge all of the Obligations elements associated with the applicable policy."

Anil Saldanha said...

You are correct.

The term "Obligation" was chosen to convey that it MUST be performed as part of the access check. From the spec perspective, there is a requirement that the PEP honor all obligations.

Practically, the PEP/PDP decide on the set of obligations as part of access decisions. It is not like somebody hosts a PEP and talks to a PDP. There is some out-of-band agreement between the parties about the obligation set. Policies can be crafted based on individual PEP. It is completely utopian IMO to have a loosely coupled PEP/PDP relationship.

It is my opinion that just because a PEP is unable to perform a low priority obligation, that it has to deny the access. What constitutes low priority is probably at the hands of the PEP side of the house.

Obligations are definitely a gray area.

Some work:
http://wiki.oasis-open.org/xacml/ProposalForObligations

http://wiki.oasis-open.org/xacml/DiscussionOnObligations

Francisco de Gouveia said...

Thank you very much for your time and clarification.

I understand and I agree with you about the PEP/PDP relationship; they should be in line, otherwise it would make no sense.

Best regards