Wednesday, June 13, 2007

Oasis XACML Interoperability at Burton getting close

There are probably 2 weeks left until the Oasis Interoperability Event at the Burton Catalyst Conference. I have already met Tony and Hal. I am hoping to meet Bill, Anne, Seth, Rich, Prateek, Anil (Securent), Dennis and others on the XACML TC.

Here is a summary I pulled for the interop exercise.
Abbreviations: PEP stands for Policy Enforcement Point and PDP stands for Policy Decision Point.

Here is a description of the interop: two use cases, each with potentially multiple scenarios.

Use Case: Authorization Decision
========================

The Authorization Decision Interop will demonstrate that XACML 2.0 authorization decision requests generated by the PEP of Vendor A (PEP-A) are properly evaluated by the PDP of Vendor B (PDP-B), where Vendor A and Vendor B may be any of the vendors participating in the Interop.

Scenario 1: Authorization Decision: Customer Access
A customer provides a user name and password from a web browser. After authentication, the PEP packages the customer username, customerId and an operation of "ViewAccount" in the context of the CustomerAccount web application into an XACML request and passes it to a PDP for evaluation. The PDP can come from a different vendor at the event.

Scenario 2: Authorization Decision: Customer Transaction
A customer tries to purchase 500 shares of XYZ stock. The PEP gathers information on the transaction (namely, the operation "Buy" and the number of shares "500"), creates an XACML request with other contextual information and passes it to a PDP for evaluation. The PDP can come from a different vendor at the event.

Scenario 3: Authorization Decision: Account Manager Access
An account manager needs to approve a request. The PEP gathers information about the account manager and passes it to a PDP to evaluate the account manager's access.

Scenario 4: Authorization Decision: Account Manager Approval
The account manager needs to approve the stock purchase. The PEP gathers information about the account manager's approval and then asks the PDP to evaluate whether the approval should go through.
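
To make Scenario 2 concrete, here is an added sketch (not code from the interop or from any participating vendor) of a PEP serializing the "Buy 500 shares" request as an XACML 2.0 request context and a PDP from another vendor reading it back with typed values. The subject, resource and action identifiers are the standard XACML ones; the `num-shares` attribute id, the user name and the use of "CustomerAccount" as the resource id are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS = "http://www.w3.org/2001/XMLSchema#"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
NUM_SHARES = "urn:example:interop:action:num-shares"  # hypothetical id, not from the interop spec

def _attr(parent, attr_id, xs_type, value):
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute",
                      AttributeId=attr_id, DataType=XS + xs_type)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = str(value)

def build_request(username, resource, operation, shares):
    """PEP side: package the transaction as an XACML 2.0 <Request>."""
    ET.register_namespace("", CTX)
    req = ET.Element(f"{{{CTX}}}Request")
    _attr(ET.SubElement(req, f"{{{CTX}}}Subject"), SUBJECT_ID, "string", username)
    _attr(ET.SubElement(req, f"{{{CTX}}}Resource"), RESOURCE_ID, "string", resource)
    action = ET.SubElement(req, f"{{{CTX}}}Action")
    _attr(action, ACTION_ID, "string", operation)
    _attr(action, NUM_SHARES, "integer", shares)
    ET.SubElement(req, f"{{{CTX}}}Environment")
    return ET.tostring(req, encoding="unicode")

def read_request(xml_text):
    """PDP side: return {(category, AttributeId): typed value}.

    Fails closed on a wrong namespace or an unexpected DataType. A production
    PDP would also parse with a hardened XML parser; this demo input is local.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CTX}}}Request":
        raise ValueError("not an XACML 2.0 request context")
    out = {}
    for cat in root:
        category = cat.tag.split("}")[1]
        for a in cat.findall(f"{{{CTX}}}Attribute"):
            text = a.find(f"{{{CTX}}}AttributeValue").text
            dtype = a.get("DataType")
            if dtype == XS + "integer":
                value = int(text)
            elif dtype == XS + "string":
                value = text
            else:
                raise ValueError(f"unsupported DataType {dtype}")
            out[(category, a.get("AttributeId"))] = value
    return out
```

The PDP receives the share count as an integer rather than a string, which is the kind of detail two vendors have to agree on for a policy comparing it against a limit to evaluate the same way on both sides.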

Use Case: Policy Exchange
===================
XACML Policies generated by one vendor are accessible and usable by the PDP of other vendors.
