XACML
Architecture: Client -> PEP (Policy Enforcement Point) -> PDP (Policy Decision Point)
Policy structure: a PolicySet contains Policies (Policy 1, Policy 2, Policy 3); each Policy contains Rules (Rule 1, Rule 2, etc.)
A Rule consists of a Target and a Condition.
A Target consists of Subject, Resource and Action.
Subject (can have one or more Attribute elements):
<Subject> <Attribute AttributeId="" DataType=""> <AttributeValue> ... </AttributeValue> </Attribute>+ </Subject>
Resource (can have only one Attribute element):
<Resource> <Attribute AttributeId="" DataType=""> <AttributeValue> ... </AttributeValue> </Attribute> </Resource>
Action (can have one or more Attribute elements):
<Action> <Attribute AttributeId="" DataType=""> <AttributeValue> ... </AttributeValue> </Attribute>+ </Action>
Confused about Target?
• A Target sits either inside a Policy/PolicySet or inside a Rule.
• Inside a Policy/PolicySet, the Target mostly provides metadata: it says which requests the policy applies to.
• Inside a Rule, the Target provides the information required to process that rule.
There are 3 or more XML files in play each time a request goes to the PEP:
1. The Client (Requestor) sends an authorization request to the PEP in day-to-day format.
2. The PEP translates the authorization request into XML format (1st XML file) and passes it to the PDP.
3. The PDP compares the XML from step 2 with the policies in the Policy DB (the third or further XML files).
4. The PDP returns a Permit/Deny XML file (2nd XML file), which the PEP enforces for the Client.
An example of these 3 XML files: Request XML file (taken from http://sunxacml.sourceforge.net/guide.html#xacml-target).
An example of these 3 XML files: Policy XML file, in which this Target provides metadata.
An example of these 3 XML files: Policy XML file, in which this Target provides rule-processing info.
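The request/policy evaluation described in the steps above and the two roles of Target (policy-level metadata versus rule-level processing info), shown as a toy PDP in Python. This is an added example, not code from the deck or from Sun's XACML implementation; the request and policy documents, the AttributeIds (role, resource-id, action-id) and the values in them are constructed, and Conditions are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed request (1st XML file): Subject, Resource and Action attributes.
REQUEST_XML = """<Request>
 <Subject><Attribute AttributeId="role" DataType="string"><AttributeValue>doctor</AttributeValue></Attribute></Subject>
 <Resource><Attribute AttributeId="resource-id" DataType="string"><AttributeValue>patient-record</AttributeValue></Attribute></Resource>
 <Action><Attribute AttributeId="action-id" DataType="string"><AttributeValue>read</AttributeValue></Attribute></Action>
</Request>"""

# Constructed policy (one of the DB XML files). The Policy-level Target is metadata
# (which resource this policy covers); each Rule-level Target holds what the rule needs.
POLICY_XML = """<Policy PolicyId="records" RuleCombiningAlgId="first-applicable">
 <Target><Resource><Attribute AttributeId="resource-id" DataType="string"><AttributeValue>patient-record</AttributeValue></Attribute></Resource></Target>
 <Rule RuleId="doctor-read" Effect="Permit"><Target>
  <Subject><Attribute AttributeId="role" DataType="string"><AttributeValue>doctor</AttributeValue></Attribute></Subject>
  <Action><Attribute AttributeId="action-id" DataType="string"><AttributeValue>read</AttributeValue></Attribute></Action>
 </Target></Rule>
 <Rule RuleId="default-deny" Effect="Deny"><Target/></Rule>
</Policy>"""

def attributes(elem):
    """Map (Subject|Resource|Action, AttributeId) -> set of AttributeValue texts under elem."""
    out = {}
    for cat in ("Subject", "Resource", "Action"):
        for attr in elem.findall(f"{cat}/Attribute"):
            key = (cat, attr.get("AttributeId"))
            out.setdefault(key, set()).update(v.text for v in attr.findall("AttributeValue"))
    return out

def target_matches(target, request_attrs):
    """Every attribute the Target names must share a value with the request.
    A missing or empty Target matches any request."""
    if target is None:
        return True
    return all(wanted & request_attrs.get(key, set()) for key, wanted in attributes(target).items())

def evaluate(policy_xml, request_xml):
    """Toy PDP: gate on the Policy Target, then apply rules first-applicable (Conditions ignored).
    Returns the decision that would go into the 2nd (response) XML file."""
    policy = ET.fromstring(policy_xml)
    req = attributes(ET.fromstring(request_xml))
    if not target_matches(policy.find("Target"), req):
        return "NotApplicable"
    for rule in policy.findall("Rule"):
        if target_matches(rule.find("Target"), req):
            return rule.get("Effect")
    return "NotApplicable"

if __name__ == "__main__":
    print(evaluate(POLICY_XML, REQUEST_XML))
```

A request for a resource the policy Target does not name yields NotApplicable before any rule is consulted; a request that passes the policy Target but matches no specific rule falls through to the catch-all Deny rule.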
Resources and References
• Sun's XACML Implementation: http://sunxacml.sourceforge.net/