Reduction of deny

This page presents alternatives for how to reduce deny decisions. For now they are just quick ideas without much thought given to them, so they might not make sense.

1. Identical to reduction of permit

According to this alternative, whenever a deny value is associated with an untrusted issuer, it is reduced with the same administrative request as a permit value. This means that the administrative authority to create a "permit policy" always goes together with the authority to create a "deny policy".

2. Make the decision part of the situation

The decision becomes part of the situation. The administrative requests to reduce a permit could look something like this:

<Request>
  <Subject
    SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute
      AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Alice</AttributeValue>
    </Attribute>
    <Attribute
      AttributeId="group"
      DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>employee</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute
      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>printer</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute
      AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>print</AttributeValue>
    </Attribute>
  </Action>
  <Delegate>
    <Attribute
      AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Mallory</AttributeValue>
    </Attribute>
  </Delegate>
  <Decision Decision="Permit"/>
</Request>

For a deny, replace the "Permit" at the end with "Deny".

An administrative policy which allows permit could look like this:

<Policy PolicyId="Policy 1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue
            DataType="http://www.w3.org/2001/XMLSchema#string">employee</AttributeValue>
          <SubjectAttributeDesignator
            AttributeId="group"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch
          MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue
            DataType="http://www.w3.org/2001/XMLSchema#string">printer</AttributeValue>
          <ResourceAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch
          MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue
            DataType="http://www.w3.org/2001/XMLSchema#string">print</AttributeValue>
          <ActionAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
    <Delegates>
      <Delegate>
        <DelegateMatch
          MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue
            DataType="http://www.w3.org/2001/XMLSchema#string">Carol</AttributeValue>
          <DelegateAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </DelegateMatch>
      </Delegate>
    </Delegates>
    <Decision Decision="Permit"/>
  </Target>
  <Rule RuleId="Rule1" Effect="Permit">
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>
  </Rule>
</Policy>

For an administrative policy which allows deny, just replace the "Permit" with a "Deny" in the Decision element. Notice that the Effect of the rule should still be a "Permit" in this case, since we "permit a deny". We could also define that if there is no Decision element, then that target/policy allows reduction of both kinds of decisions.
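To see how the Decision element in the target separates the two authorities, here is an added Python evaluator; it is not part of this page or of any XACML implementation. It builds the alternative-2 administrative request from the access request above (copy, append the issuer as Delegate, append the Decision being reduced) and matches it against the administrative policy target. Only the string-equal matching the samples use is implemented, the Python helper names are the example's own, and the sample XML is a condensed copy of the page's. The page's sample request names Mallory as Delegate while the policy names Carol, so Carol is used to show a match and Mallory a non-match.

```python
# Added example (not from the wiki page): toy evaluator for alternative 2, where the
# decision being reduced is part of the administrative situation. Helper names are ours.
import copy
import xml.etree.ElementTree as ET

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
DT = f'DataType="{XS_STRING}"'

# request category -> (target section, target item, match element, designator element)
CATEGORIES = {c: (c + "s", c, c + "Match", c + "AttributeDesignator")
              for c in ("Subject", "Resource", "Action", "Delegate")}

# Constructed sample: the page's access request before a Delegate/Decision is appended.
ACCESS_REQUEST = f"""<Request>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="{SUBJECT_ID}" {DT}><AttributeValue>Alice</AttributeValue></Attribute>
    <Attribute AttributeId="group" {DT}><AttributeValue>employee</AttributeValue></Attribute>
  </Subject>
  <Resource><Attribute AttributeId="{RESOURCE_ID}" {DT}><AttributeValue>printer</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="{ACTION_ID}" {DT}><AttributeValue>print</AttributeValue></Attribute></Action>
</Request>"""

def make_policy(decision_element):
    """Constructed sample: the page's administrative policy (issuer Carol); the caller
    supplies the target's Decision element, or '' to leave it out."""
    return f"""<Policy PolicyId="Policy1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}"><AttributeValue {DT}>employee</AttributeValue>
      <SubjectAttributeDesignator AttributeId="group" {DT}/></SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}"><AttributeValue {DT}>printer</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" {DT}/></ResourceMatch></Resource></Resources>
    <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}"><AttributeValue {DT}>print</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" {DT}/></ActionMatch></Action></Actions>
    <Delegates><Delegate><DelegateMatch MatchId="{STRING_EQUAL}"><AttributeValue {DT}>Carol</AttributeValue>
      <DelegateAttributeDesignator AttributeId="{SUBJECT_ID}" {DT}/></DelegateMatch></Delegate></Delegates>
    {decision_element}
  </Target>
  <Rule RuleId="Rule1" Effect="Permit">
    <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
  </Rule>
</Policy>"""

PERMIT_ONLY = make_policy('<Decision Decision="Permit"/>')  # may reduce permits only
DENY_ONLY = make_policy('<Decision Decision="Deny"/>')      # "permit a deny": Effect stays Permit
ANY_DECISION = make_policy("")                              # no Decision element: reduces both

def request_attributes(request):
    """Per request category, a bag {AttributeId: {values}} for designator lookups."""
    attrs = {cat: {} for cat in CATEGORIES}
    for cat, bag in attrs.items():
        for attr in request.findall(f"{cat}/Attribute"):
            bag.setdefault(attr.get("AttributeId"), set()).update(v.text for v in attr.findall("AttributeValue"))
    return attrs

def _match(match, designator_tag, bag):
    """One <XMatch>: string-equal between the literal and the designated request attribute."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError(f"unsupported MatchId {match.get('MatchId')}")
    attr_id = match.find(designator_tag).get("AttributeId")
    return match.find("AttributeValue").text in bag.get(attr_id, set())

def target_matches(target, request):
    attrs = request_attributes(request)
    for cat, (section_tag, item_tag, match_tag, designator_tag) in CATEGORIES.items():
        section = target.find(section_tag)
        if section is None or section.find(f"Any{item_tag}") is not None:
            continue  # no constraint on this category
        # XACML target semantics: OR over items, AND over the matches inside one item
        if not any(all(_match(m, designator_tag, attrs[cat]) for m in item.findall(match_tag))
                   for item in section.findall(item_tag)):
            return False
    # Proposed Decision element: present -> must equal the request's; absent -> both decisions
    wanted, actual = target.find("Decision"), request.find("Decision")
    if wanted is not None and (actual is None or actual.get("Decision") != wanted.get("Decision")):
        return False
    return True

def evaluate(policy, request):
    """NotApplicable unless the policy target matches; else the Effect of the first applicable rule."""
    if not target_matches(policy.find("Target"), request):
        return "NotApplicable"
    for rule in policy.findall("Rule"):
        if rule.find("Target") is None or target_matches(rule.find("Target"), request):
            return rule.get("Effect")
    return "NotApplicable"

def administrative_request(access_request, issuer, decision):
    """Alternative 2: append the issuer as <Delegate> and the reduced decision as <Decision>."""
    req = copy.deepcopy(access_request)
    attr = ET.SubElement(ET.SubElement(req, "Delegate"), "Attribute", AttributeId=SUBJECT_ID, DataType=XS_STRING)
    ET.SubElement(attr, "AttributeValue").text = issuer
    ET.SubElement(req, "Decision", Decision=decision)
    return req

def reduce_decision(policy_xml, issuer, decision):
    """'Permit' means the administrative policy vouches for this issuer's decision."""
    request = administrative_request(ET.fromstring(ACCESS_REQUEST), issuer, decision)
    return evaluate(ET.fromstring(policy_xml), request)
```

Running `reduce_decision(PERMIT_ONLY, "Carol", "Deny")` gives NotApplicable while `reduce_decision(DENY_ONLY, "Carol", "Deny")` gives Permit, which is the separation of authorities this alternative is after. Note the asymmetry in the "no Decision element" reading: omitting the element is the most permissive interpretation, so an administrative policy whose author forgets it grants authority over denies by default.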

3. Decisions part of all levels of recursion

In this case we can also support negative administrative rights. An example administrative request:

<Request>
  <Subject
    SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute
      AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Alice</AttributeValue>
    </Attribute>
    <Attribute
      AttributeId="group"
      DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>employee</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute
      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>printer</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute
      AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>print</AttributeValue>
    </Attribute>
  </Action>
  <IndirectDelegate Decision="Deny">
    <Attribute
      AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Mallory</AttributeValue>
    </Attribute>
  </IndirectDelegate>
  <Delegate Decision="Permit">
    <Attribute
      AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Bob</AttributeValue>
    </Attribute>
  </Delegate>
</Request>

In the above request, Mallory has denied access to the printer for Alice. Mallory was not trusted for this negative policy, but got authority for it from Bob, so now we are asking whether Bob had the right to grant the right for Mallory to deny access for Alice.

Can anyone think of a use case motivating the complexity of this alternative? On the good side, it is the most general case. :-)

ReductionOfDeny (last edited 2009-08-12 18:06:41 by localhost)