My action items (incomplete)
All:
Here are some of my action items:
Provide the text discussion that HRAC is a subset of a reference monitor (RM) and thus should propagate exceptions to its clients, who are the other part of the RM:

The RAD AccessDecision object sometimes passes exceptions to callers indicating that it's encountered an internal error and is not able to make an access decision. This is different from the behavior of many operating systems, which have a default-deny or a default-grant policy when an internal failure occurs, but don't report the failure to their callers. This difference arises because RAD is an access decision service, not an access control service. In all cases, the application which calls RAD is responsible for enforcing the policy decision which RAD makes. Therefore, the RAD client application is the right place to make the policy enforcement decision about what should be done when RAD is not able to make a policy decision.
Explain in the spec why you need evaluator names for DC:

DecisionCombinator objects encapsulate policy combination functions. Functions consisting of a global combinator operator are easy to implement; an example of such a policy is:

AND ((Evaluator_1 = GRANT), (Evaluator_2 = GRANT), ...)

This policy can be expressed as an application of a global combinator ("AND" in this case) to the results returned by ALL the PolicyEvaluator objects passed to the DecisionCombinator. The thing which makes this kind of policy easy to implement is that it's not necessary to know anything about the result returned by any specific PolicyEvaluator object, and hence the PolicyEvaluator objects can all be treated the same and can be called in any order.

The disadvantages of this kind of policy are:
* They aren't very expressive (there are lots of kinds of real-world policies which can't be expressed using only a global combinator)
* They are inefficient. It's always necessary to call all the PolicyEvaluator objects passed to the DecisionCombinator object in order to make a decision.
An important goal of the DecisionCombinator design is to support complex policies which can be efficiently evaluated. A policy like the following can't be expressed using only a global combinator, but should be implementable as a DecisionCombinator object:

(Evaluator_1 result is GRANT) OR ((Evaluator_2 result is GRANT) AND (Evaluator_3 result is (GRANT OR DON'T CARE)))

Note that this policy can be short-circuit evaluated: if the DecisionCombinator calls Evaluator_1 and it returns GRANT as a decision result, then it doesn't need to call Evaluator_2 and Evaluator_3 at all. However, in order to support evaluation of this policy, the DecisionCombinator object needs to be able to match the PolicyEvaluator objects passed to it as input to the formal parameters in this expression. This is why the DecisionCombinator interface accepts as input a structure containing both a reference to a PolicyEvaluator object and the name of that PolicyEvaluator object; it uses the PolicyEvaluator name to figure out which evaluators to call in which order; it uses the PolicyEvaluator object's reference to call the object and request a decision result, and then it uses the PolicyEvaluator object's name again to plug the decision result into the policy combinator expression above.
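The two points above (exceptions propagate to the calling application rather than being turned into a silent grant or deny, and named evaluators allow short-circuit evaluation of a combination expression) can be shown together in a small model. The following is an added example, not code from the RAD specification or from this note; the result names, the tuple encoding of the policy expression, the `AccessDecisionError` type and the evaluators-as-callables representation are this example's own assumptions.

```python
# Added example: a DecisionCombinator model with named evaluators and
# short-circuit evaluation, beside a "global AND" combinator for comparison.
# Result names, expression encoding and AccessDecisionError are assumptions
# of this example, not part of the RAD spec.
from typing import Callable, Dict, List, Tuple

GRANT, DENY, DONT_CARE = "GRANT", "DENY", "DONT_CARE"

# An evaluator reference is modelled as a callable returning one result.
PolicyEvaluator = Callable[[], str]
# Expression nodes: ("is", name, allowed_results) | ("and", *nodes) | ("or", *nodes)
Expr = tuple


class AccessDecisionError(Exception):
    """The combinator cannot reach a decision (e.g. unknown evaluator name).
    Raised to the calling application, which decides what to enforce."""


class DecisionCombinator:
    """Combines PolicyEvaluator results according to a fixed expression.

    `evaluators` maps each evaluator's name to its reference, standing in for
    the (name, reference) structure the note describes: the name selects which
    evaluators to call and where their results plug into the expression."""

    def __init__(self, expr: Expr) -> None:
        self.expr = expr

    def combine(self, evaluators: Dict[str, PolicyEvaluator]) -> Tuple[bool, List[str]]:
        calls: List[str] = []          # evaluators actually invoked, in order
        results: Dict[str, str] = {}   # each evaluator is called at most once

        def result_of(name: str) -> str:
            if name not in results:
                if name not in evaluators:
                    raise AccessDecisionError(f"policy refers to unknown evaluator {name!r}")
                calls.append(name)
                # An exception raised by the evaluator propagates unchanged to the
                # caller; it is not silently mapped to GRANT or DENY here.
                results[name] = evaluators[name]()
            return results[name]

        def evaluate(node: Expr) -> bool:
            op = node[0]
            if op == "is":
                return result_of(node[1]) in node[2]
            if op == "and":
                return all(evaluate(child) for child in node[1:])  # stops at first False
            if op == "or":
                return any(evaluate(child) for child in node[1:])  # stops at first True
            raise AccessDecisionError(f"unknown operator {op!r}")

        return evaluate(self.expr), calls


def global_and(evaluators: Dict[str, PolicyEvaluator]) -> Tuple[bool, List[str]]:
    """Global-combinator form: every evaluator is always called, order irrelevant."""
    calls = list(evaluators)
    results = [evaluators[name]() for name in calls]   # all calls happen first
    return all(r == GRANT for r in results), calls


# The policy from the note:
# (Evaluator_1 is GRANT) OR ((Evaluator_2 is GRANT) AND (Evaluator_3 is GRANT or DON'T CARE))
POLICY = DecisionCombinator(
    ("or",
     ("is", "Evaluator_1", {GRANT}),
     ("and",
      ("is", "Evaluator_2", {GRANT}),
      ("is", "Evaluator_3", {GRANT, DONT_CARE}))))


def const(result: str) -> PolicyEvaluator:
    return lambda: result


def failing() -> str:
    raise RuntimeError("evaluator backend unavailable")   # constructed internal failure


def run_scenarios() -> Dict[str, object]:
    """Constructed scenarios: which evaluators get called, and what happens on failure."""
    out: Dict[str, object] = {}
    out["e1_grant"] = POLICY.combine(
        {"Evaluator_1": const(GRANT), "Evaluator_2": const(DENY), "Evaluator_3": const(DENY)})
    out["e1_deny_e2_e3_ok"] = POLICY.combine(
        {"Evaluator_1": const(DENY), "Evaluator_2": const(GRANT), "Evaluator_3": const(DONT_CARE)})
    out["e1_e2_deny"] = POLICY.combine(
        {"Evaluator_1": const(DENY), "Evaluator_2": const(DENY), "Evaluator_3": const(GRANT)})
    out["global_and"] = global_and(
        {"Evaluator_1": const(GRANT), "Evaluator_2": const(DENY), "Evaluator_3": const(DENY)})
    try:
        POLICY.combine({"Evaluator_1": failing, "Evaluator_2": const(GRANT), "Evaluator_3": const(GRANT)})
        out["failure"] = "swallowed"
    except RuntimeError as exc:
        out["failure"] = f"propagated: {exc}"
    try:
        POLICY.combine({"Evaluator_1": const(DENY), "Evaluator_2": const(GRANT)})
        out["unknown_name"] = "decided"
    except AccessDecisionError:
        out["unknown_name"] = "no decision"
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, "->", value)
```

In the first scenario only Evaluator_1 is called; the global AND form calls all three regardless of their results. The failing-evaluator scenario shows the behaviour the first action item argues for: the error reaches the client application, which owns the enforcement decision.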
Define semantics of the pattern
<in next version of this note>
Specify that we leave for implementors how a policy evaluator locator combines evaluators if the resource name matches more than one pattern:

If a name matches more than one pattern for which policy evaluators have been registered with the PolicyEvaluatorLocator object, the PolicyEvaluatorLocator will return the union (without duplicates) of the evaluators on the lists of all matched patterns in response to a get_policies request.
Specify how to solve the problem of finding out what combinator should be used in case a resource name matches more than one pattern:

If a resource name matches more than one pattern registered with a PolicyEvaluatorLocator object, and not all matched patterns specify the same DecisionCombinator object, then the PolicyEvaluatorLocator object's implementation will return one of the DecisionCombinator objects specified by the matched patterns; which of the eligible DecisionCombinator objects is returned is up to the implementor.
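The two locator rules above (union of evaluators without duplicates, and an implementor-chosen combinator when matched patterns disagree) in a small model. This is an added example, not code from the RAD specification or from this note; glob-style pattern matching via `fnmatch`, the `Policies` record, string names standing in for object references, and "first registered pattern wins" as the combinator tie-break are this example's own assumptions.

```python
# Added example: a PolicyEvaluatorLocator model. Glob patterns, the Policies
# record and the first-registered tie-break are assumptions of this example.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class Policies:
    """What get_policies returns for one resource name."""
    evaluators: List[str]                  # union of matched lists, duplicates removed
    combinator: Optional[str]              # the combinator chosen for this request
    eligible_combinators: List[str] = field(default_factory=list)  # every candidate seen


class PolicyEvaluatorLocator:
    def __init__(self) -> None:
        # (pattern, evaluator names, combinator name), kept in registration order
        self._patterns: List[Tuple[str, List[str], str]] = []

    def register(self, pattern: str, evaluators: List[str], combinator: str) -> None:
        self._patterns.append((pattern, list(evaluators), combinator))

    def get_policies(self, resource_name: str) -> Policies:
        evaluators: List[str] = []
        combinators: List[str] = []
        for pattern, evs, comb in self._patterns:
            if not fnmatchcase(resource_name, pattern):
                continue
            for ev in evs:
                if ev not in evaluators:        # union without duplicates, order kept
                    evaluators.append(ev)
            if comb not in combinators:
                combinators.append(comb)
        # Matched patterns may name different combinators; the note leaves the
        # choice to the implementor. This example returns the first registered one
        # and also reports all eligible candidates so a caller can see the ambiguity.
        chosen = combinators[0] if combinators else None
        return Policies(evaluators, chosen, combinators)


def build_example_locator() -> PolicyEvaluatorLocator:
    """Constructed registrations; names are placeholders, not real RAD objects."""
    loc = PolicyEvaluatorLocator()
    loc.register("/accounts/*", ["AuditEvaluator", "RoleEvaluator"], "AllMustGrant")
    loc.register("/accounts/*/balance", ["RoleEvaluator", "OwnerEvaluator"], "AnyMayGrant")
    loc.register("/public/*", ["AuditEvaluator"], "AllMustGrant")
    return loc


if __name__ == "__main__":
    loc = build_example_locator()
    for name in ("/accounts/42/balance", "/accounts/42", "/other"):
        print(name, "->", loc.get_policies(name))
```

A name such as `/accounts/42/balance` matches the first two patterns, so `RoleEvaluator` appears once in the result even though both lists contain it, and two different combinators are eligible.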
--bob
Bob Blakley
IBM Lead Security Architect
Voice: +1 (512) 838-8133
Fax: +1 (512) 838-0156
Post: 11400 Burnet Road, Mail Stop 9134, Austin, TX 78758 USA
Internet: blakley@us.ibm.com
----------------
Broadcast message to hrac-rfp from blakley@us.ibm.com.
Go to http://cadse.cs.fiu.edu/omg/hrac-rfp to browse the mail list archive.