<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Overview of Authorization Policy Languages — v2.1.0-beta</title>
<link rel="stylesheet" href="../_static/dataone.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '2.1.0-beta',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/mathjax_pre.js"></script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<script type="text/javascript" src="//cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-MML-AM_CHTML"></script>
<script type="text/javascript" src="../_static/sidebar.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="Authorization and Authentication in DataONE" href="AuthorizationAndAuthentication.html" />
<link rel="prev" title="Identity, Authentication, and Authorization Requirements" href="AuthnAndAuthzRequirements.html" />
<link media="only screen and (max-device-width: 480px)" href="../_static/small_dataone.css" type= "text/css" rel="stylesheet" />
</head>
<body role="document">
<div class="version_notice">
<p>
<span class='bold'>Warning:</span> These documents are under active
development and subject to change (version 2.1.0-beta).<br />
The latest release documents are at:
<a href="https://purl.dataone.org/architecture">https://purl.dataone.org/architecture</a>
</p>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="../py-modindex.html" title="Python Module Index"
>modules</a> |</li>
<li class="right" >
<a href="AuthorizationAndAuthentication.html" title="Authorization and Authentication in DataONE"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="AuthnAndAuthzRequirements.html" title="Identity, Authentication, and Authorization Requirements"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../index.html"></a> »</li>
<li class="nav-item nav-item-1"><a href="index.html" ><no title></a> »</li>
<li class="nav-item nav-item-2"><a href="Authorization.html" accesskey="U">Authorization in DataONE</a> »</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body">
<div class="section" id="overview-of-authorization-policy-languages">
<h1>Overview of Authorization Policy Languages<a class="headerlink" href="#overview-of-authorization-policy-languages" title="Permalink to this headline">¶</a></h1>
<table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Author:</th><td class="field-body">Matt Jones</td>
</tr>
<tr class="field-even field"><th class="field-name">Status:</th><td class="field-body">Incomplete Draft, Work in Progress being Edited</td>
</tr>
</tbody>
</table>
<p>This document provides an overview of authorization technologies that have been
considered as part of the design of the DataONE authorization and access
control system.</p>
<p>Several open technologies can be used to express the policies for describing
access control rules for resources and services in DataONE.</p>
<div class="section" id="eml-access">
<h2>eml-access<a class="headerlink" href="#eml-access" title="Permalink to this headline">¶</a></h2>
<p>Ecological Metadata Language (EML) is in common use in the ecological and
environmental monitoring community, and includes a simple module
(eml-access.xsd) for describing access control policies for data resources. It
allows both additive and subtractive rules, which allows one to either build up
a set of allowed permissions and then subtract a few (e.g., all of the members
of group ‘data-managers’ except ‘john), or to deny all of the members of a
group and then add a few. After years of experience using EML within the KNB
network, it has become clear that this ability to modify the ruleset using
different approaches for combining the rules is unnecessary to express the
typical rules needed in the stakeholder community. The complexity also makes
it more difficult for users to understand the implications of the access rules
that they write, and that even with use of a GUI, many users compose access
expressions that do not capture their intent. Here is a simple eml-access
block:</p>
<div class="highlight-xml"><div class="highlight"><pre><span></span><span class="cp"><?xml version="1.0" encoding="UTF-8"?></span>
<span class="nt"><eml:access</span>
<span class="na">xmlns:eml=</span><span class="s">"eml://ecoinformatics.org/access-2.1.0"</span>
<span class="na">xmlns:xs=</span><span class="s">"http://www.w3.org/2001/XMLSchema"</span><span class="nt">></span>
<span class="nt"><eml></span>
<span class="nt"><access</span>
<span class="na">authSystem=</span><span class="s">"ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org"</span>
<span class="na">order=</span><span class="s">"allowFirst"</span><span class="nt">></span>
<span class="nt"><allow></span>
<span class="nt"><principal></span>uid=alice,o=NCEAS,dc=ecoinformatics,dc=org<span class="nt"></principal></span>
<span class="nt"><permission></span>read<span class="nt"></permission></span>
<span class="nt"><permission></span>write<span class="nt"></permission></span>
<span class="nt"><allow></span>
<span class="nt"></access></span>
<span class="nt"><eml></span>
</pre></div>
</div>
<p>One of the shortcominings of eml-access is that it assumes that the linkage to
a particular resource is expressed elsewhere (typically the access element is
embedded in a broader EML document, thereby implicitly expressing which
resources it applies to), and so it contains no mechanism for referencing the
resource that is to be controlled. Experience with using eml-access in EML
documents indicates that this mechanism is cumbersome and causes inadvertant
creation of multiple versions of objects just to accomplish an access rule
policy change. This is part of the motivation to moving access policies to
SystemMetadata in DataONE (the other reason being that many metadata standards
do not include an access policy descriptor at all).</p>
</div>
<div class="section" id="xacml-3-0">
<h2>XACML 3.0<a class="headerlink" href="#xacml-3-0" title="Permalink to this headline">¶</a></h2>
<p>XACML 3 replaces version 2.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">Need to outline the approach to access control in version 3 and contrast it
with versions 2 and 1.</p>
</div>
</div>
<div class="section" id="xacml-2-0">
<h2>XACML 2.0<a class="headerlink" href="#xacml-2-0" title="Permalink to this headline">¶</a></h2>
<p>XACML 3 replaces version 1.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">Need to outline the approach to access control in version 2 and contrast it
with version 1.</p>
</div>
</div>
<div class="section" id="xacml-1-0">
<h2>XACML 1.0<a class="headerlink" href="#xacml-1-0" title="Permalink to this headline">¶</a></h2>
<p>The Extensible Access Control Markup Language (XACML) is an OASIS standard for
representing access control policies for resources and services. XACML
specifically includes support for federated systems in an open Internet
environment, is an open standard, and is being widely adopted by various
software systems. The advantages of XACML lie in its completeness and that it
is an industry standard. The disadvantages for DataONE lie in its complexity,
which makes it difficult to author, understand, and consume these documents
because of the large number of permutations which it could support. As an
example, below is the same access rule that is expressed in eml-access expressed
instead in XACML. Note that there are multiple qualified mechanisms and types
for matching values (e.g., string-equals), which is flexible but requires more
implementation complexity than is specified in the DataONE authorization use
cases. With XACML, one could express conditions that include complex functions
and comparisons of arbitrary subject attributes (beyond identity).</p>
<div class="highlight-xml"><div class="highlight"><pre><span></span><span class="cp"><?xml version="1.0" encoding="UTF-8"?></span>
<span class="nt"><Policy</span>
<span class="na">xmlns=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:policy"</span>
<span class="na">xmlns:xsi=</span><span class="s">"http://www.w3.org/2001/XMLSchema-instance"</span>
<span class="na">xsi:schemaLocation=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:policy</span>
<span class="s"> cs-xacml-schema-policy-01.xsd"</span>
<span class="na">PolicyId=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:conformance-test:IIA1:policy"</span>
<span class="na">RuleCombiningAlgId=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"</span><span class="nt">></span>
<span class="nt"><Description></span>
Example policy that grants read and write access to a data object.
<span class="nt"></Description></span>
<span class="nt"><Target></span>
<span class="nt"><Subjects></span>
<span class="nt"><AnySubject/></span>
<span class="nt"></Subjects></span>
<span class="nt"><Resources></span>
<span class="nt"><AnyResource/></span>
<span class="nt"></Resources></span>
<span class="nt"><Actions></span>
<span class="nt"><AnyAction/></span>
<span class="nt"></Actions></span>
<span class="nt"></Target></span>
<span class="nt"><Rule</span>
<span class="na">RuleId=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:conformance-test:IIA1:rule"</span>
<span class="na">Effect=</span><span class="s">"Permit"</span><span class="nt">></span>
<span class="nt"><Description></span>
Alice can read and write data object with id doi:10.5432/example.1
<span class="nt"></Description></span>
<span class="nt"><Target></span>
<span class="nt"><Subjects></span>
<span class="nt"><Subject></span>
<span class="nt"><SubjectMatch</span>
<span class="na">MatchId=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:function:string-equal"</span><span class="nt">></span>
<span class="nt"><AttributeValue</span>
<span class="na">DataType=</span><span class="s">"http://www.w3.org/2001/XMLSchema#string"</span><span class="nt">></span>uid=alice,o=NCEAS,dc=ecoinformatics,dc=org<span class="nt"></AttributeValue></span>
<span class="nt"><SubjectAttributeDesignator</span>
<span class="na">AttributeId=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:subject:subject-id"</span>
<span class="na">DataType=</span><span class="s">"http://www.w3.org/2001/XMLSchema#string"</span><span class="nt">/></span>
<span class="nt"></SubjectMatch></span>
<span class="nt"></Subject></span>
<span class="nt"></Subjects></span>
<span class="nt"><Resources></span>
<span class="nt"><Resource></span>
<span class="nt"><ResourceMatch</span>
<span class="na">MatchId=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:function:string-equal"</span><span class="nt">></span>
<span class="nt"><AttributeValue</span>
<span class="na">DataType=</span><span class="s">"http://www.w3.org/2001/XMLSchema#string"</span><span class="nt">></span>doi:10.0000/example_data_identifier<span class="nt"></AttributeValue></span>
<span class="nt"><ResourceAttributeDesignator</span>
<span class="na">AttributeId=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:resource:resource-id"</span>
<span class="na">DataType=</span><span class="s">"http://www.w3.org/2001/XMLSchema#string"</span><span class="nt">/></span>
<span class="nt"></ResourceMatch></span>
<span class="nt"></Resource></span>
<span class="nt"></Resources></span>
<span class="nt"><Actions></span>
<span class="nt"><Action></span>
<span class="nt"><ActionMatch</span>
<span class="na">MatchId=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:function:string-equal"</span><span class="nt">></span>
<span class="nt"><AttributeValue</span>
<span class="na">DataType=</span><span class="s">"http://www.w3.org/2001/XMLSchema#string"</span><span class="nt">></span>read<span class="nt"></AttributeValue></span>
<span class="nt"><ActionAttributeDesignator</span>
<span class="na">AttributeId=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:action:action-id"</span>
<span class="na">DataType=</span><span class="s">"http://www.w3.org/2001/XMLSchema#string"</span><span class="nt">/></span>
<span class="nt"></ActionMatch></span>
<span class="nt"></Action></span>
<span class="nt"><Action></span>
<span class="nt"><ActionMatch</span>
<span class="na">MatchId=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:function:string-equal"</span><span class="nt">></span>
<span class="nt"><AttributeValue</span>
<span class="na">DataType=</span><span class="s">"http://www.w3.org/2001/XMLSchema#string"</span><span class="nt">></span>write<span class="nt"></AttributeValue></span>
<span class="nt"><ActionAttributeDesignator</span>
<span class="na">AttributeId=</span><span class="s">"urn:oasis:names:tc:xacml:1.0:action:action-id"</span>
<span class="na">DataType=</span><span class="s">"http://www.w3.org/2001/XMLSchema#string"</span><span class="nt">/></span>
<span class="nt"></ActionMatch></span>
<span class="nt"></Action></span>
<span class="nt"></Actions></span>
<span class="nt"></Target></span>
<span class="nt"></Rule></span>
<span class="nt"></Policy></span>
</pre></div>
</div>
<p>The XACML ‘Permit’ Effect is equivalent to the eml-access ‘allow’ rule, the
XACML ‘Deny’ Effect is equivalent to the EML ‘deny’ element, the
XACML ‘Subject’ is equivalent to the EML ‘principal’ element, and the XACML
‘Action’ element is equivalent to the EML ‘permission’ element. The XACML
constructs have considerably more flexibility in what is expressed that is
accomplished via the indirection in the model, but this flexibility and
expressive power come at a significant cost in implementation time and software
complexity that would need to be borne by all Member Node implementations.</p>
</div>
<div class="section" id="simplified-policy-language-spl">
<h2>Simplified Policy Language (SPL)<a class="headerlink" href="#simplified-policy-language-spl" title="Permalink to this headline">¶</a></h2>
<p>A simplified syntax that acts as a front-end to XACML policies. See the
<a class="reference external" href="https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage">SimplifiedPolicyLanguage</a> web site for examples of use in the grid community.</p>
</div>
</div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="http://dataone.org">
<img class="logo" src="../_static/dataone_logo.png" alt="Logo"/>
</a></p>
<h3><a href="../index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Overview of Authorization Policy Languages</a><ul>
<li><a class="reference internal" href="#eml-access">eml-access</a></li>
<li><a class="reference internal" href="#xacml-3-0">XACML 3.0</a></li>
<li><a class="reference internal" href="#xacml-2-0">XACML 2.0</a></li>
<li><a class="reference internal" href="#xacml-1-0">XACML 1.0</a></li>
<li><a class="reference internal" href="#simplified-policy-language-spl">Simplified Policy Language (SPL)</a></li>
</ul>
</li>
</ul>
<h3>Related Topics</h3>
<ul>
<li><a href="../index.html">Documentation Overview</a><ul>
<li><a href="index.html"><no title></a><ul>
<li><a href="Authorization.html">Authorization in DataONE</a><ul>
<li>Previous: <a href="AuthnAndAuthzRequirements.html" title="previous chapter">Identity, Authentication, and Authorization Requirements</a></li>
<li>Next: <a href="AuthorizationAndAuthentication.html" title="next chapter">Authorization and Authentication in DataONE</a></li>
</ul></li>
</ul></li>
</ul></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3>Quick search</h3>
<form class="search" action="../search.html" method="get">
<div><input type="text" name="q" /></div>
<div><input type="submit" value="Go" /></div>
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="footer">
<div id="copyright">
© Copyright <a href="http://www.dataone.org">2009-2017, DataONE</a>.
[ <a href="../_sources/design/Authorization-technologies.txt"
rel="nofollow">Page Source</a> |
<a href='https://redmine.dataone.org/projects/d1/repository/changes/documents/Projects/cicore/architecture/api-documentation/source/design/Authorization-technologies.txt'
rel="nofollow">Revision History</a> ]
</div>
<div id="acknowledgement">
<p>This material is based upon work supported by the National Science Foundation
under Grant Numbers <a href="http://www.nsf.gov/awardsearch/showAward?AWD_ID=0830944">083094</a> and <a href="http://www.nsf.gov/awardsearch/showAward?AWD_ID=1430508">1430508</a>.</p>
<p>Any opinions, findings, and conclusions or recommendations expressed in this
material are those of the author(s) and do not necessarily reflect the views
of the National Science Foundation.</p>
</div>
</div>
<!--
<hr />
<div id="HCB_comment_box"><a href="http://www.htmlcommentbox.com">HTML Comment Box</a> is loading comments...</div>
<link rel="stylesheet" type="text/css" href="_static/skin.css" />
<script type="text/javascript" language="javascript" id="hcb">
/*<! -*/
(function()
{s=document.createElement("script");
s.setAttribute("type","text/javascript");
s.setAttribute("src", "http://www.htmlcommentbox.com/jread?page="+escape((typeof hcb_user !== "undefined" && hcb_user.PAGE)||(""+window.location)).replace("+","%2B")+"&mod=%241%24wq1rdBcg%24Gg8J5iYSHJWwAJtlYu/yU."+"&opts=21407&num=10");
if (typeof s!="undefined") document.getElementsByTagName("head")[0].appendChild(s);})();
/* ->*/
</script>
-->
</body>
</html>