[Diagram: Client -> PEP (Policy Enforcement Point) -> PDP (Policy Decision Point)]
[Diagram: a PolicySet contains Policy 1, Policy 2, Policy 3; each Policy contains Rule 1, Rule 2, etc.]
[Diagram: a Rule consists of a Target and a Condition]
[Diagram: a Target consists of Subject, Resource and Action]
Subject:  <Attribute AttributeId="" DataType="" ...>  (+)  A Subject can have one or more Attribute elements (e.g. subject-id plus group or role attributes).
Resource: <Attribute AttributeId="" DataType="" ...>  (1)  A Request carries exactly one Resource element in XACML 1.0; it is identified by its resource-id Attribute.
Action:   <Attribute AttributeId="" DataType="" ...>  (+)  An Action can have one or more Attribute elements (action-id at minimum).
Confused about Target? A Target appears either inside a Policy/PolicySet or inside a Rule. Inside a Policy/PolicySet, the Target is mostly meta-data: it states which requests (by subject, resource and action) the Policy applies to at all; if it does not match, the whole Policy is NotApplicable. Inside a Rule, the Target provides the information required to process that rule: only when the request matches the Rule's Target is the Rule's Effect (Permit or Deny) considered.
There are 3 or more XML files in the works each time a request goes to the PEP:
Client (Requestor) -> PEP -> PDP -> Policy DB
1. Authorization request in its day-to-day format (Client to PEP).
2. Authorization request translated by the PEP into XACML XML format (1st XML file).
3. The PDP compares the request from step 2 with the policies in the Policy DB (the 3rd and further XML files).
4. Permit/Deny decision returned as a Response XML file (2nd XML file).
An example of these 3 XML files:
- Request XML file (the Target attribute values below are taken from this Request XML file) [XML shown on slide; not reproduced]
- Policy XML file: the Policy-level Target provides meta-data [XML shown on slide; not reproduced]
- Policy XML file: the Rule-level Target provides rule-processing info [XML shown on slide; not reproduced]
- Response/Decision XML file [XML shown on slide; not reproduced]
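As an added worked example (not from the original slides and not Sun's XACML implementation), the Python below is a toy PDP covering the three XML files and the request flow above: it builds the Request XML (step 2), evaluates it against a constructed Policy XML whose Policy-level Target carries the meta-data and whose Rule-level Targets carry the rule-processing info (step 3), and emits the Response XML (step 4). The PolicyId, the "group" attribute, the users alice/bob and the developer-guide URL are constructed sample data; the element names, namespaces and function identifiers are those of XACML 1.0. It supports only a subset of XACML 1.0 (equality matches in Targets, Rules without Conditions, permit-overrides rule combining).

```python
"""Toy XACML 1.0 PDP (illustrative; not Sun's implementation). Subset supported: Target matching
with string-equal / anyURI-equal, Rules without Conditions, permit-overrides rule combining."""
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema#"
POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy"
CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"
DOC = "http://server.example.com/code/docs/developer-guide.html"   # constructed sample resource
EQUAL_FUNCS = {"urn:oasis:names:tc:xacml:1.0:function:string-equal",
               "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"}

def make_request(subject_id, group, resource_id, action_id):
    """1st XML file: one Subject (two Attributes), one Resource, one Action. Constructed sample data."""
    return f"""<Request xmlns="{CONTEXT_NS}">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="{XS}string">
      <AttributeValue>{subject_id}</AttributeValue></Attribute>
    <Attribute AttributeId="group" DataType="{XS}string"><AttributeValue>{group}</AttributeValue></Attribute>
  </Subject>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="{XS}anyURI">
    <AttributeValue>{resource_id}</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{XS}string">
    <AttributeValue>{action_id}</AttributeValue></Attribute></Action>
</Request>"""

# 3rd XML file (constructed): Policy-level Target = meta-data (which resource); Rule-level Target = who may do what.
POLICY_XML = f"""<Policy xmlns="{POLICY_NS}" PolicyId="ExamplePolicy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
      <AttributeValue DataType="{XS}anyURI">{DOC}</AttributeValue>
      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="{XS}anyURI"/>
    </ResourceMatch></Resource></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="ReadRule" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="{XS}string">developers</AttributeValue>
      <SubjectAttributeDesignator AttributeId="group" DataType="{XS}string"/>
    </SubjectMatch></Subject></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="{XS}string">read</AttributeValue>
      <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{XS}string"/>
    </ActionMatch></Action></Actions>
  </Target></Rule>
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]   # strip the namespace: '{ns}Subject' -> 'Subject'

def parse_request(xml):
    """Collect request attributes: {'Subject': {AttributeId: [values]}, 'Resource': {...}, 'Action': {...}}."""
    attrs = {}
    for section in ET.fromstring(xml):
        bag = attrs.setdefault(local(section.tag), {})
        for a in section:
            if local(a.tag) == "Attribute":
                values = [v.text for v in a if local(v.tag) == "AttributeValue"]
                bag.setdefault(a.get("AttributeId"), []).extend(values)
    return attrs

def match_elem(match, bag):
    """One SubjectMatch/ResourceMatch/ActionMatch: literal AttributeValue vs. the designated request attribute."""
    if match.get("MatchId") not in EQUAL_FUNCS:
        raise ValueError(f"unsupported MatchId {match.get('MatchId')}")
    literal = designator = None
    for child in match:
        if local(child.tag) == "AttributeValue":
            literal = child.text
        elif local(child.tag).endswith("AttributeDesignator"):
            designator = child.get("AttributeId")
    return literal in bag.get(designator, [])

def target_matches(target, req):
    """A Target matches when each of Subjects/Resources/Actions is Any* or has a child whose Match elements all hold."""
    if target is None:                      # a Rule without a Target inherits its Policy's Target
        return True
    for group in target:
        category = local(group.tag)[:-1]    # 'Subjects' -> 'Subject', etc.
        items = list(group)
        if any(local(i.tag).startswith("Any") for i in items):
            continue
        if not any(all(match_elem(m, req.get(category, {})) for m in item) for item in items):
            return False
    return True

def evaluate(policy_xml, request_xml):
    """PDP decision: NotApplicable if the Policy Target fails, else permit-overrides across matching Rules."""
    policy = ET.fromstring(policy_xml)
    req = parse_request(request_xml)
    if not target_matches(policy.find(f"{{{POLICY_NS}}}Target"), req):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall(f"{{{POLICY_NS}}}Rule")
               if target_matches(r.find(f"{{{POLICY_NS}}}Target"), req)]
    return "Permit" if "Permit" in effects else "Deny" if "Deny" in effects else "NotApplicable"

def response_xml(decision):
    """2nd XML file: the decision handed back to the PEP."""
    return (f'<Response xmlns="{CONTEXT_NS}"><Result><Decision>{decision}</Decision>'
            '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result></Response>')

if __name__ == "__main__":   # alice (developers) is permitted to read; bob (visitors) falls through to FinalRule
    for who, grp in (("alice", "developers"), ("bob", "visitors")):
        print(who, "->", response_xml(evaluate(POLICY_XML, make_request(who, grp, DOC, "read"))))
```

Note how the two Targets divide the work: a request for a different resource-id never reaches the Rules (the Policy-level Target yields NotApplicable), while a request for the right resource but a subject outside the "developers" group matches the Policy, fails the ReadRule's Target, and is caught by the Target-less FinalRule, whose Deny is what the permit-overrides algorithm returns when no Permit was produced.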
Resources and References
- Sun's XACML Implementation