Ticket #1103 (closed task: fixed)

Opened 10 years ago

Last modified 10 years ago

[S] Port MSI Policy Decision Point to XACML 2.0

Reported by: pjkersha Owned by: pjkersha
Priority: desirable Milestone: CMIP5 Security
Component: security Version:
Keywords: security, XACML Cc:


The current PDP uses a bespoke XML Policy developed for NDG MSI. Port to XACML 2.0 to enable:

  • Default permit overrides policy. Currently, the policy is implicitly deny overrides: access is allowed unless a rule matches and sets otherwise. This is more difficult to manage than a permit overrides where access can be denied for all requests unless a given rule matches and permits access
  • support for action types. This will allow policy to be restricted based on an action requested, e.g. read, write. This is required for ESG/CMIP5 and will be useful for more fine grained control for OWS and RESTful services.
  • standardisation of policy

A subset of the spec should be implemented to cover only the features that are needed. This can be extended.

The fallback is the current MSI PDP.

Change History

comment:1 Changed 10 years ago by pjkersha

  • Status changed from new to closed
  • Resolution set to fixed

Completed and deployed

Note: See TracTickets for help on using tickets.