
Q1.

What is XML Access Control?

A1.

XML Access Control aims at providing XML documents with a sophisticated access
control model and access control specification language. With this access control technology,
the access control policies control how an XML document appears. The policies also ensure that the document is securely updated
as specified by the security programmer.

Q2.

What are the differences from the usual access control list (ACL)?

A2.

There are several differences:
- XPath expressions can be used as object references, with some limitations.
- XACL supports multiple policy semantics besides the "closed policy" that is
  supported in popular commercial products.
- The semantics of the access control rules are extended compared to the usual ACLs.
  Common ACLs use a three-tuple format like <object, subject, action>.
  XACL extends this to <object, subject, action, provisional_action>,
  which we call the provisional authorization model.
  The fourth primitive describes provisions of (conditions attached to) the access decision.

Q3.

What is the difference from XSLT?

A3.

The primary advantage of using XACL is that it enables users to specify
flexible access control policies. XACL also generates access decisions
in response to access requests; it is hard to write a generic
evaluation algorithm using XSLT. However,
once the access decisions have been generated, an XSLT processor can be incorporated
in the "Request Execution Module" of the provisional
authorization architecture. For this purpose, an "xslt" provisional action
could be specified in the access control policy, although this function is not
supported in this release.

Q4.

Why does decision_list.xml contain decisions on multiple elements
when the access request is submitted for one element?

A4.

XACL always generates tree-structured access decisions that start from the
referred object (element) in the target XML document. If the referred object has any child objects, then decision_list.xml
will contain multiple decisions, one per object in that subtree.

Q5.

How is "grant" or "deny" decided for the target object?

A5.

The evaluation process consists of three steps: matching, propagation,
and conflict resolution. In the matching step, all rules that are relevant to the referred object
are scanned. If there is no rule that is relevant to the referred object,
the system looks for a parent object or child objects according to the propagation policy.
If several relevant rules disagree, the conflict resolution policy picks one result.
Finally, "grant" or "deny" is returned. Please refer to the XACL Specification Document for detailed information.
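
As an added illustration of the three steps above, together with the four-tuple rules from A2 and the tree-structured decision list from A4, the following Python script is not part of the XACL tool; it is a toy evaluator written for this FAQ. It assumes a deny-takes-precedence conflict resolution policy and an upward propagation policy (in the real tool these policies are configurable, as the XACL Specification Document describes), uses the limited XPath subset of Python's ElementTree for object references, and works on a constructed sample document and rule set.

```python
import xml.etree.ElementTree as ET

# Constructed sample document; it is not from the XACL distribution.
DOCUMENT = """\
<patient id="p1">
  <name>Alice</name>
  <record>
    <diagnosis>flu</diagnosis>
    <billing>120</billing>
  </record>
</patient>
"""

# Rules in the four-tuple form <object, subject, action, provisional_action>,
# plus the grant/deny permission each rule carries. Object references use the
# XPath subset that ElementTree understands, evaluated relative to the root.
RULES = [
    {"object": ".", "subject": "doctor", "action": "read",
     "permission": "grant", "provisional_action": "log"},
    {"object": "./record/*", "subject": "doctor", "action": "read",
     "permission": "grant", "provisional_action": "log-record"},
    {"object": ".//billing", "subject": "doctor", "action": "read",
     "permission": "deny", "provisional_action": None},
    {"object": ".", "subject": "clerk", "action": "read",
     "permission": "deny", "provisional_action": None},
    {"object": "./record/billing", "subject": "clerk", "action": "read",
     "permission": "grant", "provisional_action": "verify-signature"},
]


def _index(root):
    """Map every element to its parent and to its absolute path (for reporting)."""
    parents, paths = {}, {root: "/" + root.tag}
    for parent in root.iter():
        for child in parent:
            parents[child] = parent
            paths[child] = paths[parent] + "/" + child.tag
    return parents, paths


def _resolve(matched):
    """Conflict resolution (assumed policy: deny takes precedence).
    Provisional actions are collected only from the rules on the winning side."""
    permission = "deny" if any(r["permission"] == "deny" for r in matched) else "grant"
    provisions = [r["provisional_action"] for r in matched
                  if r["permission"] == permission and r["provisional_action"]]
    return permission, provisions


def evaluate(xml_text, target, subject, action, rules=RULES):
    """Return the tree-structured decision list for `target` and its descendants."""
    root = ET.fromstring(xml_text)
    parents, paths = _index(root)

    # Matching step: resolve each relevant rule's object reference once, so that
    # "which rules apply to this element" becomes a membership test by identity.
    hits = [(rule, set(root.findall(rule["object"])))
            for rule in rules
            if rule["subject"] == subject and rule["action"] == action]

    def decide(elem):
        # Propagation step (assumed upward policy): an element with no rule of
        # its own inherits the decision of its nearest ancestor that has one.
        node = elem
        while node is not None:
            matched = [rule for rule, elems in hits if node in elems]
            if matched:
                return _resolve(matched)
            node = parents.get(node)
        return "deny", []  # no rule anywhere on the path: closed policy

    found = root.findall(target)
    if not found:
        raise LookupError(f"no element matches {target!r}")
    decisions = []
    for node in found[0].iter():  # the target and all its descendants, in document order
        permission, provisions = decide(node)
        decisions.append({"object": paths[node], "decision": permission,
                          "provisional_actions": provisions})
    return decisions


if __name__ == "__main__":
    for entry in evaluate(DOCUMENT, "./record", "doctor", "read"):
        print(entry)
```

Running it for the doctor on ./record shows all three steps at once: record itself has no rule and inherits the grant (with its "log" provision) from the root, diagnosis matches the "./record/*" rule directly, and billing matches both a grant and a deny, which conflict resolution settles in favour of deny.
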

Q6.

Is it possible to specify a specific attribute as an object reference in an access control rule?

A6.

Yes, attribute-wise access control is supported. Please refer to the XACL Specification Document for detailed information.

Q7.

Why is a read-not-allowed element still displayed on the right pane of the Document Viewer?

A7.

A read-not-allowed element is displayed if it has either a readable attribute or a readable child element. However, note that all of its child nodes other than such readable elements are hidden. Please refer to the XACL Specification Document for the semantics of the "read" action.
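
To make the display rule concrete, here is an added Python example (not code from the XACL Visual Tool) that builds an initiator's view from a constructed document and a constructed set of read decisions keyed by element and attribute path. It assumes that attributes are controlled individually, as in A6, and applies the readable-child condition recursively; the decisions themselves are taken as given input rather than computed.

```python
import xml.etree.ElementTree as ET

# Constructed sample document and read decisions; neither is from the XACL distribution.
DOCUMENT = """\
<patient id="p1" ward="7">
  <name>Alice</name>
  <record>
    <diagnosis>flu</diagnosis>
    <billing amount="120">paid</billing>
  </record>
</patient>
"""

# Read decisions per element path and per attribute path ("/elem/@attr").
# Anything not listed is treated as denied (closed policy). Same-tag siblings
# would share a path here; the toy keeps path handling deliberately simple.
DECISIONS = {
    "/patient": "deny",
    "/patient/@id": "grant",
    "/patient/name": "deny",
    "/patient/record": "deny",
    "/patient/record/diagnosis": "grant",
    "/patient/record/billing": "deny",
    "/patient/record/billing/@amount": "grant",
}


def build_view(elem, decisions, path=None):
    """Return the initiator's view of `elem`, or None if it must be hidden.

    A read-denied element is still shown when it has a readable attribute or a
    readable child (checked recursively), but its own text and its other
    attributes and children are hidden.
    """
    path = path if path is not None else "/" + elem.tag
    granted = decisions.get(path) == "grant"
    # Attribute-wise control: each attribute needs its own grant to appear.
    attrs = {k: v for k, v in elem.attrib.items()
             if decisions.get(f"{path}/@{k}") == "grant"}
    children = []
    for child in elem:
        child_view = build_view(child, decisions, f"{path}/{child.tag}")
        if child_view is not None:
            children.append(child_view)
    if not (granted or attrs or children):
        return None
    view = ET.Element(elem.tag, attrs)
    if granted:
        view.text = elem.text  # text is the element's own content: shown only on grant
    view.extend(children)
    return view


def view_of(xml_text, decisions=DECISIONS):
    """Parse the document and return its initiator view as an Element (or None)."""
    return build_view(ET.fromstring(xml_text), decisions)


if __name__ == "__main__":
    view = view_of(DOCUMENT)
    print(ET.tostring(view, encoding="unicode") if view is not None else "(nothing readable)")
```

With the constructed decisions, patient and record are both read-denied yet appear in the view: patient because its id attribute is readable, record because diagnosis under it is readable. The name element, the ward attribute and the text of billing are hidden, while billing itself survives only as an empty element carrying its readable amount attribute.
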

Q8.

When is the Document Viewer displayed?

A8.

When an access request with the read action is performed in execute mode (the "Start" button is clicked),
the Document Viewer pops up and displays the initiator's view.
In any other case (e.g. a write action, or query mode), the Document Viewer is not popped up.

Q9.

Are there any ways to speed up the XACL Visual Tool?

A9.

Try turning off all of the Policy Viewer, Status Viewer, Access Request Viewer, and Decision List Viewer from the Tool menu bar if they are open.

Q10.

Is it possible to add application-specific functions, predicates, and provisional actions?

A10.

Yes. Any user can implement application-specific functions, predicates, and provisional actions by implementing the corresponding Java interfaces, i.e., FunctionInterface, PredicateInterface, and ProvisionalActionInterface in the com.ibm.xml.policy.xacl package, respectively.