
(XACML usage for policies and policy decision-making is not required for use in UMA. There's no barrier to combining XACML and UMA usage, but it's certainly possible to use UMA with whatever style of policy handling/engine you like.) For a long time, we've talked about requesting party-*dependent* claims/conditions, such as caring who Bob is or other attributes about him, etc., and requesting party-*independent* claims/conditions, such as the time of day, what shift Dr. Bob is working, the phase of the moon :-), etc. The example brought up here is a case of an RqP-independent condition, and in fact it's also *resource owner-dependent*. I don't think it's strictly required for Alice to run her own AS in order for it to know such information. However, the AS she uses does have to have the ability to get access to those inputs in some fashion, so something like a "smart home" AS form factor could be good for that.

*Eve Maler*
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

On Fri, Jun 10, 2016 at 1:54 PM, John Wunderlich <john@wunderlich.ca> wrote:
I’ll defer to the more technical people, but my understanding of UMA (and OAuth?) as currently spec’d is that PEPs are out of scope of the spec.
From: Biswas Vivek <vivek_biswas@yahoo.com>
Reply: Biswas Vivek <vivek_biswas@yahoo.com>
Date: June 10, 2016 at 3:44:50 PM
To: Kirkpatrick Gil <gil.kirkpatrick@viewds.com>, Gropper Adrian <agropper@healthurl.com>, Chowdhury Mohammad <mjchowdhury@swin.edu.au>
Cc: wg-uma@kantarainitiative.org
Subject: Re: [WG-UMA] Capturing Resource Owner's Dynamic Context
Hi Jabed,
The responsibility for creating the dynamic XACML context lies with the PEP (Policy Enforcement Point). You may look into the OpenAz PEP implementation for the same.

Regards,
Vivek Biswas, CISSP
Oracle
------------------------------
*From:* Gil Kirkpatrick <gil.kirkpatrick@viewds.com>
*To:* 'Adrian Gropper' <agropper@healthurl.com>; 'Mohammad Chowdhury' <mjchowdhury@swin.edu.au>
*Cc:* wg-uma@kantarainitiative.org
*Sent:* Friday, June 10, 2016 12:24 PM
*Subject:* Re: [WG-UMA] Capturing Resource Owner's Dynamic Context
XACML provides for contextual attributes as well, either provided in the authorization request, or obtained out of band by the context handler.
-g
*From:* wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] *On Behalf Of* Adrian Gropper
*Sent:* Thursday, June 9, 2016 11:02 PM
*To:* Mohammad Chowdhury <mjchowdhury@swin.edu.au>
*Cc:* wg-uma@kantarainitiative.org
*Subject:* Re: [WG-UMA] Capturing Resource Owner's Dynamic Context
Hi Jabed,
This falls under my favorite use-case for UMA because it calls for Alice to run her own UMA AS. That UMA AS can use as much context as it wants in making authorization decisions and UMA would work just fine.
In the past, I have made a similar argument using the door lock to the downstairs of Alice's apartment as the RS instead of the camera. Alice's mom seeks entry using her smartphone as a client and needs to get a token for the apartment lock from Alice's AS. (The camera that looks at Alice's mom when she requests entry would be a shared resource owned by the building, just like the downstairs lock.)
My point is simply that every Alice has to be able to specify her own AS as a means of hiding her policies behind the UMA protocol. How the AS decides to calculate on her policies is completely out of band from UMA.
This is also core to our #wideeco work item.
Cheers,
Adrian
On Friday, June 10, 2016, Mohammad Chowdhury <mjchowdhury@swin.edu.au> wrote:
Dear All,
I am new to this group and spare me if I am asking a dumb question.
I am wondering, is there any way in UMA to capture the dynamic context of the resource owner to provide context-aware authorization?
I have the following use case,
“Alice’s mom will get access to the online CC camera hosted in Alice’s apartment, only if Alice is out of her apartment.”
I know XACML is used to capture the context of the Requester (e.g., the subject in XACML, in this case Alice’s mom). But I do not know whether there is any mechanism in XACML to capture the dynamic context (in our case, the context is location) of the resource owner (in this case, Alice) for the authorization decision.
Can anyone advise me on this?
Any comment will be appreciated.
Kind regards,
Jabed
--
Adrian Gropper MD
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
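Added example, not code from the list thread or from any UMA or XACML implementation: a small Python model of the AS-side evaluation the thread describes for Jabed's camera use case. It combines the three kinds of condition Eve distinguishes (requesting-party-dependent claims, requesting-party-independent time of day, and resource-owner-dependent presence), with the owner context fetched out of band in the context-handler role Gil mentions. The presence feed, the resource name "apartment-camera" and the claim value "mom@example.com" are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed stand-in for a "smart home" presence feed the AS can query out of
# band. A real AS would call a device or home-hub API; this value is made up.
PRESENCE_FEED: Dict[str, str] = {"alice": "away"}


@dataclass
class AuthzRequest:
    resource: str               # resource registered at the AS, e.g. "apartment-camera"
    scope: str                  # scope requested, e.g. "view"
    rqp_claims: Dict[str, str]  # requesting-party-dependent inputs (gathered claims)
    hour: int                   # requesting-party-independent input (time of day, 0-23)


def resolve_owner_context(owner: str) -> Dict[str, str]:
    """Context-handler role: fetch resource-owner-dependent attributes out of band."""
    return {"owner_presence": PRESENCE_FEED.get(owner, "unknown")}


def alice_camera_policy(req: AuthzRequest, owner_ctx: Dict[str, str]) -> str:
    """Alice's policy for her camera, returning an XACML-style decision string.

    Conditions combined, in the thread's terms:
      - RqP-dependent:   the requesting party must be Alice's mom (assumed email)
      - RqP-independent: only during daytime hours (06:00-22:00), an assumption
      - RO-dependent:    Alice must be out of the apartment
    """
    if req.resource != "apartment-camera" or req.scope != "view":
        return "NotApplicable"
    if req.rqp_claims.get("email") != "mom@example.com":
        return "Deny"
    if not 6 <= req.hour < 22:
        return "Deny"
    presence = owner_ctx.get("owner_presence", "unknown")
    if presence == "unknown":
        # Missing owner context is not consent: fail closed rather than guess.
        return "Indeterminate"
    return "Permit" if presence == "away" else "Deny"


def decide(req: AuthzRequest, owner: str = "alice") -> str:
    """AS-side evaluation: gather owner context, evaluate policy, return decision."""
    return alice_camera_policy(req, resolve_owner_context(owner))


def token_should_issue(decision: str) -> bool:
    """Only an explicit Permit leads to a token; every other decision is refused."""
    return decision == "Permit"
```

How the AS obtains the presence value is outside UMA, as Adrian notes; the model only shows that the policy engine needs a path to that input and a safe default when it is unavailable.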