Simulated FAQ

What is an access control policy?
An access control policy states which actions each entity (a person, process, thread, etc.) may perform on each resource.
What is XACML?
XACML is the eXtensible Access Control Markup Language, an OASIS standard. XACML is used to specify an access control policy in a declarative style. More information about XACML can be found here.
Does Margrave verify XACML syntax?
NO! It is unknown what Margrave will do when given an XACML file with syntax errors: it might give a somewhat helpful error message, it might crash, or, even worse, it might look like it is working but give you incorrect results. Please ensure that your syntax is correct before using Margrave. Tools to perform syntax checking are available here (see the bottom of the page).
What parts of XACML does Margrave (not) cover?
Is the subset of XACML that Margrave covers useful?
We think so. The subset of XACML supported can easily express role-based access-control policies and more.
Should I use Margrave to ensure that the policy I wrote is correct?
You should NOT rely on Margrave for verification of important policies, since Margrave is just a research prototype. However, even in its current state Margrave can be useful: if Margrave shows that a property does not hold, then you should check over the policy to see if this is indeed the case (and if Margrave was incorrect, please file a bug report). What is more dangerous is presuming that, just because Margrave found no problems, there are no problems.
What should I do if I find a bug in Margrave or would like a new feature?
Please email mtschant 'at' cs.brown.edu.
Why the name Margrave?
A margrave is a lord or keeper of borders: that is, a medieval access-control manager.
Parse Errors

There are three types of errors you might get when parsing an XACML policy file:
- XML error: The file contains illegal XML. These errors are produced by the SXML library used to read in the file. An example of one of these error messages is below:
    read-xml: parse-error: unclosed `PolicySet' tag at [2.0/40 4.99/402]
- XACML Syntax Error: The file violates the syntactic rules of XACML. For example, you might get:
    get-attribute: no attribute found for PolicySetId in (PolicySet ((PolicyCombiningAlgId urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides) [...]
  where [...] is the rest of an SXML representation of the offending PolicySet.
- Support Error: The file uses parts of XACML that are not supported by Margrave.
You might also get a warning:
- Support Warning: The file uses parts of XACML that are not supported, but Margrave can continue without changing the results of the analysis by discarding some of the file.
Depending on your goals, it might be safe to continue despite receiving a Support Warning.
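
A pre-flight check in the spirit of the advice above to confirm syntax before running Margrave, added here as an example (it is not part of Margrave and does not use its SXML reader). It separates the XML error class from a few XACML syntax errors by checking well-formedness and then the schema-required attributes on PolicySet, Policy and Rule; the function names and sample policies are constructed, and this is not a full schema validation.

```python
import xml.etree.ElementTree as ET

# Attributes the XACML schema requires on each element (partial list).
REQUIRED = {
    "PolicySet": ("PolicySetId", "PolicyCombiningAlgId"),
    "Policy": ("PolicyId", "RuleCombiningAlgId"),
    "Rule": ("RuleId", "Effect"),
}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def precheck(xml_text):
    """Return a list of (category, message) findings; empty means none found."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # The "XML error" class: the file is not well-formed XML.
        return [("xml", str(exc))]
    findings = []
    if local(root.tag) not in ("PolicySet", "Policy"):
        findings.append(("xacml", f"unexpected root element <{local(root.tag)}>"))
    for elem in root.iter():
        name = local(elem.tag)
        # The "XACML Syntax Error" class, e.g. a PolicySet with no PolicySetId.
        for attr in REQUIRED.get(name, ()):
            if attr not in elem.attrib:
                findings.append(("xacml", f"<{name}> is missing {attr}"))
        if name == "Rule" and elem.get("Effect") not in (None, "Permit", "Deny"):
            findings.append(("xacml", f"<Rule> has invalid Effect {elem.get('Effect')!r}"))
    return findings

# Constructed sample policies (not taken from the Margrave distribution).
ALG = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
RALG = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
UNCLOSED = f'<PolicySet PolicySetId="ps" PolicyCombiningAlgId="{ALG}">'
NO_ID = f'''<PolicySet PolicyCombiningAlgId="{ALG}">
  <Policy PolicyId="p1" RuleCombiningAlgId="{RALG}">
    <Rule RuleId="r1" Effect="Allow"/>
  </Policy>
</PolicySet>'''
GOOD = NO_ID.replace("<PolicySet ", '<PolicySet PolicySetId="ps" ').replace("Allow", "Permit")

if __name__ == "__main__":
    for label, doc in (("unclosed", UNCLOSED), ("no-id", NO_ID), ("good", GOOD)):
        print(label, precheck(doc))
```

An empty result only means these particular checks passed; constructs Margrave does not support would still surface as a Support Error or Support Warning.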