What is an access control policy?
An access control policy states which actions each entity (a person, process, thread, etc.) may perform on each resource.
What is XACML?
XACML is the eXtensible Access Control Markup Language, an OASIS standard. XACML is used to specify an access control policy in a declarative style. More information about XACML can be found here.
Does Margrave verify XACML syntax?
NO! It is unknown what Margrave will do when given a XACML file with syntax errors: it might give a somewhat helpful error message, it might crash, or even worse, it might look like it is working but give you incorrect results. Please ensure that your syntax is correct before using Margrave. Tools to perform syntax checking are available here (see the bottom of the page).
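A minimal pre-flight check along these lines, as an added example (not part of Margrave or its distribution): it rejects files that are not well-formed XML or that lack the basic XACML structure, so a broken file is stopped before it reaches the analysis. It is not a substitute for full schema validation; the function name `precheck_xacml` and the sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XACML_NS_PREFIX = "urn:oasis:names:tc:xacml:"
COMBINING_ATTR = {"Policy": "RuleCombiningAlgId", "PolicySet": "PolicyCombiningAlgId"}

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def precheck_xacml(text):
    """Return a list of problems; an empty list means the basic checks passed."""
    if "<!DOCTYPE" in text:  # fail closed: a policy file has no need for a DTD
        return ["DOCTYPE declarations are not expected in a XACML policy"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    ns, local = split_tag(root.tag)
    if local not in COMBINING_ATTR:
        problems.append(f"root element is <{local}>, expected <Policy> or <PolicySet>")
    if not ns.startswith(XACML_NS_PREFIX):
        problems.append(f"root namespace {ns!r} is not a XACML namespace")
    for elem in root.iter():
        _, name = split_tag(elem.tag)
        attr = COMBINING_ATTR.get(name)
        if attr and attr not in elem.attrib:
            problems.append(f"<{name}> is missing required attribute {attr}")
        if name == "Rule" and elem.get("Effect") not in ("Permit", "Deny"):
            problems.append(f"<Rule RuleId={elem.get('RuleId')!r}> has "
                            f"Effect={elem.get('Effect')!r}, expected Permit or Deny")
    return problems

# Constructed sample inputs (not taken from the Margrave distribution).
GOOD = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="demo"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="r1" Effect="Permit"/>
</Policy>"""
BAD_EFFECT = GOOD.replace('Effect="Permit"', 'Effect="permit"')  # wrong case
TRUNCATED = GOOD[:-len("</Policy>")]                             # missing close tag

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("bad effect", BAD_EFFECT), ("truncated", TRUNCATED)]:
        print(label, "->", precheck_xacml(doc) or "ok")
```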
What parts of XACML does Margrave (not) cover?
Is the subset of XACML that Margrave covers useful?
We think so. The subset of XACML supported can easily express core role-based access-control policies. Although this subset does not provide data reasoning, the Continue Example shows how one can remove data reasoning from the policy and express the results of such reasoning in the supported subset of XACML.
Should I use Margrave to ensure that the policy I wrote is correct?
You should NOT rely on Margrave for verification of important policies, since Margrave is just a research prototype. However, even in its current state Margrave can be useful: if Margrave does show that a property does not hold, then you should clearly check over the policy to see if this is indeed the case (and if Margrave was incorrect, please file a bug report). What is more dangerous is presuming that just because Margrave found no problems, there are no problems.
Why the name Margrave?
A margrave is a lord or keeper of borders: that is, a medieval access-control manager.
If you are having trouble running Margrave, you can try running the example "simple.scm" and see whether the error you get matches any we have gotten; if so, try what we did to fix it:
reference to undefined identifier: load-relative
Using the language level "Standard (R5RS)"
reference to undefined identifier: include
Using the language level "Textual" or "Graphical".
unknown module: margrave
Using the language level "Expander".
module-language: only module expressions are allowed in: (load-relative "../../code/Margrave.scm"
Using the language level "Module".
parse-compoundlaw: A policy or policy set was needed. Instead PolicySet was found.
Did not turn on case sensitivity.
Switch to language level "Pretty Big" with case sensitivity on. See the documentation page
load-extension: couldn't open "<some path>/Margrave/examples/simple/../../code/AccessControl/import.so" (<some path>/Margrave/examples/simple/../../code/AccessControl/import.so: cannot open shared object file: No such file or directory)
Forgot to run the make file.