Home > Articles > Software Development & Management

This chapter is from the book XACML Usage Scenarios

XACML Usage Scenarios

The following sections identify a few scenarios where XACML can be used. XACML can be used as a centralized policy store for applications. It can also be used to provide access control for Web services. In addition, it can collaborate with SAML (using the SAML 2.0 profile of XACML 2.0) for implementation of single sign-on and sharing the same access control mechanisms with an enterprise.

Policy Store

XACML is an ideal technology candidate for use in implementing a centralized or distributed policy store because it can act as a data abstraction layer for the policy decision point. It can be implemented on top of any underlying data store platform, including directory server or relational database. If policy data are stored in a directory server or relational database directly, the policy retrieval will be strictly dependent on the underlying data store platform. If there are different policy store products running on heterogeneous data store platforms, then XACML will be a more flexible approach because it is shielded off from the underlying data store platform.

A distributed policy store refers to the scenario where customers partition the types of policies by geographical areas or by functional areas across different servers. This allows easier maintenance by the local administration. It is also possible to have multiple PEPs to process different types of policies by different partitions (for example, by geographical areas). This distributed architecture of the policy system is a common way to scale up the architecture and increase the capability of high-volume policy inquiries.

A centralized policy store refers to the scenario where customers have a single master policy store. This is useful for administering all types of security access control rules centrally. However, it also requires that the centralized policy store be highly available. Otherwise, any outage will be disruptive and impact all business services that rely on the access control policies.

Centralizing Security Policy for Web Services Security

Many Web services management products (such as AmberPoint, Actional, and Flamenco Networks) provide an access control mechanism for routing SOAP messages via a Web services proxy, or a Web services agent (refer to [WebServices-LifeCycle] for details). These proxies (Web services messaging intermediary) or agents (Web server or application server plug-in) usually act as a policy enforcement point that enforces access control policies for XML and SOAP messages. The associated Web services management server (aka policy administration point) allows defining and administering security policies for access to partial or full content of the SOAP messages by user groups or roles. These are ideal candidates for applying XACML technology.

Collaborating with SAML

SAML currently provides a mechanism for specifying policies and authorization decisions. There are constraints in the extensibility and flexibility of how to express rules and policies. In SAML 2.0, SAML enables collaborating with XACML, where SAML can share attributes and authorization decisions expressed in XACML. Details can be found at [SAML2Core] and [XACML2SAML2].

ebXML Registry

When service requesters discover and look up Web services from a service registry, there needs to be a reliable access control mechanism to protect the service registry. Many UDDI service registry implementations use database security for access control. However, the database-centric security approach usually provides primitive access control with read or write attributes. It does not support sophisticated rules, preferences, or even policy negotiation because it does not have a policy language.

ebXML registry open source implementation (http://sourceforge.net/projects/ebxmlrr/) uses XACML to implement an access control mechanism to discover and consume Web services. This allows more flexibility and extensibility in controlling who can access and under which condition the service requester can invoke the Web services. The ebXML registry stores the access-control policies and attributes in the registry and customizes a registry attribute finder module based on Sun’s XACML kit.

Example–XACML Using Sun’s XACML Kit

Sun Microsystems has created an implementation of XACML and released it as an open source project with the 1.0 release of XACML. It is available on sourceforge.net (http://sunxacml.sourceforge.net/). The current XACML Kit version 1.2 supports the XACML 1.x specifications (and most of the XACML 2.0 specification) with APIS for creating, validating, parsing, and evaluating policies and authorization requests. The code is broken into separate packages that support specific elements of the specification and is designed to make it easy to use or extend the XACML specification as needed. For more details, see the Sun XACML programmer’s guide at http://sunxacml.sourceforge.net/guide.html.

Sample Scenario

To illustrate XACML kit, we use a sample scenario where a subscriber of an online portal tries to access their own account profile and check for credit card payment information. Here we have the following requirements:

  • Only a premium member from “coresecuritypatterns.com” can access the URL http://www.onlinestore.com/sensitive/paymentinfo.html for their sensitive account information, including their own credit card payment information.
  • Any other users who do not have the e-mail address domain ended with “coresecuritypatterns.com,” or who are not a premium member, cannot access the credit card information.
  • Successful access will be logged for audit control.
  • Invalid access from users who do not have the valid e-mail address domain “coresecuritypatterns.com” will be also logged for audit control.

The online portal uses XACML for access control. This example will use the following features of XACML policies:

  • Applying the constraint of premium member status for the account information access request. The element <condition> will be used to specify only premium member in the <target> can access the resource.
  • Adding one of the conditions to enable only service requesters with an e-mail address domain “coresecuritypatterns.com” can access the resource.
  • Illustrating the use of <obligation> element to log both successful read access as well as unsuccessful access for audit trail.

Sample Request

Example 7–13 shows a sample service request to access the URL http://www.onlinestore.com/sensitive/paymentinfo.html expressed in XACML. The request denotes a read request from a user maryj@coresecuritypatterns.com, who has a premium membership, to access the URL for her own account information. The subscriber clicks the URL, and the online portal (acting as a PEP) generates an XACML service request for a read request to the URL resource.

Example 7–13 Request to access sensitive payment resource
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Subject>
      <Attribute 
          AttributeId=
   "urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
          DataType=
"urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
        <AttributeValue>
            maryj@coresecuritypatterns.com
        </AttributeValue>
      </Attribute>
      <Attribute 
          AttributeId="group"
               DataType=             http://www.w3.org/2001/XMLSchema#string
               Issuer=
                  "admin@coresecuritypatterns.com">
        <AttributeValue>premiumMember</AttributeValue>
      </Attribute>
    </Subject>
    <Resource>
      <Attribute AttributeId=
      "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                 DataType=
			"http://www.w3.org/2001/XMLSchema#anyURI">
        <AttributeValue>
http://www.onlinestore.com/sensitive/paymentinfo.html
</AttributeValue>
      </Attribute>
    </Resource>
    <Action>
      <Attribute 
          AttributeId=
     "urn:oasis:names:tc:xacml:1.0:action:action-id"
          DataType=
     "http://www.w3.org/2001/XMLSchema#string">
        <AttributeValue>read</AttributeValue>
      </Attribute>
    </Action>
  </Request>

Sample Policy

The XACML policy engine (acting as a PDP) receives the read request. It looks up any policies that are applicable to the request. Example 7–14 shows a sample policy to protect the sensitive payment resource. In plain English, the policy allows any subject with a group identifier “premiumMember” and with an e-mail address domain name “coresecuritypatterns.com” to have read access to the sensitive payment resource with the URI http://www.onlinestore.com/sensitive/_paymentinfo.html. It also specifies that the policy will log any successful read action or any unsuccessful read with an invalid e-mail address domain name.

Example 7–14 Policy for the sensitive resource
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   PolicyId="AdminCanRead_ObligationPolicy"
   RuleCombiningAlgId=
   "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">

  <Description>
     This policy states that users with a domain name 
     @coresecuritypatterns.com who are also premium members
     should be able to read the sensitive document
     http://www.onlinestore.com/sensitive/paymentinfo.html.
     Both successful and invalid read request are logged using Obligation.
     
     If users have a different domain name other than 
     @coresecuritypatterns.com, this policy will deny access.
     If users with a domain name @coresecuritypatterns.com who 
     are NOT premium members this policy also deny their access.
     
     This policy illustrates use of "Condition" within a 
     "Target" element to apply constraints to the read access
     for the requester who are Administrator only. It also 
     provides an example of "Obligation"
     to log successful read and log invalid access.
  </Description>

  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId=
            "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
          <AttributeValue 
             DataType=
             "http://www.w3.org/2001/XMLSchema#string">
                coresecuritypatterns.com
          </AttributeValue>
          <SubjectAttributeDesignator 
              DataType=
              "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
              AttributeId=
              "urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
        <Resource>
          <ResourceMatch 
             MatchId=
             "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
            <AttributeValue 
               DataType=
               "http://www.w3.org/2001/XMLSchema#anyURI">
               http://www.onlinestore.com/sensitive/paymentinfo.html
            </AttributeValue>
            <ResourceAttributeDesignator 
               DataType=
               "http://www.w3.org/2001/XMLSchema#anyURI"
               AttributeId=
               "urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
          </ResourceMatch>
        </Resource>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>

  <Rule RuleId="ReadRule" Effect="Permit">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch 
             MatchId=
             "urn:oasis:names:tc:xacml:1.0:function:string-equal">
             <AttributeValue
                 DataType="http://www.w3.org/2001/XMLSchema#string">
                 read
              </AttributeValue>
            <ActionAttributeDesignator 
               DataType=
               "http://www.w3.org/2001/XMLSchema#string"
               AttributeId=
               "urn:oasis:names:tc:xacml:1.0:action:action-id"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
          <Condition 
             FunctionId=
             "urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId=
        "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator 
             DataType="http://www.w3.org/2001/XMLSchema#string"
			              AttributeId="group"/>
        </Apply>
        <AttributeValue 
           DataType=
           "http://www.w3.org/2001/XMLSchema#string">
           premiumMember
        </AttributeValue>
      </Condition>
  </Rule>
    
  <Rule RuleId="DenyOtherActions" Effect="Deny"/>

  <Obligations>
    <Obligation 
       ObligationId="LogSuccessfulRead" 
       FulfillOn="Permit">
      <AttributeAssignment 
         AttributeId="user" 
         DataType=
         "http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:1.0:subject:subject-id
      </AttributeAssignment>
      <AttributeAssignment 
         AttributeId="resource" 
         DataType="http://www.w3.org/2001/XMLSchema#anyURI">
         urn:oasis:names:tc:xacml:1.0:resource:resource-id
      </AttributeAssignment>
    </Obligation>
    <Obligation 
       ObligationId="LogInvalidAccess" 
       FulfillOn="Deny">
      <AttributeAssignment 
         AttributeId="user" 
         DataType="http://www.w3.org/2001/XMLSchema#anyURI">
         urn:oasis:names:tc:xacml:1.0:subject:subject-id
      </AttributeAssignment>
      <AttributeAssignment 
         AttributeId="resource" 
         DataType="http://www.w3.org/2001/XMLSchema#anyURI">
         urn:oasis:names:tc:xacml:1.0:resource:resource-id
      </AttributeAssignment>
      <AttributeAssignment 
         AttributeId="action" 
		          DataType="http://www.w3.org/2001/XMLSchema#anyURI">
         urn:oasis:names:tc:xacml:1.0:action:action-id
      </AttributeAssignment>
    </Obligation>
  </Obligations>
</Policy>

Example 7–15 shows the response to the read request. The PDP returns a status that indicates whether the read request is granted. If this is granted, the <Decision> element will indicate “Permit.” If this is rejected, the <Decision> element will return “Deny.” An error of any kind (such as missing attribute value) results in “Indeterminate.” “NotApplicable” is the result if no available policies apply to the given request.

Example 7–15 Output from the PDP program
C:\XACML2\sunxacml-1.2\sample>java SimplePDP request\request.xml policy\policy.xml
<Response>
  <Result ResourceID=
       "http://www.onlinestore.com/sensitive/paymentinfo.html">
    <Decision>Permit</Decision>
    <Status>  
      <StatusCode 
         Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
    <Obligations>
      <Obligation 
          ObligationId="LogSuccessfulRead" 
          FulfillOn="Permit">
        <AttributeAssignment 
            AttributeId="user" 
            DataType=
            "http://www.w3.org/2001/XMLSchema#anyURI">
            urn:oasis:names:tc:xacml:1.0:subject:subject-id
        </AttributeAssignment>
        <AttributeAssignment 
            AttributeId="resource" 
            DataType=
            "http://www.w3.org/2001/XMLSchema#anyURI">
            urn:oasis:names:tc:xacml:1.0:resource:resource-id
        </AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>
Remark

These examples use Sun’s XACML Kit version 1.2, which currently supports XACML 1.1. To run these examples in XACML 2.0, developers need to change the version number and the namespace (for example, xmlns="urn:oasis:names:tc: xacml:2.0:policy") in the XML header, and make any necessary XACML 2.0 changes.

Use of XACML 2.0 with SAML 2.0

XACML 2.0 and SAML 2.0 can be used together. In XACML 2.0, a SAML profile is defined. [XACML2SAML2] specifies OASIS-approved standard extensions to SAML for interoperation with XACML. The SAML profile in XACML 2.0 includes specifications for:

  • Mapping SAML Attributes into XACML Attributes
  • Sending a SAML authorization decision query to an XACML Policy Decision Point
  • Receiving an XACML response in the form of a SAML authorization decision statement from an XACML Policy Decision Point
  • Requesting one or more XACML policies from an online Policy Administration Point using a SAML policy query
  • Receiving XACML policies from online Policy Administration Points in the form of a SAML policy statement in a SAML assertion
  • Storing XACML policies in policy repositories in the form of SAML policy statements

Figure 7–10 illustrates the use of these SAML extensions with XACML (also refer to [XACML2SAML2] for more details):

Figure 7–10 Use of SAML 2.0 in XACML 2.0

  • Service requester initiates request to access a specific resource. The Policy Enforcement Point sends the resource access request to an XACML Policy Decision Point in a SAML authorization decision query (XACMLAuthzDecisionQuery in Step 1).
    • – The Policy Enforcement Point may obtain attributes in one of the following ways:

      – The Policy Enforcement Point may obtain attributes directly from an online Attribute Authority using an AttributeQuery (Step 1a). This query returns an AttributeStatement in the SAML response (Step 2a).

      – The Policy Enforcement Point may obtain attributes from a repository, where they were stored previously by an Attribute Authority in the form of SAML AttributeStatements (Step 4a).

  • The XACML Policy Decision Point evaluates the resource access request and decides additional attributes are needed. It can obtain these in one of the following ways:
    • – The XACML Policy Decision Point may obtain attributes directly from an online Attribute Authority using an AttributeQuery (Step 2). This query returns an AttributeStatement in the SAML response (Step 3).

      – The XACML Policy Decision Point may obtain attributes from a repository (Step 4), where they were stored previously by an Attribute Authority in the form of SAML AttributeStatements (Step 5a).

This allows the XACML Policy Decision Point to augment the resource access request with additional attributes.

  • The Policy Enforcement Point may obtain attributes from the Attribute Authority or from the Attribute Repository that stores the attributes about the service requester or resource (AttributeQuery in Step 1a).
  • The Attribute Authority returns attributes in a SAML attribute statement to the Policy Enforcement Point (AttributeStatement in Step 2a).
  • The Attribute Authority creates an assertion of an attribute statement in the Attribute Repository (AttributeStatement in Step 3a), which also makes the attribute statement available to the XACML Policy Enforcement Point (AttributeStatement in Step 4a) or to the XACML Policy Decision Point (AttributeStatement in Step 5a).
  • The XACML Policy Decision Point evaluates the resource access request and decides to make a SAML attribute query with the Attribute Authority (AttributeQuery in Step 2).
  • The Attribute Authority returns with a SAML attribute statement (_AttributeStatement in Step 3). This allows the XACML Policy Decision Point to augment the XACML Policy Enforcement Point’s description of the resource access request with additional attributes.
  • The XACML Policy Decision Point may need to retrieve any policies relevant to the resource access request from the XACML Policy Administration Point or from the XACML Policy Repository (XACMLPolicyQuery in Step 4).
  • The XACML Policy Administration Point finds relevant policies from the XACML Policy Repository and creates a policy statement assertion (XACMLPolicyStatement in Step 5). These policies may be retrieved as follows:
    • – The XACML Policy Administration Point responds to the policy query with a policy statement assertion (XACMLPolicyStatement in Step 6).

      – The XACML Policy Decision Point can also find relevant policies from the XACML Policy Repository (XACMLPolicyStatement in Step 7).

  • With the availability of relevant policies and attributes, the XACML Policy Decision Point is able to respond to the XACML Policy Enforcement Point with a SAML authorization decision statement (XACMLAuthzDecisionStatement in Step 8).
  • Alternatively, the XACML Policy Decision Point can retrieve necessary policies directly from the XACML Policy Repository.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020