Subject: RE: The Hal/David model
And to follow up on one of Darren's points and bring things around to our
most recent TC discussion...
At 11:46 AM 3/23/01 -0800, Darren Platt wrote:
>...
>I believe a statement such as "user 'noddles' is granted 'execute'
>on '/usr/bin/guitar'" is a statement of policy. This statement is not that
>different from "users who are 6 feet tall are granted 'execute' on
>'/usr/bin/guitar'" or "users who have the role 'musician' are granted
>'execute' on '/usr/bin/guitar'". These latter two clearly require a
>'decision' to enforce and are therefore the input of the policy decision
>point. I therefore don't think that this is something a PDP would pass to a
>PEP, rather something a PDP might pass to another PDP. By their names, PDPs
>and PEPs seem to me to be abstractions based on their functionality - so a
>decision point evaluates policy and makes a decision, and an enforcement
>point applies the decision.
So, to simplify the logical perspective even more:
decision PDP(policies, attributes)
permission PEP(decision)
?
Eve
--
Eve Maler +1 781 442 3190
Sun Microsystems XML Technology Development eve.maler @ east.sun.com
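
The simplified view at the end of this message, written out as an added sketch that is not part of the original thread or of any TC document. It puts the three statements from the quoted text into one policy shape to show that each needs a decision before anything can be enforced. The names `Policy`, `pdp`, `pep`, the attribute keys and the "Permit"/"Deny" strings are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Mapping

Attributes = Mapping[str, object]  # subject and request attributes (assumed shape)


@dataclass(frozen=True)
class Policy:
    action: str
    resource: str
    condition: Callable[[Attributes], bool]  # predicate over the attributes


# The three statements from the quoted message, all expressed the same way.
POLICIES = [
    Policy("execute", "/usr/bin/guitar", lambda a: a.get("user") == "noddles"),
    Policy("execute", "/usr/bin/guitar", lambda a: a.get("height_ft") == 6),
    Policy("execute", "/usr/bin/guitar", lambda a: "musician" in a.get("roles", ())),
]


def pdp(policies: Iterable[Policy], attributes: Attributes) -> str:
    """Decision point: evaluate policy against attributes, return a decision."""
    for p in policies:
        if (p.action == attributes.get("action")
                and p.resource == attributes.get("resource")
                and p.condition(attributes)):
            return "Permit"
    return "Deny"  # no applicable policy matched: default deny


def pep(decision: str, operation: Callable[[], object]) -> object:
    """Enforcement point: apply the decision; it never sees policy or attributes."""
    if decision != "Permit":  # fail closed on anything that is not an explicit permit
        raise PermissionError("access denied by PDP decision")
    return operation()


if __name__ == "__main__":
    # Constructed sample request: a user who only holds the 'musician' role.
    request = {"user": "alice", "roles": ("musician",),
               "action": "execute", "resource": "/usr/bin/guitar"}
    print(pep(pdp(POLICIES, request), lambda: "guitar executed"))
```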