RE: [xacml-comment] Policy question

[Tim Moses <tim.moses@entrust.com>]

Title: Message

Brian - Interesting.  I would call your type of policy a "management" policy.  XACML was designed as an "authorization" policy language.  The result of evaluating a management policy is a set of actions.  Whereas the result of evaluating an authorization policy is a boolean decision.

 

XACML actually straddles the boundary between the two types of policy, though.  It allows "side-effects" of the decision, in the form of obligations.

 

There are a couple of deficiencies in XACML when used as a language for expressing management policies.  Some of these are trivial, such as the lack of a combining algorithm that doesn't terminate prematurely and the fact that "effect" values of "permit" and "deny" are inappropriate in the absence of a decision.  Others are more serious, such as the inability to express sequence and choice amongst obligations.

 

Perhaps, XACML should extend its charter to address these questions.

 

All the best.  Tim.

-----Original Message-----
From: Brian Hawkins [mailto:bhawkins@novell.com]
Sent: Tuesday, September 07, 2004 12:49 PM
To: xacml-comment@lists.oasis-open.org
Subject: [xacml-comment] Policy question

I have a question about policy.  I guess it actually is a policy question.

 

I would like to write in some policy language an answer to the "what do I do now?" question.

For example, I ran out of disk space, now what do I do?

 

The answer would be "Perform the disk clean up operation and email the admin".  I would like to do this in some policy language like XACML but it does not seem to be quite right for the job.

 

Has anyone else encountered this or have any thoughts on it?

 

Thanks

Brian