Subject: RE: [xacml-comment] Policy question

Brian - Interesting. I would call your type of policy a "management" policy. XACML was designed as an "authorization" policy language. The result of evaluating a management policy is a set of actions. Whereas the result of evaluating an authorization policy is a boolean decision.

XACML actually straddles the boundary between the two types of policy, though. It allows "side-effects" of the decision, in the form of obligations.

There are a couple of deficiencies in XACML when used as a language for expressing management policies. Some of these are trivial, such as the lack of a combining algorithm that doesn't terminate prematurely and the fact that "effect" values of "permit" and "deny" are inappropriate in the absence of a decision. Others are more serious, such as the inability to express sequence and choice amongst obligations.

Perhaps, XACML should extend its charter to address these questions.

All the best. Tim.
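
The following is an added example, not part of the message above and not code from the XACML specification. It is a simplified model of the point about combining algorithms: a first-applicable combiner stops at the first matching rule and returns only that rule's obligations, while a hypothetical `evaluate_all` combiner (an assumption, not an XACML algorithm) collects the actions of every matching rule. The rule names, obligations and request values are constructed.

```python
# Simplified model of XACML-style rule combining (constructed, not spec-complete).
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Rule:
    rule_id: str
    effect: str                       # "Permit" or "Deny"
    applies: Callable[[dict], bool]   # stands in for Target + Condition
    obligations: list = field(default_factory=list)


def first_applicable(rules, request):
    """Authorization style: stop at the first matching rule."""
    for rule in rules:
        if rule.applies(request):
            # Rules after this one are never evaluated, so their
            # obligations can never reach the enforcement point.
            return rule.effect, list(rule.obligations), [rule.rule_id]
    return "NotApplicable", [], []


def evaluate_all(rules, request):
    """Hypothetical management-style combiner: no early exit, no decision."""
    actions, matched = [], []
    for rule in rules:
        if rule.applies(request):
            actions.extend(rule.obligations)
            matched.append(rule.rule_id)
    return actions, matched


# Constructed management policy: "Permit" carries no meaning here, only the
# obligations matter, which is the mismatch the message points out.
RULES = [
    Rule("disk-high", "Permit", lambda r: r["disk_pct"] > 90, ["rotate-logs"]),
    Rule("disk-critical", "Permit", lambda r: r["disk_pct"] > 95, ["page-oncall"]),
    Rule("cert-expiring", "Permit", lambda r: r["cert_days"] < 14, ["renew-cert"]),
]
REQUEST = {"disk_pct": 97, "cert_days": 10}   # constructed sample request

if __name__ == "__main__":
    print("first-applicable:", first_applicable(RULES, REQUEST))
    print("evaluate-all:    ", evaluate_all(RULES, REQUEST))
```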