
xacml-comment message



Subject: RE: [xacml-comment] Re: Policy


Srilekha - My suggestion to you is that you lay out the use-case.  If it is
within the current charter of XACML, then the committee should explore
whether it represents a common requirement and whether or not it is soluble
with the current specification.

You'll find a sample use-case document to use as a template at ...

http://www.oasis-open.org/committees/download.php/1378/wd-xacml-wspl-use-cases-03.pdf

I look forward to reviewing your input.  All the best.  Tim.

-----Original Message-----
From: Srilekha Mudumbai [mailto:sri@jerichosystems.com] 
Sent: Wednesday, September 08, 2004 10:45 AM
To: xacml-comment@lists.oasis-open.org
Subject: [xacml-comment] Re: Policy


Tim,
 
I have to agree on the limitations of XACML as posted by you. XACML should
address all the limitations so as to expand its horizon. 

One thing I wanted to do is to give some reasoning on a deny of access
based on the business requirements iff required. The obligation was a
choice but it is static and the reasoning is dynamic and may be on a
per-user basis. That is where I had problems. First of all, I was not even
aware if I could use obligation. Then Seth suggested that I do so because
there was no better alternative.
 
Regards
Srilekha
 
Srilekha Mudumbai
 
Jericho Systems
Dallas, Texas
972-231-2000
 
 
The information contained in this e-mail and all attachments transmitted
with it is the Confidential and Proprietary information of Jericho Systems,
Inc. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended
recipient, you are hereby notified that any dissemination, distribution,
copying, or other use of this message or its attachments is strictly
prohibited. If you have received this message in error, please notify the
sender immediately by replying to this message and please delete it from
your computer
 
-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com] 
Sent: Tuesday, September 07, 2004 12:33 PM
To: 'Brian Hawkins'; 'xacml-comment@lists.oasis-open.org'
Subject: RE: [xacml-comment] Policy question
 
Brian - Interesting.  I would call your type of policy a "management"
policy.  XACML was designed as an "authorization" policy language.  The
result of evaluating a management policy is a set of actions.  Whereas the
result of evaluating an authorization policy is a boolean decision.
 
XACML actually straddles the boundary between the two types of policy,
though.  It allows "side-effects" of the decision, in the form of
obligations.
 
There are a couple of deficiencies in XACML when used as a language for
expressing management policies.  Some of these are trivial, such as the lack
of a combining algorithm that doesn't terminate prematurely and the fact
that "effect" values of "permit" and "deny" are inappropriate in the absence
of a decision.  Others are more serious, such as the inability to express
sequence and choice amongst obligations.
 
Perhaps, XACML should extend its charter to address these questions.
 
All the best.  Tim.

-----Original Message-----
From: Brian Hawkins [mailto:bhawkins@novell.com] 
Sent: Tuesday, September 07, 2004 12:49 PM
To: xacml-comment@lists.oasis-open.org
Subject: [xacml-comment] Policy question

I have a question about policy.  I guess it actually is a policy question.
 
I would like to write in some policy language an answer to the "what do I do
now?" question. For example, I ran out of disk space, now what do I do?
 
The answer would be "Perform the disk clean up operation and email the
admin".  I would like to do this in some policy language like XACML but it
does not seem to be quite right for the job.
 
Has anyone else encountered this or have any thoughts on it?
 
Thanks
Brian
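
Added example (not part of the thread, and not code from the XACML specification or any PDP): a simplified Python model of the distinction drawn in Tim Moses's 7 September reply, using Brian's disk-space case. The `Policy` class, the `collect_all` combiner, and the policy and obligation names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Simplified model: "applies" stands in for an XACML Target plus Condition.
@dataclass
class Policy:
    name: str
    applies: Callable[[dict], bool]
    effect: str                                   # "Permit" or "Deny"
    obligations: List[str] = field(default_factory=list)

def first_applicable(policies: List[Policy], request: dict) -> Tuple[str, List[str]]:
    """Authorization style: the first applicable policy decides and
    evaluation stops, so only that policy's obligations are returned."""
    for p in policies:
        if p.applies(request):
            return p.effect, list(p.obligations)
    return "NotApplicable", []

def collect_all(policies: List[Policy], request: dict) -> List[str]:
    """Hypothetical management-style combiner (not an XACML algorithm):
    never terminates early, ignores Permit/Deny, and returns the actions
    of every applicable policy in policy order."""
    actions: List[str] = []
    for p in policies:
        if p.applies(request):
            actions.extend(p.obligations)
    return actions

# Constructed sample policies for the "ran out of disk space" question.
POLICIES = [
    Policy("cleanup", lambda r: r["disk_free_pct"] < 5, "Permit",
           ["run-disk-cleanup"]),
    Policy("notify", lambda r: r["disk_free_pct"] < 5, "Permit",
           ["email-admin"]),
]
LOW_DISK = {"event": "disk-space-low", "disk_free_pct": 2}   # constructed
HEALTHY = {"event": "disk-check", "disk_free_pct": 60}       # constructed

if __name__ == "__main__":
    # The decision-oriented combiner loses the second action.
    print(first_applicable(POLICIES, LOW_DISK))
    # The management-style combiner yields the full action list.
    print(collect_all(POLICIES, LOW_DISK))
```

The "Permit" effect on both sample policies carries no meaning here, which is the second deficiency Tim names: an effect value is required even when no access decision is being made.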

