OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Features for XACMLv3

Dear XACML WG

The EC FW7 TAS3 project (www.tas3.eu) is a user of the XACMLv2 
specification. We note that it is missing a couple of features that we 
will find useful, and wondered if they can be added to XACMLv3.

The missing features are as follows

i) the ability to make a "just checking" request to a PDP, for example 
when preparing a workflow. Such requests allow checking whether 
permissions are sufficient to perform a service call, without actually 
performing the call. The reason why it is important for the PDP to know 
that this is a "just checking" call rather than an access request call, 
are several, including:
a) the PDP may be logging access requests and this should not be logged 
as an access request in the audit trail
b) the PDP may support separation of duties or other state based access 
control decision making. The "just checking" request should not change 
the internal state of the PDP, whereas an access request could.
c) the PEP may or may not want obligations to be returned on a just 
checking request, depending upon whether it checks the obligations as 
well. If it does not, then it would improve performance to not return 
the obligations.

ii) the ability for the PDP to return the set of attributes from the 
request context that were used in the rule for the decision that was 
returned. In previous messages I have given Erik the rationale for why 
this is needed (e.g. a returned obligation performs some action based on 
the role of the accessor, but the request context contained several 
irrelevant roles that were not used in the decision making).

regards

David

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]