Subject: Features for XACMLv3
Dear XACML WG

The EC FW7 TAS3 project (www.tas3.eu) is a user of the XACMLv2 specification. We note that it is missing a couple of features that we will find useful, and wondered if they can be added to XACMLv3. The missing features are as follows:

i) the ability to make a "just checking" request to a PDP, for example when preparing a workflow. Such requests allow checking whether permissions are sufficient to perform a service call, without actually performing the call. The reasons why it is important for the PDP to know that this is a "just checking" call rather than an access request call are several, including:

a) the PDP may be logging access requests and this should not be logged as an access request in the audit trail

b) the PDP may support separation of duties or other state based access control decision making. The "just checking" request should not change the internal state of the PDP, whereas an access request could.

c) the PEP may or may not want obligations to be returned on a just checking request, depending upon whether it checks the obligations as well. If it does not, then it would improve performance to not return the obligations.

ii) the ability for the PDP to return the set of attributes from the request context that were used in the rule for the decision that was returned. In previous messages I have given Erik the rationale for why this is needed (e.g. a returned obligation performs some action based on the role of the accessor, but the request context contained several irrelevant roles that were not used in the decision making).

regards

David

--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
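A minimal sketch of the two behaviours requested in the message above, added here as an illustration; it is not part of the original message, not XACML syntax, and not any PDP product's API. `ToyPDP`, `just_checking`, `want_obligations`, the manager rule and the sample request values are all hypothetical.

```python
# Toy model only: a hypothetical PDP showing "just checking" semantics (i)
# and the return of the attributes the matching rule actually used (ii).
from dataclasses import dataclass, field


@dataclass
class Decision:
    effect: str
    obligations: list
    used_attributes: dict  # (ii) only what the matching rule read


@dataclass
class ToyPDP:
    audit_log: list = field(default_factory=list)
    approved_by: dict = field(default_factory=dict)  # SoD state: resource -> first approver

    def evaluate(self, request, just_checking=False, want_obligations=True):
        subject, resource = request["subject"], request["resource"]
        effect, used, obligations = "Deny", {}, []
        # Constructed rule: a manager may approve a resource, but separation of
        # duties forbids the same subject approving the same resource twice.
        if "manager" in request["roles"]:
            used = {"role": "manager", "subject": subject}
            if self.approved_by.get(resource) != subject:
                effect = "Permit"
                obligations = ["notify-role:manager"]
        if just_checking:
            # (a) no audit record, (b) no state change, (c) obligations optional
            return Decision(effect, obligations if want_obligations else [], used)
        self.audit_log.append((subject, resource, effect))
        if effect == "Permit":
            self.approved_by.setdefault(resource, subject)
        return Decision(effect, obligations, used)


if __name__ == "__main__":
    pdp = ToyPDP()
    # Constructed request carrying roles that are irrelevant to the decision.
    req = {"subject": "alice", "resource": "payment-17",
           "roles": ["employee", "manager", "first-aider"]}
    print(pdp.evaluate(req, just_checking=True, want_obligations=False))
    print(pdp.evaluate(req))   # real request: logged, SoD state updated
    print(pdp.evaluate(req))   # same subject again: denied by SoD state
    print(pdp.audit_log)
```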