Subject: Re: [xacml-comment] Obligations
I think "non-mandatory" obligations would be a better term and solution. I think only PDP has a well-defined specification in XACML, everything else is a "profile" (including PEP), so adding "non-mandatory" obligations would be a more exact way of defining what you want.

In general, I agree that "non-mandatory" obligations can be useful, e.g. if obligation is "to show/send a non-critical message", but PEP can't do that, the final decision should not be affected by PEP's inability to fulfill the obligation.

I also think your solution might add problems and confusion for the authorization service consumer who will need to implement additional logic related to proposed *biased decisions.

--- On Fri, 6/26/09, Dent A <A.Dent@rhul.ac.uk> wrote:

> From: Dent A <A.Dent@rhul.ac.uk>
> Subject: [xacml-comment] Obligations
> To: xacml-comment@lists.oasis-open.org
> Date: Friday, June 26, 2009, 9:53 AM
>
> Dear List,
>
> Forgive what I’m sure is an obvious question, but I can’t find it in the XACML literature anywhere. If the PDP returns an obligation to the PEP which the PEP can’t process or execute, then we have three possible actions by the PEP depending on the bias. We can classify the actions of the PEP depending on the response returned by the PDP (when the PEP can’t process the obligation) as follows:
>
>                  RESPONSE
>                  PERMIT    DENY
> ====================================
> Base             DENY      PERMIT
> Deny-biased      DENY      DENY
> Permit-biased    PERMIT    PERMIT
>
> Why isn’t there a bias in which the PEP allows access if and only if the PDP allows access, regardless of whether the PEP can discharge the obligation or not? In other words, the PEP allows access if and only if the PDP returns permit. For lack of a better term, this could be termed a “response biased PEP”.
>
> My guess was that since the obligation doesn’t have the power to change the access control decision, it is not considered part of the access control system; however, since such a functionality would allow the policy and the PDP to dynamically generate obligations without changing the access control decision, I would suggest that such functionality is part of the access control system. For example, the policy could state (that perhaps depending on an attribute which defines the number of times a subject had attempted to access a resource) the PEP should send an e-mail alerting the subject or resource owner when access has been allowed or disallowed. This wouldn’t change the access control decision but is still an obligation.
>
> Thoughts?
>
> Alex
>
> ===
> Dr. Alexander W. Dent
> Information Security Group
> Royal Holloway, University of London
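An added example (not code from either poster or from the XACML specification) that models the bias table in the quoted message as a PEP enforcement step, together with the two proposals in this thread: the "response" bias and a per-obligation non-mandatory flag. The `mandatory` field, the obligation ids and the handler registry are assumptions for illustration; only Permit and Deny are modelled, as in the table.

```python
from dataclasses import dataclass, field

# Enforced result when a mandatory obligation cannot be discharged, keyed by
# PEP bias and PDP decision. First three rows: the table in the quoted message.
# "response": the bias proposed there (follow the PDP regardless).
ON_FAILURE = {
    "base":          {"Permit": "Deny",   "Deny": "Permit"},
    "deny-biased":   {"Permit": "Deny",   "Deny": "Deny"},
    "permit-biased": {"Permit": "Permit", "Deny": "Permit"},
    "response":      {"Permit": "Permit", "Deny": "Deny"},
}

@dataclass
class Obligation:
    obligation_id: str
    mandatory: bool = True  # assumed flag modelling the reply's "non-mandatory" idea

@dataclass
class Pep:
    bias: str
    handlers: dict = field(default_factory=dict)  # obligation_id -> callable

    def discharge(self, ob):
        handler = self.handlers.get(ob.obligation_id)
        if handler is None:
            return False              # PEP does not understand this obligation
        try:
            return bool(handler(ob))
        except Exception:
            return False              # understood, but could not be carried out

    def enforce(self, decision, obligations):
        """Return (enforced decision, ids of obligations left undischarged)."""
        failed = [ob for ob in obligations if not self.discharge(ob)]
        blocking = any(ob.mandatory for ob in failed)
        enforced = ON_FAILURE[self.bias][decision] if blocking else decision
        return enforced, [ob.obligation_id for ob in failed]

def compare(decision, obligations):
    """Enforce one PDP response under every bias, using constructed handlers."""
    handlers = {"log-access": lambda ob: True}    # "email-owner" has no handler
    return {bias: Pep(bias, handlers).enforce(decision, obligations)[0]
            for bias in ON_FAILURE}

if __name__ == "__main__":
    for mandatory in (True, False):
        obs = [Obligation("log-access"), Obligation("email-owner", mandatory)]
        for decision in ("Permit", "Deny"):
            print(mandatory, decision, compare(decision, obs))
```

The second element returned by `enforce` lists the undischarged obligations, so a PEP that lets the decision stand can still record what it failed to do.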