

Subject: Re: [xacml-comment] Obligations



I think "non-mandatory" obligations would be a better term and solution. I think only the PDP has a well-defined specification in XACML; everything else is a "profile" (including the PEP), so adding "non-mandatory" obligations would be a more exact way of defining what you want.

In general, I agree that "non-mandatory" obligations can be useful, e.g. if the obligation is "to show/send a non-critical message" but the PEP can't do that, the final decision should not be affected by the PEP's inability to fulfill the obligation.

I also think your solution might add problems and confusion for the authorization service consumer, who will need to implement additional logic related to the proposed *biased decisions.



--- On Fri, 6/26/09, Dent A <A.Dent@rhul.ac.uk> wrote:

> From: Dent A <A.Dent@rhul.ac.uk>
> Subject: [xacml-comment] Obligations
> To: xacml-comment@lists.oasis-open.org
> Date: Friday, June 26, 2009, 9:53 AM
> 
> Dear List, 
>
> Forgive what I’m sure is an obvious question, but I can’t find it in the XACML literature anywhere. If the PDP returns an obligation to the PEP which the PEP can’t process or execute, then we have three possible actions by the PEP depending on the bias. We can classify the actions of the PEP depending on the response returned by the PDP (when the PEP can’t process the obligation) as follows:
>
> 
>                  RESPONSE
>                  PERMIT    DENY
> ====================================
> Base             DENY      PERMIT
> Deny-biased      DENY      DENY
> Permit-biased    PERMIT    PERMIT
>
> 
> Why isn’t there a bias in which the PEP allows access if and only if the PDP allows access, regardless of whether the PEP can discharge the obligation or not? In other words, the PEP allows access if and only if the PDP returns permit. For lack of a better term, this could be termed a “response biased PEP”.
>
> My guess was that since the obligation doesn’t have the power to change the access control decision, it is not considered part of the access control system; however, since such a functionality would allow the policy and the PDP to dynamically generate obligations without changing the access control decision, I would suggest that such functionality is part of the access control system. For example, the policy could state (that perhaps depending on an attribute which defines the number of times a subject had attempted to access a resource) the PEP should send an e-mail alerting the subject or resource owner when access has been allowed or disallowed. This wouldn’t change the access control decision but is still an obligation.
>
> Thoughts?
>
> Alex
>
> ===
> Dr. Alexander W. Dent
> Information Security Group
> Royal Holloway, University of London
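
The bias table from the quoted message, together with the two ideas discussed in this thread (a "response biased PEP" and "non-mandatory" obligations), as an added Python example that is not part of either post or of the XACML specification. The function name, the bias strings, the per-obligation `mandatory` flag and the obligation ids are assumptions made for illustration.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"

# PEP action when an obligation cannot be discharged, copied from the table
# in the quoted message: bias -> {PDP decision -> PEP action}.
UNFULFILLED = {
    "base":          {Decision.PERMIT: Decision.DENY,   Decision.DENY: Decision.PERMIT},
    "deny-biased":   {Decision.PERMIT: Decision.DENY,   Decision.DENY: Decision.DENY},
    "permit-biased": {Decision.PERMIT: Decision.PERMIT, Decision.DENY: Decision.PERMIT},
}

def enforce(decision, obligations, handlers, bias):
    """Return (pep_action, undischarged_ids) for one PDP response.

    obligations: list of (obligation_id, mandatory) pairs. The `mandatory`
        flag is hypothetical; it models the "non-mandatory" idea in the reply.
    handlers: obligation_id -> callable returning True once discharged.
    bias: a key of UNFULFILLED, or "response-biased" (the quoted proposal).
    """
    undischarged, mandatory_failed = [], False
    for ob_id, mandatory in obligations:
        handler = handlers.get(ob_id)       # None: the PEP does not understand it
        try:
            ok = bool(handler and handler())
        except Exception:
            ok = False                      # a failing handler did not discharge it
        if not ok:
            undischarged.append(ob_id)
            mandatory_failed = mandatory_failed or mandatory
    # Response-biased: the PDP decision stands whatever happened to obligations.
    if bias == "response-biased" or not mandatory_failed:
        return decision, undischarged
    return UNFULFILLED[bias][decision], undischarged
```

Returning the undischarged ids lets the caller audit obligations that were skipped, which matters most in the response-biased and non-mandatory cases where a skipped obligation no longer changes the outcome.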




