[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-users] Help on Condition ? <-- Obligations
On Dec 12, 2008, at 9:47 AM, Oleg Gryb wrote: > Yoichi, > > In your reasoning I don't really see a fundamental difference > between "sign an agreement" and "show a reason of denial" > obligations. In the latter case and in my example the "next step" > for the user may be signing up a fee-based agreement for the bill > payment service. The position I have taken on the TC is that we should differentiate between Obligations (Decision + ACTION) and Causality (Decision + INFORMATION). The primary reason for this is that Obligations are becoming overloaded to the point that they are a general mechanism for anything not covered in the spec. There is currently a proposal to push Obligations to the Rule level (to solve some causality Use Cases) which I think will only exacerbate the problem. My proposal therefore, is that we do not extend Obligations to the Rule level and we introduce a mechanism that is specifically intended for cause/advice responses. This doesn't solve my concern with Obligations but it does provide what I feel is a more precise mechanism for dealing with this aspect of the decision response. The counter argument to my approach is that users will not be able to easily differentiate between what it "actionable" and what is "informational" so no additional benefit will be had from adding an explicit causal response mechanism (that is very similar to how Obligations work). For the specific case you have below I would answer that "sign" is a verb which makes this an ACTION. Therefore it would be an Obligation. "Show reason of denial" does not require action by the PEP so it would be an Advice (Cause, whatever we decide to call it :). As an Obligation the Policy Writer should be able to expect that the action will transpire and if not some sort of error condition will occur. The latter will not be bound to an explicit action and subsequent processing may or may not act independently from the original decision request/response. I would be very interested in hearing what the user community thinks of this. thanks b
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]