Re: [xacml-users] Help on Condition ? <-- Obligations

[Oleg Gryb <oleg_gryb@yahoo.com>]

> Also, please note that Oracle, for example, states that
> Obligation is only triggered if the Decision was Permit. 

I think, it's a weak argument. It could mean only that Oracle implementation is not compliant with XACML 2.0:

"FulfillOn [Required]
The effect for which this obligation must be fulfilled by the PEP."

There are other implementations though that do support the spec in this area.

> Also, I think that the use of user account balance (or
> using user Role in Oracle Use Case) AFTER the Permit
> Decision is made by the Policies as Obligation is not
> appropriate.

Yes, after "permit" decision is made it would not have any sense, but it does have perfect sense for "deny" - I don't know what else I could use from XACML 2.0 stack to achieve my business goals.

> 
> Simply the Obligation asking to "oblige" to have
> read the failure message is not that meaningful in this case
> as the Action. Regardless whether the user agreed that he
> has read it or not, it has been already presented and the
> Decision does not change by whether the user has agreed or
> not. Also, if you mean that PEP MUST oblige to present it,
> it is not the Obligation of the user. I don't think that
> there is a mechanism for that (as it must still ask the user
> to agree that he has read it).

Not necessary. Consider the following scenario: 

1. PEP fulfilled the obligation of presenting the deny reason and a new agreement to the user
2. User has signed the new agreement
3. PEP created a new modified request to PDP by incorporating the fact that the new agreement has been signed
4. PDP returned "Permit" for the new request
5. The user got access to the service

The initial decision has not been changed, but additional information entered by the user has been used by PEP to create a new request and for the user it will look like the decision has been changed.

> 
> As Bill was saying, "message" seems to be more
> appropriate place.

Yes,  I think we need to separate a "quantified explicit action", and an "abstract informal message" that can be anything including an expression. The qs that remains is "where to put the message"...

> 
> Yoichi
> 
> 
> 
> --------------------------------------------------------------------------
> Yoichi Takayama, PhD
> Senior Research Fellow
> RAMP Project
> MELCOE (Macquarie E-Learning Centre of Excellence)
> MACQUARIE UNIVERSITY
> 
> Phone: +61 (0)2 9850 9073
> Fax: +61 (0)2 9850 6527
> www.mq.edu.au
> www.melcoe.mq.edu.au/projects/RAMP/
> --------------------------------------------------------------------------
> MACQUARIE UNIVERSITY: CRICOS Provider No 00002J
> 
> This message is intended for the addressee named and may
> contain confidential information.  If you are not the
> intended recipient, please delete it and notify the sender.
> Views expressed in this message are those of the individual
> sender, and are not necessarily the views of Macquarie
> E-Learning Centre Of Excellence (MELCOE) or Macquarie
> University.
> 
> On 12/12/2008, at 1:12 PM, Bill Parducci wrote:
> 
> > 
> > On Dec 12, 2008, at 12:26 PM, Tyson, Paul H wrote:
> >> Isn't "Cause" already addressed by
> PolicyIdentifierList?  I can see two
> >> other plausible instantiations of
> "Cause": 1) a natural-language
> >> explanation for each rule; or 2) a reproduction of
> the logical schema
> >> that implied the decision.  Either of these might
> be useful while
> >> developing or debugging a XACML system, but are
> there good use cases for
> >> a production system?  What would you want a PEP to
> do differently (with
> >> respect to enforcement) if the decision came from
> Rule1 or from Rule2?
> > 
> > The Use Cases that spurred the [re]investigation of
> this functionality were reviewed with the TC as noted here
> (from the 12/4/08 TC minutes):
> > 
> > Mike Beach from Boeing reviewed his authz Use Cases
> > 
> http://projectconcordia.org/images/d/d6/BoeingFineGrainedAuthorization.pdf
> >  (starting at slide 8)
> >  The basis of the talk is the ability of XACML to deal
> with export
> >  licensing using Obligations or is additional
> machinery needed?
> > 
> >> We have a use case that will require logging of
> certain decisions.  We
> >> could get by with logging just certain decisions
> (e.g. "Permit"
> >> decisions from a certain policy), but at this
> point it does not appear
> >> to be a problem to log all decisions. 
> Technically, we can't use
> >> "Obligation" for this because it has no
> bearing on whether the resource
> >> is shown to the user or not.  (That is, if for
> some reason the logging
> >> failed, we wouldn't deny access to the
> resource.)
> >> 
> >> I suggest "Message" instead of
> "Advice", because "Advice" implies at
> >> least a small component of intended behavior for
> the PEP, and that
> >> behavior is outside the scope of XACML. 
> "Message", on the other hand,
> >> is neutral with respect to expected behavior.  It
> would meet everyone's
> >> needs if Message could contain expressions to be
> evaluated within the
> >> decision context, as well as foreign namespace
> elements to describe
> >> anything else the policy writer wants the PDP to
> communicate to the PEP.
> >> That would allow implementors to use
> application-specific contracts
> >> between PDPs and PEPs without mucking up the XACML
> model.
> > 
> > Works for me. We can call it FYI for all I care so
> long as the spec is explicit in what it is used for
> (refreshingly in this case there is absolutely no issue with
> combination beyond blind aggregation :)
> > 
> > thanks
> > 
> > b
> > 
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> xacml-users-unsubscribe@lists.oasis-open.org
> > For additional commands, e-mail:
> xacml-users-help@lists.oasis-open.org
> >