Re: [xacml-users] Help on Condition ? <-- Obligations

[Yoichi Takayama <yoichi@melcoe.mq.edu.au>]

Hi Oleg,

I think that you may be getting it wrong. (Or, I am wrong that is  
totally possible).

PDP has made the Permit or Deny decision already.

Obligation does not change the Decision on PEP which has got the reply  
from the PDP. Policy Decision is PDP matter on the server side, the  
Obligation is PEP matter on the user side, so to speak. (Although Bill  
suggests that now Rules may wrap around Obligations more rightly, that  
may invalidate this statement in terms of Obligation involvement in  
PDP??).

To me it makes sense that it only determines whether it FulFills the  
Decision (of Permit) or not. If the user Obliges, the Permit takes  
effect. If the user declines the Obligation (or negative conditions  
for FullFill are met), the Permit is not FullFiled.

For Deny, nothing should happen. There is no Obligation if the  
Decision was Denied, since there is no Action to be taken. Is this  
changed in 2.0 or 3.0?

If someone Obliges to the Denied Policy Decision, are you going to  
overturn the Policy Decision to Permit? What justification is there  
unless you already considered such conditions in the Policy Decision  
making? (Of course, denying some Action itself is some sort of Action  
logically or philosophically, but I think that that does not apply in  
this case).

By definition, Denied means there is no Action to be taken by the end  
user. Therefore, there is no question about a further Obligation.

Can someone clarify because of the philosophical no-action is an action?

Also, if your business logic is to deny the Action (such as buying  
something) if the user account exceeds and requires the user to sign  
extension agreement, IMO, shouldn't you be doing it as a part of the  
Rule, rather than in Obligation? It can be a part of Policy Set. That  
should make more sense.

As I understand it, the Policy is primarily to allow or deny  
(authorization cross-cutting concern), not to demand users to do  
something. Obligation is a part of it and it is to do with  
authorization. The User License Agreement Use Case is an additional  
authorization, but in this case, user-determined authorization  
condition.

The original Action carried out is still the same. But, in your use  
case, the original Action is expanded to increase the account limit.

I think that there should be some Policy or application logic you  
should ask before (e.g. Is enough of my account limit left to buy  
more?), that may make the application to ask the user to increase the  
account limit first before the user can buy something more.

I think that the Obligation is a bit of black sheep that it may demand  
something of the user or the application, but I take it from the  
"authorization" point of view, not application Action or logic point  
of view.

Yoichi

--------------------------------------------------------------------------
Yoichi Takayama, PhD
Senior Research Fellow
RAMP Project
MELCOE (Macquarie E-Learning Centre of Excellence)
MACQUARIE UNIVERSITY

Phone: +61 (0)2 9850 9073
Fax: +61 (0)2 9850 6527
www.mq.edu.au
www.melcoe.mq.edu.au/projects/RAMP/
--------------------------------------------------------------------------
MACQUARIE UNIVERSITY: CRICOS Provider No 00002J

This message is intended for the addressee named and may contain  
confidential information.  If you are not the intended recipient,  
please delete it and notify the sender. Views expressed in this  
message are those of the individual sender, and are not necessarily  
the views of Macquarie E-Learning Centre Of Excellence (MELCOE) or  
Macquarie University.

On 12/12/2008, at 4:03 PM, Oleg Gryb wrote:

>> Also, please note that Oracle, for example, states that
>> Obligation is only triggered if the Decision was Permit.
>
> I think, it's a weak argument. It could mean only that Oracle  
> implementation is not compliant with XACML 2.0:
>
> "FulfillOn [Required]
> The effect for which this obligation must be fulfilled by the PEP."
>
> There are other implementations though that do support the spec in  
> this area.
>
>> Also, I think that the use of user account balance (or
>> using user Role in Oracle Use Case) AFTER the Permit
>> Decision is made by the Policies as Obligation is not
>> appropriate.
>
> Yes, after "permit" decision is made it would not have any sense,  
> but it does have perfect sense for "deny" - I don't know what else I  
> could use from XACML 2.0 stack to achieve my business goals.
>
>>
>> Simply the Obligation asking to "oblige" to have
>> read the failure message is not that meaningful in this case
>> as the Action. Regardless whether the user agreed that he
>> has read it or not, it has been already presented and the
>> Decision does not change by whether the user has agreed or
>> not. Also, if you mean that PEP MUST oblige to present it,
>> it is not the Obligation of the user. I don't think that
>> there is a mechanism for that (as it must still ask the user
>> to agree that he has read it).
>
> Not necessary. Consider the following scenario:
>
> 1. PEP fulfilled the obligation of presenting the deny reason and a  
> new agreement to the user
> 2. User has signed the new agreement
> 3. PEP created a new modified request to PDP by incorporating the  
> fact that the new agreement has been signed
> 4. PDP returned "Permit" for the new request
> 5. The user got access to the service
>
> The initial decision has not been changed, but additional  
> information entered by the user has been used by PEP to create a new  
> request and for the user it will look like the decision has been  
> changed.
>
>>
>> As Bill was saying, "message" seems to be more
>> appropriate place.
>
> Yes,  I think we need to separate a "quantified explicit action",  
> and an "abstract informal message" that can be anything including an  
> expression. The qs that remains is "where to put the message"...
>
>>
>> Yoichi
>>
>>
>>
>> --------------------------------------------------------------------------
>> Yoichi Takayama, PhD
>> Senior Research Fellow
>> RAMP Project
>> MELCOE (Macquarie E-Learning Centre of Excellence)
>> MACQUARIE UNIVERSITY
>>
>> Phone: +61 (0)2 9850 9073
>> Fax: +61 (0)2 9850 6527
>> www.mq.edu.au
>> www.melcoe.mq.edu.au/projects/RAMP/
>> --------------------------------------------------------------------------
>> MACQUARIE UNIVERSITY: CRICOS Provider No 00002J
>>
>> This message is intended for the addressee named and may
>> contain confidential information.  If you are not the
>> intended recipient, please delete it and notify the sender.
>> Views expressed in this message are those of the individual
>> sender, and are not necessarily the views of Macquarie
>> E-Learning Centre Of Excellence (MELCOE) or Macquarie
>> University.
>>
>> On 12/12/2008, at 1:12 PM, Bill Parducci wrote:
>>
>>>
>>> On Dec 12, 2008, at 12:26 PM, Tyson, Paul H wrote:
>>>> Isn't "Cause" already addressed by
>> PolicyIdentifierList?  I can see two
>>>> other plausible instantiations of
>> "Cause": 1) a natural-language
>>>> explanation for each rule; or 2) a reproduction of
>> the logical schema
>>>> that implied the decision.  Either of these might
>> be useful while
>>>> developing or debugging a XACML system, but are
>> there good use cases for
>>>> a production system?  What would you want a PEP to
>> do differently (with
>>>> respect to enforcement) if the decision came from
>> Rule1 or from Rule2?
>>>
>>> The Use Cases that spurred the [re]investigation of
>> this functionality were reviewed with the TC as noted here
>> (from the 12/4/08 TC minutes):
>>>
>>> Mike Beach from Boeing reviewed his authz Use Cases
>>>
>> http://projectconcordia.org/images/d/d6/BoeingFineGrainedAuthorization.pdf
>>> (starting at slide 8)
>>> The basis of the talk is the ability of XACML to deal
>> with export
>>> licensing using Obligations or is additional
>> machinery needed?
>>>
>>>> We have a use case that will require logging of
>> certain decisions.  We
>>>> could get by with logging just certain decisions
>> (e.g. "Permit"
>>>> decisions from a certain policy), but at this
>> point it does not appear
>>>> to be a problem to log all decisions.
>> Technically, we can't use
>>>> "Obligation" for this because it has no
>> bearing on whether the resource
>>>> is shown to the user or not.  (That is, if for
>> some reason the logging
>>>> failed, we wouldn't deny access to the
>> resource.)
>>>>
>>>> I suggest "Message" instead of
>> "Advice", because "Advice" implies at
>>>> least a small component of intended behavior for
>> the PEP, and that
>>>> behavior is outside the scope of XACML.
>> "Message", on the other hand,
>>>> is neutral with respect to expected behavior.  It
>> would meet everyone's
>>>> needs if Message could contain expressions to be
>> evaluated within the
>>>> decision context, as well as foreign namespace
>> elements to describe
>>>> anything else the policy writer wants the PDP to
>> communicate to the PEP.
>>>> That would allow implementors to use
>> application-specific contracts
>>>> between PDPs and PEPs without mucking up the XACML
>> model.
>>>
>>> Works for me. We can call it FYI for all I care so
>> long as the spec is explicit in what it is used for
>> (refreshingly in this case there is absolutely no issue with
>> combination beyond blind aggregation :)
>>>
>>> thanks
>>>
>>> b
>>>
>>>
>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail:
>> xacml-users-unsubscribe@lists.oasis-open.org
>>> For additional commands, e-mail:
>> xacml-users-help@lists.oasis-open.org
>>>
>
>
>

smime.p7s