OASIS Mailing List Archives

xacml message


Subject: Re: [xacml] Is authorization decision a postcondition?


Hal wrote:
> It just occurred to me that there is a substantive question related to this.
> Currently, a policy conflict occurs when you have 2 or more rules and they
> get different answers. Presumably this means how you decide to allow or not
> allow access. But what about the various post conditions associated with the
> rules? How does the PDP decide which post conditions should occur?

I think this is where we are hurt by not having a VM model for policy
evaluation --- or, in another view, not having a model for the relationship
between walking the tree and executing nodal behaviors (here, policies with
post-conditions). In other words, the operational lifecycle of the node...

In one view, there should be a prioritization of the evaluation of policies that
hook nodal operations. This is extremely important, since a post-condition could
cause the short-circuiting of parsing of the sub-tree under a particular node;
one would therefore want higher-priority policies to evaluate before lower
priority. Also, if certain policies set attributes that affect the outcome of
other policies, one would want those to be of higher priority.

Some document processing models (e.g. Multivalent Documents [Phelps]) have a
notion of "before" and "after" sequencing of nodal operations, with high
priority behaviors having the "first and last words."

| John S. Erickson, Ph.D.
| Hewlett-Packard Laboratories
| PO Box 1158, Norwich, Vermont USA 05055
| 802-649-1683 (vox) 802-371-9796 (cell) 802-649-1695 (fax)
| john_erickson@hpl.hp.com         AIM/YIM/MSN: olyerickson
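
An added illustration of the ordering concern in the message above; it is not part of the original post and not an algorithm defined by XACML. It is a toy tree walk in which one policy's post-condition sets an attribute that another policy reads, and a post-condition can short-circuit the sub-tree. The names `Policy`, `Node`, `walk`, the "larger priority runs first" convention and the sample tree are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Policy:
    name: str
    priority: int                                  # assumed: larger value evaluates first
    rule: Callable[[dict], Optional[str]]          # "Permit", "Deny", or None if not applicable
    post: Optional[Callable[[dict], bool]] = None  # post-condition; True = skip the sub-tree

@dataclass
class Node:
    name: str
    policies: list = field(default_factory=list)
    children: list = field(default_factory=list)

def walk(node, attrs, trace, by_priority=True):
    """Evaluate a node's policies, then its children unless a post-condition short-circuits."""
    order = sorted(node.policies, key=lambda p: -p.priority) if by_priority else node.policies
    for p in order:
        decision = p.rule(attrs)
        trace.append((node.name, p.name, decision))
        # A post-condition only fires for a policy that actually applied.
        if decision is not None and p.post and p.post(attrs):
            return trace            # cut off the rest of this node and its sub-tree
    for child in node.children:
        walk(child, attrs, trace, by_priority)
    return trace

def quarantine(attrs):
    attrs["quarantined"] = True     # attribute that a later policy depends on
    return False                    # does not short-circuit by itself

def build():
    # Constructed sample tree: "tag" must run before "gate" for "gate" to see the attribute.
    tag = Policy("tag", 10, lambda a: "Deny" if a["role"] == "guest" else None, quarantine)
    gate = Policy("gate", 5, lambda a: "Deny" if a.get("quarantined") else "Permit",
                  lambda a: a.get("quarantined", False))
    leaf = Policy("leaf", 1, lambda a: "Permit")
    return Node("root", [gate, tag], [Node("child", [leaf])])  # declared out of priority order

def run(by_priority):
    return walk(build(), {"role": "guest"}, [], by_priority)
```

With priority ordering, both root policies return Deny and the child node is never visited; in declaration order, `gate` permits before `tag` has set the attribute, the two root policies conflict, and the sub-tree is walked.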


