Subject: RE: [xacml] Is authorization decision a postcondition?


I hadn't thought about that one. What you say is logical, but I suspect people will find it unintuitive and perhaps unacceptable. This postcondition stuff is a minefield. I need to think about this more.
 
Hal
-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Friday, November 30, 2001 8:42 AM
To: 'xacml@lists.oasis-open.org'
Subject: RE: [xacml] Is authorization decision a postcondition?

Hal - My view is that the PDP won't necessarily evaluate all rules.  If it determines that the policy evaluates to true regardless of the condition of some (as yet) unevaluated rules, then it should go ahead and return a "permit" status code.  All post conditions associated with rules that were required to evaluate "true" for the policy to evaluate "true" must be executed.
 
All the best.  Tim.
 

-----------------------------------------
Tim Moses
Tel: 613.270.3183

 
-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Thursday, November 29, 2001 3:43 PM
To: Hal Lockhart; 'xacml@lists.oasis-open.org'
Subject: RE: [xacml] Is authorization decision a postcondition?

It just occurred to me that there is a substantive question related to this. Currently, a policy conflict occurs when you have 2 or more rules and they get different answers. Presumably this means how you decide to allow or not allow access. But what about the various post conditions associated with the rules? How does the PDP decide which post conditions should occur?

The simplest scheme is that if the conflict is resolved to true, then all the post conditions that are associated with rules that evaluate to true must occur and those associated with rules that evaluate to false are not required to occur. But is this the right answer?

Hal

> We need to decide as a matter of terminology, whether the
> decision to allow or prohibit access is considered one of the
> post conditions (presumably mandatory) or is it considered a
> separate thing? Personally I don't feel strongly either way,
> but I would like to be clear on what is meant when the term
> post conditions is used.
>
> Hal
>
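
The two readings discussed in this thread, side by side, as an added example that is not part of the original messages: evaluating every rule and collecting the post conditions of all true rules, versus stopping as soon as the policy outcome is fixed. It assumes a "permit if any rule is true" combiner; the rule names, request attributes and post-condition labels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    name: str
    condition: Callable[[Dict[str, str]], bool]
    post_conditions: List[str]


def evaluate_all(rules: List[Rule], request: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Simplest scheme: evaluate every rule; on permit, the post conditions
    of every rule that evaluated true must occur."""
    results = [(rule, rule.condition(request)) for rule in rules]
    permit = any(ok for _, ok in results)  # assumed combiner: any true rule permits
    due = [p for rule, ok in results if ok for p in rule.post_conditions]
    return permit, due


def evaluate_short_circuit(rules: List[Rule], request: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Short-circuit view: stop once the outcome is fixed; only the rule that
    had to be true for the permit contributes post conditions."""
    for rule in rules:
        if rule.condition(request):
            return True, list(rule.post_conditions)
    return False, []


# Constructed sample policy and request (not from the thread).
RULES = [
    Rule("owner", lambda r: r["subject"] == r["owner"], ["log-access"]),
    Rule("clinician", lambda r: r["role"] == "clinician", ["notify-patient"]),
]
REQUEST = {"subject": "alice", "owner": "alice", "role": "clinician"}

if __name__ == "__main__":
    print(evaluate_all(RULES, REQUEST))                 # both post conditions
    print(evaluate_short_circuit(RULES, REQUEST))       # only the first true rule's
    print(evaluate_short_circuit(RULES[::-1], REQUEST)) # changes with rule order
```

Under the assumed combiner, the short-circuit result depends on rule order, while the set of post conditions from evaluating every rule does not.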


