OASIS Mailing List Archives
xacml message

Subject: RE: [xacml] [policy-model] A Proposal



Tim - I understand that both the deny_condition under the <not> element and the
<deny> element mean the same. But in some cases, it would be more
important to specify the denial rule more explicitly, in order to
facilitate readability of the policy rules mainly for the human policy
writers. Moreover I think that all SC members have agreed to the usefulness
of the denial rule after the long discussion. When people need to specify
denial rules, it would be nice to specify explicitly the "grant" semantic
basis in terms of exact specification. Considering the wide range of XACML
applications that the use case summary shows, I would prefer to specify
"grant" (or something like that) explicitly. I think this is consistent
with the ongoing policy model discussion.

Another aspect is that XACML users may want to extend the XACML semantic
basis according to their own policy definition. I think that Pierangela's
"only_if" semantic basis is one good example. Other people might think of
another definition. My extensibility proposal also aims at these issues.

best regards,
Michiharu Kudo


From: Tim Moses <tim.moses@entrust.com> on 2001/12/04 04:19

Please respond to Tim Moses <tim.moses@entrust.com>

To:   xacml <xacml@lists.oasis-open.org>
cc:
Subject:  RE: [xacml] [policy-model] A Proposal





Michiharu - Thanks for this proposal on extensibility.  I suspect that we
will delay discussion of extensibility points until the model is settled.
However, it will become important at that time.

In the model, as currently described, we do not include separate elements
for "grant" and "deny".  Instead, the "deny" semantics are provided by
"and" and "not" ...

<and>
  <predicate>grant_condition</predicate>
  <not>
    <predicate>deny_condition</predicate>
  </not>
</and>

With this approach, no explicit grant element is required: if the
applicable policy evaluates TRUE, then the PDP may return the saml "permit"
status code.

All the best.  Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183
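The following is an added example, not code from this thread or from any OASIS XACML draft. It evaluates the <and>/<not>/<predicate> tree Tim describes above against a request context, and compares it with the explicit "deny rule first" form Michiharu asks for, so the reader can see that the two write the same decision function. The operator table is kept as a table to show where Michiharu's extensibility point would sit; no extra operator is defined because the thread specifies none. The tree encoding, the request attributes, the two condition functions and the mapping of a FALSE result to "Deny" are all assumptions made for this illustration (Tim's message only fixes the TRUE case).

```python
# Added example, not code from the XACML thread or from any OASIS draft.
# It evaluates the <and>/<not>/<predicate> tree from Tim Moses' message and
# checks it against the explicit grant/deny form Michiharu Kudo asks for.
# The tree encoding, the request attributes and both condition functions
# are assumptions made for this illustration.
from typing import Any, Callable, Dict, Tuple

Request = Dict[str, Any]
Predicate = Callable[[Request], bool]
Node = Tuple[Any, ...]   # ("predicate", fn) | ("not", node) | ("and", node, ...)

# Operator table keyed by node kind. Keeping it as a table is the
# extensibility point: a deployment can register further kinds without
# touching evaluate(). No concrete extra operator is defined here, since
# the thread does not specify one.
OPERATORS: Dict[str, Callable[..., bool]] = {
    "predicate": lambda req, fn: bool(fn(req)),
    "not": lambda req, child: not evaluate(child, req),
    "and": lambda req, *children: all(evaluate(c, req) for c in children),
}

def evaluate(node: Node, request: Request) -> bool:
    """Evaluate a policy tree against one request context."""
    kind, *args = node
    try:
        op = OPERATORS[kind]
    except KeyError:
        raise ValueError(f"unknown node kind: {kind!r}") from None
    return op(request, *args)

def decide(policy: Node, request: Request) -> str:
    """PDP result: TRUE -> "Permit", as in the message. Mapping FALSE to
    "Deny" is a simplification assumed here; the message only fixes the
    TRUE case."""
    return "Permit" if evaluate(policy, request) else "Deny"

# Constructed conditions (assumed): a doctor may read records, except a
# record whose owner is the requesting subject.
def grant_condition(req: Request) -> bool:
    return req.get("role") == "doctor" and req.get("action") == "read"

def deny_condition(req: Request) -> bool:
    return req.get("subject") == req.get("record_owner")

# The tree from the message:
#   <and><predicate>grant</predicate><not><predicate>deny</predicate></not></and>
POLICY: Node = (
    "and",
    ("predicate", grant_condition),
    ("not", ("predicate", deny_condition)),
)

def decide_explicit(request: Request) -> str:
    """Same semantics written with an explicit deny rule: the denial is
    checked first, so a deny always wins over a grant."""
    if deny_condition(request):
        return "Deny"
    return "Permit" if grant_condition(request) else "Deny"

# Constructed requests covering grant-only, deny-overrides and neither.
REQUESTS = [
    {"role": "doctor", "action": "read",  "subject": "alice", "record_owner": "bob"},
    {"role": "doctor", "action": "read",  "subject": "alice", "record_owner": "alice"},
    {"role": "nurse",  "action": "read",  "subject": "carol", "record_owner": "bob"},
    {"role": "doctor", "action": "write", "subject": "alice", "record_owner": "bob"},
]

def forms_agree(requests=REQUESTS) -> bool:
    """True when the and/not tree and the explicit deny rule decide alike."""
    return all(decide(POLICY, r) == decide_explicit(r) for r in requests)

if __name__ == "__main__":
    for r in REQUESTS:
        print(decide(POLICY, r), decide_explicit(r), r)
    print("forms agree:", forms_agree())
```

Running the block prints one line per constructed request; the second request (subject reading their own record) is the one where the deny condition overrides a satisfied grant condition, which is exactly the case the <not> wrapper exists for.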

-----Original Message-----
From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
Sent: Monday, December 03, 2001 7:24 AM
To: xacml
Subject: [xacml] [policy-model] A Proposal

I drew a picture about the desirable extensibility of XACML policy model
based on the currently proposed XACML language document.

(See attached file: ModelProposal.ppt)
(See attached file: ModelProposal.pdf)

Best regards,
Michiharu Kudo





