Subject: RE: [xacml] [policy-model] A Proposal
Tim - I understand that both the deny_condition under a <not> element and the <deny> element mean the same thing. But in some cases it would be more important to specify the denial rule more explicitly, in order to facilitate readability of the policy rules, mainly for the human policy writers. Moreover, I think that all SC members have agreed to the usefulness of the denial rule after the long discussion. When people need to specify denial rules, it would be nice to specify the "grant" semantic basis explicitly in terms of exact specification. Considering the wide range of XACML applications that the use case summary shows, I would prefer to specify "grant" (or something like that) explicitly. I think this is consistent with the ongoing policy model discussion.

Another aspect is that XACML users may want to extend the XACML semantic basis according to their own policy definition. I think that Pierangela's "only_if" semantic basis is one good example. Other people might think of another definition. My extensibility proposal also aims at these issues.

best regards,
Michiharu Kudo

From: Tim Moses <tim.moses@entrust.com> on 2001/12/04 04:19
Please respond to Tim Moses <tim.moses@entrust.com>
To: xacml <xacml@lists.oasis-open.org>
cc:
Subject: RE: [xacml] [policy-model] A Proposal

Michiharu - Thanks for this proposal on extensibility. I suspect that we will delay discussion of extensibility points until the model is settled. However, it will become important at that time.

In the model, as currently described, we do not include separate elements for "grant" and "deny". Instead, the "deny" semantics are provided by "and" and "not" ...

    <and>
      <predicate>grant_condition</predicate>
      <not>
        <predicate>deny_condition</predicate>
      </not>
    </and>

With this approach, no explicit grant element is required: if the applicable policy evaluates TRUE, then the PDP may return the SAML "permit" status code.

All the best. Tim.
-----------------------------------------
Tim Moses
Tel: 613.270.3183

-----Original Message-----
From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
Sent: Monday, December 03, 2001 7:24 AM
To: xacml
Subject: [xacml] [policy-model] A Proposal

I drew a picture about the desirable extensibility of the XACML policy model based on the currently proposed XACML language document.

(See attached file: ModelProposal.ppt) (See attached file: ModelProposal.pdf)

Best regards,
Michiharu Kudo
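The two encodings under discussion, as an added example that is not part of the thread or of any XACML TC document: a minimal evaluator for the <and>/<not>/<predicate> tree in Tim's message, and beside it the explicit grant-rule/deny-rule form Michiharu argues for, with a check that the two agree over a small request space. The predicates (a role check and a "may not read your own record" condition), the request attributes, and the mapping of a policy that evaluates FALSE to a "deny" decision are all assumptions made for the illustration; the messages only say that TRUE lets the PDP return "permit".

```python
# Added example for this thread, not TC or list-member code.
# Assumptions: predicate contents, request attribute names, and that a
# policy evaluating FALSE yields "deny" (the thread only defines the TRUE case).
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Union

Context = Dict[str, str]  # the request context the PDP evaluates against


@dataclass
class Predicate:
    """Leaf node: a named boolean test over the request context."""
    name: str
    test: Callable[[Context], bool]

    def evaluate(self, ctx: Context) -> bool:
        return bool(self.test(ctx))


@dataclass
class Not:
    """<not> ... </not>: negate the single child."""
    child: "Node"

    def evaluate(self, ctx: Context) -> bool:
        return not self.child.evaluate(ctx)


@dataclass
class And:
    """<and> ... </and>: TRUE only if every child is TRUE."""
    children: List["Node"]

    def evaluate(self, ctx: Context) -> bool:
        # Evaluate every child rather than short-circuiting, so a broken
        # predicate raises instead of being masked by an earlier FALSE.
        results = [child.evaluate(ctx) for child in self.children]
        return all(results)


Node = Union[Predicate, Not, And]


def pdp_decide(policy: Node, ctx: Context) -> str:
    """Tim's model: the applicable policy evaluates TRUE -> 'permit'.
    Returning 'deny' on FALSE is an assumption of this example."""
    return "permit" if policy.evaluate(ctx) else "deny"


def rules_decide(grant_rules: List[Predicate],
                 deny_rules: List[Predicate], ctx: Context) -> str:
    """Explicit form: separate grant and deny rules, deny taking precedence.
    Any applicable deny rule wins; otherwise permit iff a grant rule applies;
    with no applicable rule the (assumed) default is deny."""
    if any(rule.evaluate(ctx) for rule in deny_rules):
        return "deny"
    if any(rule.evaluate(ctx) for rule in grant_rules):
        return "permit"
    return "deny"


# Constructed sample conditions (assumed for illustration only).
grant_condition = Predicate("grant_condition",
                            lambda c: c["role"] in ("doctor", "nurse"))
deny_condition = Predicate("deny_condition",
                           lambda c: c["subject"] == c["record_owner"])

# The tree from Tim's message:
# <and><predicate>grant_condition</predicate>
#      <not><predicate>deny_condition</predicate></not></and>
combined_policy = And([grant_condition, Not(deny_condition)])


def decisions_agree() -> bool:
    """Both encodings give the same decision over a small constructed request space."""
    subjects = ("alice", "bob")
    for role, subject, owner in product(("doctor", "nurse", "clerk"), subjects, subjects):
        ctx = {"role": role, "subject": subject, "record_owner": owner}
        if pdp_decide(combined_policy, ctx) != rules_decide(
                [grant_condition], [deny_condition], ctx):
            return False
    return True


if __name__ == "__main__":
    sample = {"role": "doctor", "subject": "alice", "record_owner": "bob"}
    print(pdp_decide(combined_policy, sample), decisions_agree())
```

The equivalence holds because a single grant rule and a deny-overrides combination is exactly `and(grant, not(deny))`; the explicit form only starts to differ from the nested tree once several grant rules are combined (where `rules_decide` reads as an OR over grants), which is where readability for a human policy writer, rather than expressive power, becomes the argument.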