OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: [xacml] [policy-model] A Proposal


Title: RE: [xacml] [policy-model] A Proposal
I think this is the kind of thing that cannot be argued in the abstract. A complete set of boolean operators can in principle, express any possible policy. However, it is possible that a particular scheme will make it very awkward to express common sorts of policies.
 
What we need is short example proposals of a possible expression and its semantics, along with examples of policies hard to express in alternative schemes. Bill did something of this sort a couple of weeks ago, but I would have liked to see the intended semantics stated more explicitly.
 
Hal
-----Original Message-----
From: Simon Godik [mailto:sgodik@crosslogix.com]
Sent: Thursday, December 06, 2001 5:54 PM
To: 'Tim Moses'; xacml
Subject: RE: [xacml] [policy-model] A Proposal

Tim,
I think that 'not' does not substitute for 'deny'. From my point of view 'not' is just a logical operation.
You can have 'not' condition in the grant statement and it may or may not fire. If 'not' something evaluates to false
you do not get a 'grant'. 'Deny' on the other hand has implications for role hierarchies and also can have 'not' conditions imbedded
in it. I agree with Michiharu that it is better to have explicit 'grant' and 'deny' (or some variation thereof)
 
Simon G.
-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Monday, December 03, 2001 11:20 AM
To: xacml
Subject: RE: [xacml] [policy-model] A Proposal

Michiharu - Thanks for this proposal on extensibility.  I suspect that we will delay discussion of extensibility points until the model is settled.  However, it will become important at that time.

In the model, as currently described, we do not include separate elements for "grant" and "deny".  Instead, the "deny" semantics are provided by "and" and "not" ...

<and>
<predicate>grant_condition</predicate>
<not>
<predicate>deny_condition></predicate>
</not>
</and>

With this approach, no explicit grant element is required: if the applicable policy evaluates TRUE, then the PDP may return the saml "permit" status code.

All the best.  Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183


-----Original Message-----
From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
Sent: Monday, December 03, 2001 7:24 AM
To: xacml
Subject: [xacml] [policy-model] A Proposal


I drew a picture about the desirable extensibility of XACML policy model
based on the currently proposed XACML language document.

(See attached file: ModelProposal.ppt)(See attached file:
ModelProposal.pdf)

Best regards,
Michiharu Kudo



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC