[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [xacml] [policy-model] A Proposal
-----------------------------------------
Tim Moses
Tel:
613.270.3183
-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Friday, December 07, 2001 9:24 AM
To: 'Simon Godik'; 'Tim Moses'; xacml
Subject: RE: [xacml] [policy-model] A ProposalI think this is the kind of thing that cannot be argued in the abstract. A complete set of boolean operators can in principle, express any possible policy. However, it is possible that a particular scheme will make it very awkward to express common sorts of policies.What we need is short example proposals of a possible expression and its semantics, along with examples of policies hard to express in alternative schemes. Bill did something of this sort a couple of weeks ago, but I would have liked to see the intended semantics stated more explicitly.Hal-----Original Message-----
From: Simon Godik [mailto:sgodik@crosslogix.com]
Sent: Thursday, December 06, 2001 5:54 PM
To: 'Tim Moses'; xacml
Subject: RE: [xacml] [policy-model] A ProposalTim,I think that 'not' does not substitute for 'deny'. From my point of view 'not' is just a logical operation.You can have 'not' condition in the grant statement and it may or may not fire. If 'not' something evaluates to falseyou do not get a 'grant'. 'Deny' on the other hand has implications for role hierarchies and also can have 'not' conditions imbeddedin it. I agree with Michiharu that it is better to have explicit 'grant' and 'deny' (or some variation thereof)Simon G.-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Monday, December 03, 2001 11:20 AM
To: xacml
Subject: RE: [xacml] [policy-model] A ProposalMichiharu - Thanks for this proposal on extensibility. I suspect that we will delay discussion of extensibility points until the model is settled. However, it will become important at that time.
In the model, as currently described, we do not include separate elements for "grant" and "deny". Instead, the "deny" semantics are provided by "and" and "not" ...
<and>
<predicate>grant_condition</predicate>
<not>
<predicate>deny_condition></predicate>
</not>
</and>With this approach, no explicit grant element is required: if the applicable policy evaluates TRUE, then the PDP may return the saml "permit" status code.
All the best. Tim.
-----------------------------------------
Tim Moses
Tel: 613.270.3183
-----Original Message-----
From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
Sent: Monday, December 03, 2001 7:24 AM
To: xacml
Subject: [xacml] [policy-model] A Proposal
I drew a picture about the desirable extensibility of XACML policy model
based on the currently proposed XACML language document.(See attached file: ModelProposal.ppt)(See attached file:
ModelProposal.pdf)Best regards,
Michiharu Kudo
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC