

Subject: Re: [xacml] XACML Issues List Version 01


On Thu, 10 Jan 2002, Pierangela Samarati wrote:

> Hi,
>
> > I too would like to see actions in this context.
>
> in today's TC concall, some people mentioned that "action" is already used
> with different semantics (=the operation the principal is requesting).
> that's true, so we should find another term.

Probably, but I would really like to understand the nature of this beast.

> the point is, however, that the semantics of "postconditions" now seems
> really to be a reaction of the system, not the evaluation of a state, so
> terminology should reflect the semantics.

Well, I had originally thought that a "post-condition" would be something
that would be true if the policy evaluated to true according to its input.
That is, a "post-condition" should be a logical consequence, but maybe not
fully derivable by all available information. This post-condition would
merely be some advice to the evaluator.

Such as Policy stating that:
	Subject is in Role of MissileLauncher to the
	Resource of Missile on Action Launch.
Post-condition
	Subject is dangerous.

> > However, I have a question. What is the purpose for actions (i.e.  these
> > post conditions) after checking a policy? What types of actions are
> > allowed?
>
> examples that were brought up for post-conditions were things like
> "logging the request", essentially they are actions that the system
> executes in response to granting an access, or simply having evaluated
> the authorizations (discussion on the specific behavior is still
> open).
>
> > Do they change the state of the policy?
>
> if you mean the set of rules i guess the answer is no (they should not
> change the rules). but again, post-conditions are one of the issues
> which have not been discussed fully.

Hmmmm, I really don't like the fact that these post conditions mandate
that some generic operation be performed, i.e. it could be used to alter
state, especially the state of the policy. I guess we should discuss this
further?

-Polar

> best
> -p