
Subject: RE: [xacml] on postconditions

I clearly remember that the sense of the group was that the PDP MUST ensure that an internal post condition occurs, but not necessarily before the permit decision is returned. Post conditions were never considered optional. They are just as required for "permit" as pre-conditions are. That was the rationale for the name.
 
Hal
-----Original Message-----
From: Simon Godik [mailto:sgodik@crosslogix.com]
Sent: Monday, January 14, 2002 2:33 PM
To: 'John Erickson'; xacml@lists.oasis-open.org
Subject: RE: [xacml] on postconditions

John,

The way I remember post-conditions discussions is that the outcome of
an internal post-condition does not affect the outcome of the azn decision,
i.e., first grant (or deny) is computed and then the internal post-condition
is executed. If, for example, the PDP fails to add a record
to the log it still returns the computed outcome (grant or deny) to the PEP.

So the internal post-condition may not be successfully executed by the PDP.

Simon

-----Original Message-----
From: John Erickson [mailto:john_erickson@hplb.hpl.hp.com]
Sent: Monday, January 14, 2002 11:14 AM
To: xacml@lists.oasis-open.org
Subject: Re: [xacml] on postconditions


Simon writes:
> Post-condition is executed after the rule fires and does not affect
> grant/deny outcome of the rule.

I thought this was only true of *external* post-conditions? I thought that an
internal post-condition must be executed (by the PDP) BEFORE the response is
asserted, and therefore does affect the outcome...

The spec sez:
"...Post-condition - A process specified in a rule that must be completed in
conjunction with access. There are two types of post-condition: an internal
post-condition must be executed by the PDP prior to the issuance of a "permit"
response, and an external post-condition must be executed by the PEP prior to
permitting access..."

I'm assuming that the "musts" here imply that the required actions are
successfully executed. Is this not the case?

| John S. Erickson, Ph.D.
| Hewlett-Packard Laboratories
| PO Box 1158, Norwich, Vermont USA 05055
| 802-649-1683 (vox) 802-371-9796 (cell) 802-649-1695 (fax)
| john_erickson@hpl.hp.com         AIM/YIM/MSN: olyerickson
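
The three readings of "internal post-condition" in this thread, side by side, as an added example that is not part of any message or of the XACML specification. The names `decide`, `Reading` and `failing_audit_write` are hypothetical; denying when the post-condition fails under the quoted spec text, and using a retry queue for Hal's reading, are assumptions made for illustration.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"

class Reading(Enum):
    BEFORE_PERMIT = "spec text quoted by John"
    BEST_EFFORT = "Simon's recollection"
    REQUIRED_DEFERRED = "Hal's recollection"

def decide(rule_outcome, post_condition, reading, pending):
    """Return the decision the PDP sends to the PEP under one reading.

    post_condition: zero-argument callable that raises on failure.
    pending: list of post-conditions the PDP still owes (hypothetical).
    """
    if reading is Reading.BEFORE_PERMIT:
        # Post-condition must complete before a "permit" is issued.
        if rule_outcome is Decision.PERMIT:
            try:
                post_condition()
            except Exception:
                return Decision.DENY  # assumption: fail closed
        return rule_outcome

    if reading is Reading.BEST_EFFORT:
        # Decision is computed first; a failed post-condition is ignored.
        try:
            post_condition()
        except Exception:
            pass
        return rule_outcome

    # REQUIRED_DEFERRED: permit may be returned first, but the
    # post-condition stays owed until it succeeds.
    if rule_outcome is Decision.PERMIT:
        try:
            post_condition()
        except Exception:
            pending.append(post_condition)  # assumption: retry later
    return rule_outcome

def failing_audit_write():
    # Constructed failure: the log record cannot be added.
    raise OSError("audit log unavailable")
```

With a failing log write, only the first reading changes what the PEP sees; the third returns "permit" but leaves an outstanding obligation that an operator should monitor.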
