Subject: Re: [xacml] [model] Proposal of Post Condition




Anne wrote:

>I think I agree with Bill's position on this: the PDP should be
>just an evaluation engine.  It can not be held responsible for
>enforcing any actions as a result of the evaluation.  Post
>conditions, if we use them, should just be values that are
>returned to the PEP and are meaningful only to the PEP.  It is up
>to the PEP to enforce them.

That's just what I was thinking. XACML should define the specification of
the policy evaluation engine.

For the log operation, I think that it can be divided into two categories.
One is the PDP-level logging you mentioned. When the PDP is configured to
support PDP-level logging, every access request and access decision might be
logged. This is similar to the system log function in the UNIX operating
system. I think this is outside the scope of XACML.  The other one is
policy-level logging using the "log" post-condition. The policy writer can
decide when and how the access is logged (the logging operation is enforced
by the PEP in this case). For example, a policy writer may need to check only
write access requests on a specific resource requested in a certain time
period. Then this is a kind of application-level access control policy
rather than a system-level access control policy. In this case, the XACML
post-condition can support this.

Best regards,
Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
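A small Python sketch of the division of labour argued for in this thread, added here as an illustration and not code from the XACML TC or any XACML implementation: the PDP only evaluates and returns a decision plus any post-conditions, and the PEP alone decides whether to grant access and carries out the "log" post-condition, here for write requests on one resource inside a time window. The subject list, resource name, hours and the shape of the obligation record are made-up values.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class Request:
    subject: str
    resource: str
    action: str
    at: str  # ISO 8601 timestamp of the request, e.g. "2002-02-15T10:30:00"

@dataclass
class Decision:
    effect: str  # "Permit" or "Deny"
    obligations: list = field(default_factory=list)  # post-conditions: returned, never enforced here

# Constructed policy values (hypothetical): permitted subjects, and which writes the policy logs.
ALLOWED_SUBJECTS = {"alice", "bob"}
AUDITED_RESOURCE = "/payroll/ledger"
AUDIT_WINDOW = (time(9, 0), time(17, 0))

def pdp_evaluate(req: Request) -> Decision:
    """PDP: a pure evaluation engine. It only reports a decision and post-conditions."""
    if req.subject not in ALLOWED_SUBJECTS:
        return Decision("Deny")
    obligations = []
    start, end = AUDIT_WINDOW
    if (req.resource == AUDITED_RESOURCE and req.action == "write"
            and start <= datetime.fromisoformat(req.at).time() < end):
        # Policy-level "log" post-condition: a value meaningful only to the PEP.
        obligations.append({"id": "log", "msg": f"{req.at} {req.subject} write {req.resource}"})
    return Decision("Permit", obligations)

class PEP:
    """PEP: applies the decision and carries out the post-conditions it understands."""
    def __init__(self):
        self.audit_log = []  # stands in for the application's own log sink

    def enforce(self, req: Request) -> bool:
        decision = pdp_evaluate(req)
        if decision.effect != "Permit":
            return False
        for ob in decision.obligations:
            if ob["id"] == "log":
                self.audit_log.append(ob["msg"])
            else:
                # A post-condition this PEP cannot carry out: refuse access rather than ignore it.
                return False
        return True
```

Note that the PDP never touches the audit log: a read, or a write outside the window, is permitted with no obligation, and only the PEP decides what "log" means for its application.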



From: Anne Anderson <Anne.Anderson@Sun.com> on 2002/02/15 23:37

To:   bill parducci <bill@parducci.net>
cc:   "XACML TC <xacml"
Subject:  Re: [xacml] [model] Proposal of Post Condition



I think I agree with Bill's position on this: the PDP should be
just an evaluation engine.  It can not be held responsible for
enforcing any actions as a result of the evaluation.  Post
conditions, if we use them, should just be values that are
returned to the PEP and are meaningful only to the PEP.  It is up
to the PEP to enforce them.

I think the semantics of post conditions are hard to manage in
access control unless we want the PDP to be far more than an
evaluation engine.

The one strong argument for PDP-enforced post conditions I have
heard is that certain actions should be logged by the PDP,
showing exactly how the result was obtained.  I think this can
probably be an implementation feature for a PDP, managed by PDP
configuration and outside of the scope of XACML.  It is not part
of a policy.

Anne
--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
