Subject: Re: [xacml] proposed amendment to Polar's resolution of PM-2-05


Bill, could you explain your problem?  Sometimes a PEP does not want to
expose to the PDP all possible attribute values, but only those really 
needed.  By having the PDP supply a list of those attributes required 
for a decision, the PEP can send only those.  In fact, the PDP could
return a structured set of attributes: "I could return a decision if
you supply A, B, and C OR D and E."

Another case is to support the Java Policy "getPermissions" API.  In
this case, the PEP supplies a partial list of attributes, and gets back
a list of Permissions (resource/action pairs) that remain as the only
unknown attributes after substituting the supplied attributes into all
the Permit rules.  So far, Java Security developers have not indicated
any requirements for implementing this API, but it is a potential case.

Anne

"bill parducci" <bill@parducci.net> wrote:
>Date: Fri, 05 Apr 2002 15:09:34 -0800
>in a side discussion with polar it was my impression that this exchange
>excluded responses to a PEP. is this consistent with the understanding
>of others?
>
>i have a BIG problem with a PDP returning anything to a PEP other than
>the decision/obligation, particularly if it provides information on how
>to achieve a decision.
>
>b
>
>> "Beznosov, Konstantin" wrote:
>> 
>> I suggest to amend the text of the resolution so that the above
>> fragment will read the following:
>
>The PDP MAY return an "authorization decision" of "indeterminate" with
>an error code of "insufficient information", signifying that more
>information needed. In this case, the "authorization decision" MAY list
>the names of any attributes of the subject and the resource that are
>needed by the PDP to refine its "authorization decision".

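Added example, not part of the original message or of any XACML implementation: a minimal sketch of the exchange discussed above, in which the PDP answers "indeterminate" with the error code "insufficient information" plus alternative sets of needed attribute names, and the PEP then discloses only the named attributes. The rule format, the attribute names and the functions `evaluate` and `pep_request` are assumptions made for illustration.

```python
# Added illustration: rule format, attribute names and function names are
# assumptions, not XACML syntax or any product's API.

# Constructed policy. Each Permit rule is a conjunction of attribute tests;
# the rules are alternatives (OR). No rule matching means deny (assumption).
PERMIT_RULES = [
    {"role": "doctor", "dept": "cardiology", "on_shift": "yes"},
    {"role": "auditor", "ticket": "approved"},
]

def evaluate(supplied, rules=PERMIT_RULES):
    """PDP side. Returns (decision, error_code, needed); `needed` is a list of
    attribute-name lists, read as "supply all of list 1 OR all of list 2"."""
    alternatives = []
    for rule in rules:
        # A supplied value that contradicts the rule rules it out entirely.
        if any(n in supplied and supplied[n] != v for n, v in rule.items()):
            continue
        missing = sorted(n for n in rule if n not in supplied)
        if not missing:
            return ("permit", None, [])
        alternatives.append(missing)
    if alternatives:
        # The reply names the attributes the policy tests, not their values.
        return ("indeterminate", "insufficient information", alternatives)
    return ("deny", None, [])

def pep_request(store, initial):
    """PEP side. Discloses `initial` attributes, then only those the PDP names.
    Returns (decision, names of the attributes actually disclosed)."""
    disclosed = {n: store[n] for n in initial}
    while True:
        decision, _, needed = evaluate(disclosed)
        usable = [alt for alt in needed if all(n in store for n in alt)]
        if decision != "indeterminate" or not usable:
            return decision, sorted(disclosed)
        # Pick the alternative that costs the fewest extra disclosures.
        for name in min(usable, key=len):
            disclosed[name] = store[name]

if __name__ == "__main__":
    # Constructed attribute store held by the PEP.
    store = {"role": "auditor", "ticket": "approved",
             "dept": "finance", "home_address": "constructed value"}
    print(evaluate({}))
    print(pep_request(store, ["role"]))
```

The list returned with "indeterminate" is the information whose disclosure to the PEP the quoted objection is about; in this sketch it carries attribute names only.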


