Subject: RE: [xacml] Proposed semantics for operations involving INDETERMINATE
>> In fact what we are discussing is that functions in the constraint may
>> "throw exception", beside
>> returning "true" or "false". I think we do need clear protocol to
>> communicate that - we should not
>> lump together a case when no applicable rule was found with the case of
>> database connection timed out.
>I fundamentally disagree. You are asking the authorization decision
>conversation to encompass operational behaviors. To what end?
To the end of allowing to communicate "Not available" from "Not applicable".
That is a result of policy evaluation - three distinct, principally different outcomes:
decision/no applicable rules/could not evaluate.
You may do that at the external protocol layer. I suggest we provide a standard way of doing
that between PDP and PEP, not just leave it hanging.
>Let's
>assume that there is a throw deep within the bowels of some external
>function during policy evaluation. what is the PEP supposed to do with
>that information?
What is it supposed to do with GRANT? Or DENY? Whatever is appropriate in
a concrete application - that's not part of policy description and policy query
protocols. We may state that PEP may treat ERROR==INDETERMINATE by default,
but not providing a way to convey this fundamentally different state in the
response is not helpful in my opinion.
You will have exceptions. That's a fact. In one form or another.
Not having a clear strategy what to do with this will not make it more
robust or secure.
Daniel.
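An added illustration of the three-way distinction argued for above (decision / no applicable rule / could not evaluate), not code from the thread or from any XACML implementation. The combining order is a simplified deny-overrides and the `revoked_lookup` external function and rule set are constructed for the example.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"   # no rule's target matched
    INDETERMINATE = "Indeterminate"    # evaluation itself failed

def revoked_lookup(request):
    # Constructed stand-in for an external function (a revocation database).
    if request.get("db_down"):
        raise TimeoutError("revocation database timed out")
    return request.get("subject") in {"mallory"}

# Constructed rule set: (target predicate, effect if the target matches).
RULES = [
    (lambda r: r.get("role") == "admin", Decision.PERMIT),
    (revoked_lookup, Decision.DENY),
]

def evaluate(rules, request):
    """PDP side, simplified deny-overrides: Deny wins, then Indeterminate,
    then Permit, else NotApplicable. Returns (decision, status text)."""
    outcomes, status = [], "ok"
    for target, effect in rules:
        try:
            if target(request):
                outcomes.append(effect)
        except Exception as exc:
            # A throw is an evaluation failure, not "no rule applied":
            # keep it apart from NotApplicable and carry the reason back.
            outcomes.append(Decision.INDETERMINATE)
            status = f"{type(exc).__name__}: {exc}"
    for d in (Decision.DENY, Decision.INDETERMINATE, Decision.PERMIT):
        if d in outcomes:
            return d, status
    return Decision.NOT_APPLICABLE, status

def enforce(decision, status):
    """PEP side: fail closed on anything but Permit, but keep the states
    apart so a policy gap and a PDP error are logged and handled differently."""
    if decision is Decision.PERMIT:
        return True, "permit"
    if decision is Decision.INDETERMINATE:
        return False, f"error: {status}"        # alert operators, maybe retry
    if decision is Decision.NOT_APPLICABLE:
        return False, "no applicable policy"    # policy authoring gap
    return False, "deny"
```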