Subject: Re: [xacml] 7.7 Obligations
i concur.

b

Michiharu Kudoh wrote:

> I think XACML specification should basically focus on the functionality on
> the PDP but it does not necessarily mean that it MUST NOT say anything
> about entries other than PDP in the normative sections. For example,
> Section 7.1 describes desirable behavior in "PEP", for example in line
> 2636-2664. The following are excerpt:
>
> - If the "Permit" value is returned, then the PEP MAY permit access to the
> resource.
> - If the "Deny" value is returned, then the PEP SHALL deny access to the
> resource.
> - If the "Indeterminate" value is returned, it means that the PDP could not
> make a decision. The PDP MAY return a decision value of "Indeterminate"
> with a status code of "... missing-attribute", etc.
> - If the "NotApplicable" is returned, it means that the PDP's policy is not
> applicable to the request, implying that the PEP should send its request to
> another PDP.
>
> The following are the text regarding obligations and I want to add in this
> section:
>
> - If the "Permit with obligations(s)" value is returned, then the PEP MAY
> permit access to the resource and PEP is responsible for fulfilling the
> obligation(s). If there is an obligation that is not understandable by the
> PEP, then the PEP SHALL deny access to the resource.
> - If the "Deny with obligations(s)" value is returned, then the PEP SHALL
> deny access to the resource and PEP is still responsible for fulfilling the
> obligation(s). If there is an obligation that is not understandable by the
> PEP, then the PEP SHALL raise an error. How and which error should be
> raised is outside the scope of XACML.
>
> Michiharu Kudo
>
> IBM Tokyo Research Laboratory, Internet Technology
> Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
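
A sketch of a PEP that follows the obligation rules proposed in the quoted message, added here as an example; it is not part of the original thread or of the XACML specification. The names `PEP`, `Decision` and `UnknownObligationError` and the obligation ids are hypothetical, a decision "with obligation(s)" is modelled as a value plus a list of ids, and refusing access on "Indeterminate" and "NotApplicable" is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class UnknownObligationError(Exception):
    """A "Deny" decision carried an obligation this PEP does not understand."""


@dataclass
class Decision:
    value: str  # "Permit", "Deny", "Indeterminate" or "NotApplicable"
    obligations: List[str] = field(default_factory=list)


class PEP:
    def __init__(self, handlers: Dict[str, Callable[[], None]]):
        self.handlers = handlers  # obligation id -> action that fulfils it

    def enforce(self, decision: Decision) -> bool:
        """Return True only when access to the resource is granted."""
        unknown = [o for o in decision.obligations if o not in self.handlers]
        if decision.value == "Permit":
            if unknown:
                return False  # obligation not understood: deny, run nothing
            for o in decision.obligations:
                self.handlers[o]()  # a failing handler raises: no access
            return True
        if decision.value == "Deny":
            for o in decision.obligations:
                if o in self.handlers:
                    self.handlers[o]()  # still fulfilled on Deny
            if unknown:
                raise UnknownObligationError(", ".join(unknown))
            return False
        return False  # assumption: Indeterminate/NotApplicable grant nothing


if __name__ == "__main__":
    audit: List[str] = []  # constructed sample state
    pep = PEP({"log-access": lambda: audit.append("log-access")})
    print(pep.enforce(Decision("Permit", ["log-access"])))
    print(pep.enforce(Decision("Permit", ["log-access", "encrypt"])))
    print(pep.enforce(Decision("Deny", ["log-access"])), audit)
```

On "Permit" the unknown-obligation check runs before any handler, so a request that ends up denied leaves no partial side effects.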