
Subject: [xacml] Alternative to Michiharu's proposal. (fwd)



Oops, I noticed a couple nuances when it came back to me as well. I'm done
for the day. A rewording based on Bill's suggestions:

7.1 Use Profile for XACML Request

This section describes the use profile for using an XACML PDP in an
application environment. This use profile covers the case of a PEP that is
configured to make authorization queries to a single PDP. PEP to multiple
PDP configurations are outside of the scope of this specification.

An application functions in the role of the PEP if it guards access to a
particular resource and asks the PDP for an access decision. The PEP that
asks the PDP for an access decision SHALL abide by the result of that
access decision in the following way:

A PEP SHALL allow access to the particular resource ONLY IF a valid XACML
response of "Permit" is returned by the PDP. The PEP SHALL deny access to
the particular resource in all other cases. An XACML response of "Permit"
SHALL be considered valid ONLY IF the PEP understands all of the
obligations that may be contained in the response.

A PEP that receives a valid XACML response of "Permit" with obligations
SHALL be responsible for fulfilling all of those obligations. A PEP that
receives an XACML response of "Deny" with obligations SHALL be responsible
for fulfilling all of the obligations that it understands.

---

 Did I mess anything up?

Cheers,
-Polar
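
The enforcement rule in the proposed section 7.1 text above, as an added Python sketch that is not part of the original message or of any XACML implementation. The `Response` type, the obligation ids and the handler map are assumptions, as is treating a failed obligation handler on "Permit" as a denial.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Response:
    """Constructed stand-in for a parsed XACML response (hypothetical type)."""
    decision: str  # "Permit", "Deny", "Indeterminate" or "NotApplicable"
    obligations: List[str] = field(default_factory=list)  # obligation ids

class PEP:
    def __init__(self, handlers: Dict[str, Callable[[], None]]):
        # Obligation ids this PEP understands, mapped to the code fulfilling them.
        self.handlers = handlers

    def enforce(self, response: Response) -> bool:
        """Return True only if access to the resource may be allowed."""
        understood = [o for o in response.obligations if o in self.handlers]
        if response.decision == "Permit":
            # A Permit is valid ONLY IF every obligation is understood.
            if len(understood) != len(response.obligations):
                return False
            try:
                for o in understood:
                    self.handlers[o]()  # fulfil all obligations
            except Exception:
                return False  # assumption: unfulfilled obligation means deny
            return True
        if response.decision == "Deny":
            # On Deny, fulfil only the obligations that are understood.
            for o in understood:
                self.handlers[o]()
        # Deny, Indeterminate, NotApplicable, anything else: no access.
        return False

if __name__ == "__main__":
    audit = []  # constructed sample: one understood obligation, one unknown
    pep = PEP({"urn:example:obligation:audit": lambda: audit.append("audit")})
    unknown = "urn:example:obligation:unknown"
    for r in (Response("Permit", ["urn:example:obligation:audit"]),
              Response("Permit", ["urn:example:obligation:audit", unknown]),
              Response("Deny", ["urn:example:obligation:audit", unknown]),
              Response("Indeterminate")):
        print(r.decision, r.obligations, "->", pep.enforce(r))
```
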

