[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] Alternative to Michiharu's proposal. (fwd)
you only need to choose between 'a XACML' and 'an XACML', other than that i can live with it. :o) b Polar Humenn wrote: > Opps, I noticed a couple nuances when it came back to me as well. I'm done > for the day. A rewording based on Bill's suggestions: > > 7.1 Use Profile for XACML Request > ! This section describes the use profile for using an XACML PDP in an > application environment. This use profile covers the case of a PEP that is > configured to make authorization queries to a single PDP. PEP to multiple > PDP configurations are outside of the scope of this specification. > > An application functions in the role of the PEP if it guards access to a > particular resource and asks the PDP for an access decision. The PEP that > asks the PDP for an access decision SHALL abide by the result of that > access decision in the following way: > > A PEP SHALL allow access to the particular resource ONLY IF a valid XACML > response of "Permit" is returned by the PDP. The PEP SHALL deny access to ! the particular resource in all other cases. An XACML response of "Permit" > SHALL be considered valid ONLY IF the PEP understands all of the > obligations that may be contained in the response. > > A PEP that receives a valid XACML response of "Permit" with obligations > SHALL be responsible for fulfilling all of those obligations. A PEP that ! receives a XACML response of "Deny" with obligations SHALL be responsible > for fulfilling all of the obligations that it understands. > > --- > > Did I mess anything up? > > Cheers, > -Polar
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC