OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: Re: [xacml] Alternative to Michiharu's proposal. (fwd)


since it seems that the 'an's have it, here is what the proposal for the final text for section 7.1:


7.1 Use Profile for XACML Request
This section describes the use profile for using an XACML PDP in an application environment. This use profile covers the case of a PEP that is
configured to make authorization queries to a single PDP. PEP to multiple PDP configurations are outside of the scope of this specification.

An application functions in the role of the PEP if it guards access to a particular resource and asks the PDP for an access decision. The PEP that
asks the PDP for an access decision SHALL abide by the result of that access decision in the following way:

A PEP SHALL allow access to the particular resource ONLY IF a valid XACML response of "Permit" is returned by the PDP. The PEP SHALL deny access to the particular resource in all other cases. An XACML response of "Permit" SHALL be considered valid ONLY IF the PEP understands all of the obligations that may be contained in the response.

A PEP that receives a valid XACML response of "Permit" with obligations SHALL be responsible for fulfilling all of those obligations. A PEP that receives an XACML response of "Deny" with obligations SHALL be responsible for fulfilling all of the obligations that it understands.

b 




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC