
Subject: Groups - XACML 2.0 Interop Scenarios Version 0.10 (xacml-2.0-core-interop-draft-10-07.doc) uploaded


This is the update mentioned in the previous email. The problem
with the previous version was that the PolicySet that was introduced
to Scenario 2 was using the PolicySet example in xacml-core
section 4.2.4.5 as a model. I suspected when I released the doc
that more work needed to be done there and proceeded with that
in parallel.

Thanks to some generous assistance from Anne Anderson, I received
guidance on how to use a Root PolicySet to initiate Policy execution.
i.e. given a collection of Policies and a Request, how does the PDP
know where to begin, and which Policies to include and which not.

This problem is partially addressed in Scenario 2 with the addition
of a Root PolicySet with the idea being that the PDP knows to begin
with that. The comments preceding that Root PolicySet indicate that
at this point we are really getting into vendor implementation area,
where there are probably unlimited choices as to how to manage a
collection of policies and optimize their evaluation. I am assuming
each vendor already has their own solution to this problem and will
have a means to determine that PolicySet 01 should be evaluated for a
"Buy" Action on the "CustomerAccount" Resource.

In addition, the original PolicySet01 had some bugs that were addressed
by using PolicyIdReferences which follow the basic algorithm of
Scenario 2, which follows one more time with corrections:

   buy-total = buy-num-shares times buy-offer-price

   if ( (buy-total < current-credit) and
        (buy-total < trade-limit) )
     { return Permit (+ 3 display obligations) }
   else
     if ( (buy-total >= current-credit) and
          (req-credit-ext-approval = "true") )
       { Permit plus obligation to approve credit }
     if ( (buy-total >= trade-limit) and
          (req-trade-approval = "true") )
       { Permit plus obligation to approve trade }
     if ( ( (buy-total >= current-credit) and
            (req-credit-ext-approval = "true") ) or
          ( (buy-total >= trade-limit) and
            (req-trade-approval = "true") ) )
       { return Deny plus 3 display obligations (fulfill on deny) }
     else
       { return Permit plus 3 display obligations }

Note: there are 3 return points above all of which return
display obligations. Also note that the Permit obligations
are collected in the first 2 limit checks, but will be ignored
if Deny is ultimately returned, but if Permit is ultimately
returned then they are added to the 3 display obligations
that get put in the Response.

Note: the arithmetic is still not in the Rules for calculating the
thresholds. I will provide this later in the week, or others can
implement it if they have the cycles available.

Primary focus now is going to turn to the Policy Exchange
scenarios.

 -- Rich Levinson

The document revision named XACML 2.0 Interop Scenarios Version 0.10
(xacml-2.0-core-interop-draft-10-07.doc) has been submitted by Rich
Levinson to the OASIS eXtensible Access Control Markup Language (XACML) TC
document repository.  This document is revision #1 of
xacml-2.0-core-interop-draft-10-06.doc.

Document Description:
This document is in progress and is intended to be used for XACML 2.0
Interop Event planned to be conducted at and during the Burton Catalyst
Conference in San Francisco on Thursday, June 28, 2007.

It is expected there will be regular updates to this doc over the next 3
weeks.

View Document Details:
http://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=24241

Download Document:  
http://www.oasis-open.org/apps/org/workgroup/xacml/download.php/24241/xacml-2.0-core-interop-draft-10-07.doc

Revision:
This document is revision #1 of xacml-2.0-core-interop-draft-10-06.doc. 
The document details page referenced above will show the complete revision
history.


PLEASE NOTE:  If the above links do not work for you, your email application
may be breaking the link into two pieces.  You may be able to copy and paste
the entire link address into the address field of your web browser.

-OASIS Open Administration
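
Added example, not part of the original message or of the interop document: the Scenario 2 algorithm from the message transcribed into Python so the three return points and the obligation handling can be exercised. The obligation names, the `evaluate_buy` function and the sample request are assumptions made for illustration; the attribute names are the ones used in the pseudocode.

```python
from decimal import Decimal

# Placeholder obligation names (assumed); the message only says
# "3 display obligations", "approve credit" and "approve trade".
DISPLAY = ["display-1", "display-2", "display-3"]

def evaluate_buy(req):
    """Return (decision, obligations) for a Buy on CustomerAccount."""
    buy_total = Decimal(req["buy-num-shares"]) * Decimal(req["buy-offer-price"])
    credit = Decimal(req["current-credit"])
    limit = Decimal(req["trade-limit"])

    # First return point: total is under both thresholds.
    if buy_total < credit and buy_total < limit:
        return "Permit", list(DISPLAY)

    # Limit checks: each matching check contributes a Permit obligation.
    over_credit = buy_total >= credit and req["req-credit-ext-approval"] == "true"
    over_trade = buy_total >= limit and req["req-trade-approval"] == "true"
    permit_obligations = []
    if over_credit:
        permit_obligations.append("approve-credit")
    if over_trade:
        permit_obligations.append("approve-trade")

    # Second return point: Deny carries only the fulfill-on-deny display
    # obligations; Permit obligations collected above are dropped.
    if over_credit or over_trade:
        return "Deny", list(DISPLAY)

    # Third return point: collected Permit obligations join the display set.
    return "Permit", permit_obligations + list(DISPLAY)

# Constructed sample request: 100 shares at 12.50 = 1250, over the 1000 credit.
SAMPLE = {
    "buy-num-shares": "100", "buy-offer-price": "12.50",
    "current-credit": "1000", "trade-limit": "5000",
    "req-credit-ext-approval": "true", "req-trade-approval": "false",
}

if __name__ == "__main__":
    print(evaluate_buy(SAMPLE))
```

With the conditions exactly as written in the pseudocode, each approval obligation is collected only when the Deny condition also matches, so the third return point returns the display obligations alone.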