[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Obligations in Rules?
All,
Do we want obligations in rules? I think we should and if the general
opinion is that this is a good idea, could you let me know and I could
post a working draft with this change so review is quicker?
In short this change means that the Rule schema would be changed to this:
<xs:element name="Rule" type="xacml:RuleType"/>
<xs:complexType name="RuleType">
<xs:sequence>
<xs:element ref="xacml:Description" minOccurs="0"/>
<xs:element ref="xacml:Target" minOccurs="0"/>
<xs:element ref="xacml:Condition" minOccurs="0"/>
<xs:element ref="xacml:ObligationExpressions" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="RuleId" type="xs:string" use="required"/>
<xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>
Note the new line "ObligationExpressions". (It's obligation expressions,
not obligations only because of the dynamic obligations change we made
last time.)
The semantics are the same as for obligations in policies, that is, if
the rule evaluates to a decision with a matching FullfilOn the
obligations are included in the result of that Rule.
Note that since a rule has a fixed Effect, either Permit or Deny, it
doesn't make sense to specify an obligation with the other decision in
the FullfilOn, but I don't think we should define a different schema
construct just for the obligation in the rule.
The benefit of all this is that if someone has a condition at the rule
level which he would like to associate with an obligation, then it would
not be necessary to wrap the rule inside a policy just to contain the
obligation.
Best regards,
Erik
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]