[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Obligations in Rules?
All, Do we want obligations in rules? I think we should and if the general opinion is that this is a good idea, could you let me know and I could post a working draft with this change so review is quicker? In short this change means that the Rule schema would be changed to this: <xs:element name="Rule" type="xacml:RuleType"/> <xs:complexType name="RuleType"> <xs:sequence> <xs:element ref="xacml:Description" minOccurs="0"/> <xs:element ref="xacml:Target" minOccurs="0"/> <xs:element ref="xacml:Condition" minOccurs="0"/> <xs:element ref="xacml:ObligationExpressions" minOccurs="0"/> </xs:sequence> <xs:attribute name="RuleId" type="xs:string" use="required"/> <xs:attribute name="Effect" type="xacml:EffectType" use="required"/> </xs:complexType> Note the new line "ObligationExpressions". (It's obligation expressions, not obligations only because of the dynamic obligations change we made last time.) The semantics are the same as for obligations in policies, that is, if the rule evaluates to a decision with a matching FullfilOn the obligations are included in the result of that Rule. Note that since a rule has a fixed Effect, either Permit or Deny, it doesn't make sense to specify an obligation with the other decision in the FullfilOn, but I don't think we should define a different schema construct just for the obligation in the rule. The benefit of all this is that if someone has a condition at the rule level which he would like to associate with an obligation, then it would not be necessary to wrap the rule inside a policy just to contain the obligation. Best regards, Erik
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]