Subject: Re: [xacml] The new advice "obligation"
On Dec 18, 2008, at 11:56 PM, Erik Rissanen wrote:

> 2. Should it be possible to have this apply to NotApplicable as well, not just Permit/Deny?
>
> I am asking since a customer of mine wanted to use obligations on NotApplicable to return a reason for why access was not allowed.
>
> I haven't thought it through properly yet, but it seems like a good idea. Typically I would expect policies to list stuff that is allowed, with perhaps some exceptions which deny. In general it's a good principle for security design to "enumerate goodness", rather than to try to list everything which is bad/dangerous. If one does so, if a policy does not match, it would be NotApplicable, not Deny, so it would not be possible to return advice about what did not match. If we don't allow advice on NotApplicable, then policy writers need to refactor their policies to return Deny instead of NotApplicable when they do not match.

Does this mean that all Policies not applicable to a decision would return an Obligation? Taken one step further with the TC's current decision re: Obligations, that all Rules that are not applicable will return Obligations?

Also, NotApplicable and "not allowed" are not explicitly correlated, since the latter is defined as a "Deny", so I am not sure I understand the use case fully. Are they looking for the logic behind each decision to be passed to the PEP? (Which could be unwieldy if the answer to my first question is yes :)

thanks
b
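The following toy model is an added illustration of the trade-off the two messages above are discussing; it is not code from the thread, the OASIS TC, or any XACML implementation. It assumes a first-applicable rule combiner inside each policy and deny-overrides across policies (both real XACML combining algorithms, simplified here), and advice is attached only to a Permit or Deny result, as in XACML 3.0. The rule ids, roles, resources and requests are constructed.

```python
"""Toy XACML-style evaluation (added illustration, not code from the thread).

It models the situation described above: a policy that only enumerates Permit
rules yields NotApplicable when nothing matches, so there is no Permit/Deny
decision to attach advice to; and the refactoring Erik mentions (a trailing
catch-all Deny rule that carries the reason) changes how independent policies
combine. Rule ids, roles and requests are constructed for the example."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, str]


@dataclass
class Rule:
    rule_id: str
    effect: str                        # PERMIT or DENY
    target: Callable[[Request], bool]  # does this rule apply to the request?
    advice: str = ""                   # reason handed to the PEP if this rule's effect wins


@dataclass
class Decision:
    result: str
    advice: List[str] = field(default_factory=list)


def first_applicable(rules: List[Rule], request: Request) -> Decision:
    """Simplified first-applicable: the first rule whose target matches decides.
    If no rule matches, the policy is NotApplicable and carries no advice,
    because advice only rides on a Permit or Deny result."""
    for rule in rules:
        if rule.target(request):
            return Decision(rule.effect, [rule.advice] if rule.advice else [])
    return Decision(NOT_APPLICABLE)


def deny_overrides(decisions: List[Decision]) -> Decision:
    """Simplified deny-overrides across policy-level decisions: any Deny wins,
    otherwise any Permit, otherwise NotApplicable. Advice from the winning
    decisions is merged."""
    denies = [d for d in decisions if d.result == DENY]
    if denies:
        return Decision(DENY, [a for d in denies for a in d.advice])
    permits = [d for d in decisions if d.result == PERMIT]
    if permits:
        return Decision(PERMIT, [a for d in permits for a in d.advice])
    return Decision(NOT_APPLICABLE)


# Constructed policies that "enumerate goodness": Permit rules only.
RECORDS_POLICY = [
    Rule("doctor-reads-record", PERMIT,
         lambda r: r["role"] == "doctor" and r["resource"] == "record" and r["action"] == "read"),
]
VITALS_POLICY = [
    Rule("nurse-reads-vitals", PERMIT,
         lambda r: r["role"] == "nurse" and r["resource"] == "vitals" and r["action"] == "read"),
]


def with_catch_all_deny(rules: List[Rule], policy_name: str) -> List[Rule]:
    """The refactoring described in the thread: turn 'nothing matched' into a
    Deny so that a reason can be attached for the PEP."""
    return rules + [Rule(f"{policy_name}-catch-all", DENY, lambda r: True,
                         advice=f"{policy_name}: no rule permitted this request")]


def evaluate(policies: List[List[Rule]], request: Request) -> Decision:
    return deny_overrides([first_applicable(p, request) for p in policies])


# Constructed sample requests.
DOCTOR_READS_RECORD = {"role": "doctor", "resource": "record", "action": "read"}
CLERK_READS_RECORD = {"role": "clerk", "resource": "record", "action": "read"}

if __name__ == "__main__":
    enumerated = [RECORDS_POLICY, VITALS_POLICY]
    refactored = [with_catch_all_deny(RECORDS_POLICY, "records"),
                  with_catch_all_deny(VITALS_POLICY, "vitals")]
    for label, policies in (("enumerate goodness", enumerated), ("catch-all deny", refactored)):
        for req in (DOCTOR_READS_RECORD, CLERK_READS_RECORD):
            d = evaluate(policies, req)
            print(f"{label:18} {req['role']:6} -> {d.result:13} advice={d.advice}")
```

Running it shows both halves of the problem. With permit-only policies, the clerk's request is NotApplicable with no advice, so the PEP learns nothing about why. After adding a catch-all Deny to each policy, the clerk gets a Deny with a reason from both policies, but the doctor's legitimate read is now also denied: the vitals policy, which simply did not apply before, returns Deny with its own advice, and deny-overrides lets that win over the records policy's Permit. That is the concrete cost behind the question of whether every non-applicable policy ends up emitting a Deny plus an obligation, and why the refactoring is not free.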