Re: [xacml] The new advice "obligation"

[bill parducci <bill@parducci.net>]

On Dec 19, 2008, at 7:15 AM, Erik Rissanen wrote:
> What I mean is that if a PolicySet/Policy/Rule contains an <Advice  
> AppliesTo="NotApplicable">, then it would be returned to the PEP if  
> that policy was processed by the PDP and the final decision is  
> NotApplicable (and to be more precise, that particular NotApplicable  
> was "pushed up" all the way through combination).

Please bear with me on this since I am still a bit fuzzy... So, you  
are proposing that any Policy/Rule in the scope of the security  
infrastructure that doesn't lead to a Permit/Deny for a given request  
returns an Obligation should the ultimate result be Not Applicable?

> They want to put markers in parts of the policies, which they want  
> to show to the users if the final decision is NotApplicable. The  
> markers would give advice to the user about what was wrong with the  
> access request and the reason to why no policy applied to the request.

So, if I read of your proposal is correct, any Obligation marked  
AppliesTo="NotApplicable" in and Policy/Rule in the security realm--no  
matter who wrote it or the scope of the decision--would be sent back.  
For example a PDP that serves decisions for the front door access  
control and the accounting system would reply with any NotApplicable  
Obligations across domains should the ultimate decision be  
NotApplicable?

Is this correct?

thanks

b