OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Multiple obligations

All,

I don't think combining decisions and combining obligations are orthogonal.

Consider the case of the following (agreed, contrived) policy structure:

PS1 ordered-permit-overrides
   Target:
     printing-enabled-for-user = true
     resource-id = printing
   P2 ordered-deny-overrides
     R3 permit printing with obligation "invoice-printing-cost"
     R4 deny printing if authentication-level = basic
   P5 ordered-deny-overrides
     R6 permit printing if staff-member = true with obligation 
"log-printing"

Assume following request:

Subject:
   subject-id = alice
   staff-member = true
   authentication-level = basic
   printing-enabled-for-user = true
Resource:
   resource-id = printing

R3 and R4 and R6 will all apply. R3 because the basic rule is that 
anybody with printing enabled on their account can print (given that 
they are invoiced). Except that R4 denies a user who is using only basic 
authentication. And R6 allows staff members to print regardless of level 
of authentication (and for free, but we want to log the access).

Clearly we would like to correlate obligation combining with the 
combining of the decision, so that we don't invoice the staff member, 
although one of the leaf rules matched. However the decision from that 
R3 was later overridden by another rule R4, so the _reason_ why the 
access was permitted was different than the conditions in R3, so we 
should not apply the obligations from R3, since they are relevant only 
to the situation which R3 was about.

Best regards,
Erik


On 2011-06-07 15:35, remon.sinnema@emc.com wrote:
> Paul,
>
>
>> -----Original Message-----
>> From: Tyson, Paul H [mailto:PTyson@bellhelicopter.textron.com]
>> Sent: Tuesday, June 07, 2011 3:12 PM
>> To: Erik Rissanen; xacml@lists.oasis-open.org
>> Subject: RE: [xacml] Multiple obligations
>>
>> I'm not sure we should tie obligation-combining with policy- or rule-
>> combining, since they are really orthogonal concerns.
> Obligations are to be returned from applicable rules *that were evaluated* (Section 7.18). Since the combining algorithms define which rules are evaluated, they also define which obligations are returned. So the two orthogonal concerns currently are tied.
>
> I agree that this is not optimal.
>
>
> Thanks,
> Ray
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]