[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Multiple obligations
All,

I don't think combining decisions and combining obligations are orthogonal. Consider the case of the following (agreed, contrived) policy structure:

PS1 ordered-permit-overrides
    Target: printing-enabled-for-user = true
            resource-id = printing
    P2 ordered-deny-overrides
        R3 permit printing with obligation "invoice-printing-cost"
        R4 deny printing if authentication-level = basic
    P5 ordered-deny-overrides
        R6 permit printing if staff-member = true with obligation "log-printing"

Assume the following request:

Subject:
    subject-id = alice
    staff-member = true
    authentication-level = basic
    printing-enabled-for-user = true
Resource:
    resource-id = printing

R3 and R4 and R6 will all apply. R3 because the basic rule is that anybody with printing enabled on their account can print (given that they are invoiced). Except that R4 denies a user who is using only basic authentication. And R6 allows staff members to print regardless of level of authentication (and for free, but we want to log the access).

Clearly we would like to correlate obligation combining with the combining of the decision, so that we don't invoice the staff member, although one of the leaf rules matched. However the decision from that R3 was later overridden by another rule R4, so the _reason_ why the access was permitted was different than the conditions in R3, so we should not apply the obligations from R3, since they are relevant only to the situation which R3 was about.

Best regards,
Erik

On 2011-06-07 15:35, remon.sinnema@emc.com wrote:
> Paul,
>
>> -----Original Message-----
>> From: Tyson, Paul H [mailto:PTyson@bellhelicopter.textron.com]
>> Sent: Tuesday, June 07, 2011 3:12 PM
>> To: Erik Rissanen; xacml@lists.oasis-open.org
>> Subject: RE: [xacml] Multiple obligations
>>
>> I'm not sure we should tie obligation-combining with policy- or rule-combining, since they are really orthogonal concerns.
>
> Obligations are to be returned from applicable rules *that were evaluated* (Section 7.18). Since the combining algorithms define which rules are evaluated, they also define which obligations are returned. So the two orthogonal concerns currently are tied.
>
> I agree that this is not optimal.
>
>
> Thanks,
> Ray
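The policy structure and request from Erik's message, run through a toy PDP. This is an added example, not code from the thread or from any XACML implementation: the Rule/Policy classes, the "naive" and "correlated" obligation modes, and the short-circuiting of ordered-* combining (stop once the overriding effect is seen, so later rules are never evaluated) are assumptions made here to make both points in the thread concrete. "naive" returns obligations from every applicable rule that was evaluated; "correlated" returns, at each level, only obligations attached to the effect that level actually produced.

```python
"""Toy XACML-style PDP: decision combining vs. obligation combining.

Added example (not from the XACML list thread). Assumptions:
  * ordered-* algorithms evaluate children in order and stop at the
    first child returning the overriding effect;
  * "naive" mode: every applicable rule that was evaluated contributes
    its obligations, regardless of whether its effect survived combining;
  * "correlated" mode: a node only returns obligations attached to the
    effect it actually produced.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

Request = Dict[str, object]
Condition = Callable[[Request], bool]
Result = Tuple[str, List[str]]  # (decision, obligations)


@dataclass
class Rule:
    name: str
    effect: str
    condition: Condition
    obligations: List[str] = field(default_factory=list)

    def evaluate(self, req: Request, mode: str = "correlated") -> Result:
        if self.condition(req):
            return self.effect, list(self.obligations)
        return NOT_APPLICABLE, []


@dataclass
class Policy:
    name: str
    algorithm: str  # "ordered-deny-overrides" or "ordered-permit-overrides"
    target: Condition
    children: list  # Rules or nested Policies, in evaluation order

    def evaluate(self, req: Request, mode: str = "correlated") -> Result:
        if not self.target(req):
            return NOT_APPLICABLE, []
        overriding = DENY if self.algorithm == "ordered-deny-overrides" else PERMIT
        other = PERMIT if overriding == DENY else DENY
        results: List[Result] = []
        for child in self.children:
            res = child.evaluate(req, mode)
            results.append(res)
            if res[0] == overriding:
                break  # ordered-*: remaining children are never evaluated
        decisions = [d for d, _ in results]
        if overriding in decisions:
            decision = overriding
        elif other in decisions:
            decision = other
        else:
            decision = NOT_APPLICABLE
        if mode == "naive":
            # every evaluated, applicable child contributes its obligations
            obligations = [o for d, obs in results if d != NOT_APPLICABLE for o in obs]
        else:
            # only children whose effect matches this node's decision contribute
            obligations = [o for d, obs in results if d == decision for o in obs]
        return decision, obligations


# Rules from the message (conditions as written there).
R3 = Rule("R3", PERMIT, lambda r: True, ["invoice-printing-cost"])
R4 = Rule("R4", DENY, lambda r: r.get("authentication-level") == "basic")
R6 = Rule("R6", PERMIT, lambda r: r.get("staff-member") is True, ["log-printing"])


def build_ps1(deny_rule_first: bool = False) -> Policy:
    """PS1 as in the message; deny_rule_first swaps R3/R4 inside P2."""
    p2_rules = [R4, R3] if deny_rule_first else [R3, R4]
    p2 = Policy("P2", "ordered-deny-overrides", lambda r: True, p2_rules)
    p5 = Policy("P5", "ordered-deny-overrides", lambda r: True, [R6])
    return Policy(
        "PS1", "ordered-permit-overrides",
        lambda r: r.get("printing-enabled-for-user") is True and r.get("resource-id") == "printing",
        [p2, p5],
    )


# Constructed requests: alice is the one from the message.
ALICE = {"subject-id": "alice", "staff-member": True, "authentication-level": "basic",
         "printing-enabled-for-user": True, "resource-id": "printing"}
BOB = {"subject-id": "bob", "staff-member": False, "authentication-level": "basic",
       "printing-enabled-for-user": True, "resource-id": "printing"}
CAROL = {"subject-id": "carol", "staff-member": False, "authentication-level": "strong",
         "printing-enabled-for-user": True, "resource-id": "printing"}


def decide(req: Request, mode: str = "correlated", deny_rule_first: bool = False) -> Result:
    return build_ps1(deny_rule_first).evaluate(req, mode)


if __name__ == "__main__":
    for who, req in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(who, "naive:", decide(req, "naive"), "correlated:", decide(req))
    print("alice, R4 before R3, naive:", decide(ALICE, "naive", deny_rule_first=True))
```

For alice the naive mode permits but still attaches "invoice-printing-cost", because R3 was applicable and evaluated before R4 overrode it; the correlated mode drops it, since P2's decision was Deny and PS1's Permit came from P5. Swapping R4 ahead of R3 inside P2 makes even the naive mode drop the invoice, because R3 is then never evaluated at all, which is the coupling between combining algorithm and returned obligations that Ray describes. Bob (non-staff, basic auth) is denied; the naive mode would nonetheless hand the PEP an invoice obligation on a Deny.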