RE: [xacml] [EXTERNAL] [xacml] Default behavior for unrecognized resourc

xacml message

Subject: RE: [xacml] [EXTERNAL] [xacml] Default behavior for unrecognized resource attributes?

From: Mohammad Jafari <mjafari@edmondsci.com>

To: William Parducci <bill@parducci.net>, Erik Rissanen <erik@axiomatics.com>

Date: Thu, 21 Jan 2016 04:10:15 +0000

I agree with Erick and Bill on this.

I also wanted to note that, where such metadata (e.g. version of the policy used in a specific decision) is important to the requester, it can be sent back by the <PolicyIdentifierList> element thereby letting the PDP record the fact that the decision has been made based on such and such version of such and such policy. I think this might be important in some cross-enterprise scenarios where different versions of a policy/attribute vocabulary might be in use.

Regards,

Mohammad

From: xacml@lists.oasis-open.org [xacml@lists.oasis-open.org] on behalf of William Parducci [bill@parducci.net]
Sent: Friday, January 15, 2016 7:36 AM
To: Erik Rissanen
Cc: Hal Lockhart; Martin Smith; XACML TC
Subject: Re: [xacml] [EXTERNAL] [xacml] Default behavior for unrecognized resource attributes?

On Jan 15, 2016, at 1:17 AM, Erik Rissanen <erik@axiomatics.com> wrote:

If you want to specify a mechanism of detecting this specific kind of error, it should be done by means of metadata. The PDP could publish a statement saying "I am operating with a policy which has been authored with the attributes foo, bar, ... in mind." Whether that means that all attributes are used or not is something which the policy author decides. In any case, the PEP can check whether the attributes it thinks are relevant have been taken into account when the policies were authored.

Agreed. This could also be handled by version information retained in PDP metadata. This is something that we discussed in the past. It is more general, but would ensure there isn’t an impedance mismatch on evaluation.