Subject: RE: The Hal/David model
And to follow up on one of Darren's points and bring things around to our most recent TC discussion...

At 11:46 AM 3/23/01 -0800, Darren Platt wrote:
>...
>I believe a statement such as "user 'noddles' is granted 'execute'
>on '/usr/bin/guitar'" is a statement of policy. This statement is not that
>different from "users who are 6 feet tall are granted 'execute' on
>'/usr/bin/guitar'" or "users who have the role 'musician' are granted
>'execute' on '/usr/bin/guitar'". These latter two clearly require a
>'decision' to enforce and are therefore the input of the policy decision
>point. I therefore don't think that this is something a PDP would pass to a
>PEP, rather something a PDP might pass to another PDP. By their names, PDPs
>and PEPs seem to me to be abstractions based on their functionality - so a
>decision point evaluates policy and makes a decision, and an enforcement
>point applies the decision.

So, to simplify the logical perspective even more:

    decision PDP(policies, attributes)
    permission PEP(decision)

?

Eve
--
Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Development  eve.maler @ east.sun.com
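
The two-step split discussed in this message, worked through as an added example (not part of the original message or of any TC specification). The attribute names, the decision strings "Permit"/"Deny"/"Indeterminate" and the permit-overrides combining are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Mapping, Sequence

Attributes = Mapping[str, object]

@dataclass(frozen=True)
class Policy:
    """Grants `action` on `resource` when `condition` holds for the attributes."""
    action: str
    resource: str
    condition: Callable[[Attributes], bool]

# The three policy statements from the quoted message.
# Attribute keys ("user", "height_ft", "roles") are assumed names.
POLICIES = [
    Policy("execute", "/usr/bin/guitar", lambda a: a.get("user") == "noddles"),
    Policy("execute", "/usr/bin/guitar", lambda a: a.get("height_ft") == 6),
    Policy("execute", "/usr/bin/guitar", lambda a: "musician" in a.get("roles", ())),
]

def pdp(policies: Sequence[Policy], attributes: Attributes) -> str:
    """Decision point: evaluate policy against attributes and return a decision.

    Permit-overrides: any matching policy that holds yields "Permit".
    A condition that cannot be evaluated (malformed attribute) yields
    "Indeterminate" unless another policy permits. No match means "Deny".
    """
    wanted = (attributes.get("action"), attributes.get("resource"))
    errored = False
    for p in policies:
        if (p.action, p.resource) != wanted:
            continue
        try:
            if p.condition(attributes):
                return "Permit"
        except Exception:
            errored = True  # remember the failure, keep evaluating
    return "Indeterminate" if errored else "Deny"

def pep(decision: str) -> bool:
    """Enforcement point: sees only the decision, never policies or attributes.

    Fails closed: anything other than an explicit "Permit" is refused.
    """
    return decision == "Permit"

if __name__ == "__main__":
    req = {"user": "noddles", "action": "execute", "resource": "/usr/bin/guitar"}
    print(pep(pdp(POLICIES, req)))
```

All three policy statements are inputs to `pdp`; `pep` receives only the resulting decision, which is the separation the quoted message argues for.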