OASIS Mailing List Archives

security-services message



Subject: RE: The Hal/David model


And to follow up on one of Darren's points and bring things around to our 
most recent TC discussion...

At 11:46 AM 3/23/01 -0800, Darren Platt wrote:
>...
>I believe a statement such as "user 'noddles' is granted 'execute'
>on '/usr/bin/guitar'" is a statement of policy.  This statement is not that
>different from "users who are 6 feet tall are granted 'execute' on
>'/usr/bin/guitar'" or "users who have the role 'musician' are granted
>'execute' on '/usr/bin/guitar'".  These latter two clearly require a
>'decision' to enforce and are therefore the input of the policy decision
>point.  I therefore don't think that this is something a PDP would pass to a
>PEP, rather something a PDP might pass to another PDP.  By their names, PDPs
>and PEPs seem to me to be abstractions based on their functionality - so a
>decision point evaluates policy and makes a decision, and an enforcement
>point applies the decision.

So, to simplify the logical perspective even more:

decision PDP(policies, attributes)
permission PEP(decision)

?

         Eve
--
Eve Maler                                             +1 781 442 3190
Sun Microsystems XML Technology Development  eve.maler @ east.sun.com
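
Added example, not part of the original message or of the TC's work: the two signatures above written out in Python, with the three statements quoted from Darren's message as the policies. The attribute names (`user`, `height_ft`, `roles`), the `Decision` type and the `request` helper are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Mapping


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"


@dataclass(frozen=True)
class Policy:
    """One grant: subjects matching `condition` get `action` on `resource`."""
    condition: Callable[[Mapping], bool]
    action: str
    resource: str


# The three statements from the quoted message, expressed as policies.
POLICIES = [
    Policy(lambda s: s.get("user") == "noddles", "execute", "/usr/bin/guitar"),
    Policy(lambda s: s.get("height_ft") == 6, "execute", "/usr/bin/guitar"),
    Policy(lambda s: "musician" in s.get("roles", ()), "execute", "/usr/bin/guitar"),
]


def pdp(policies, attributes):
    """decision PDP(policies, attributes): evaluate policy, deny by default."""
    subject = attributes.get("subject", {})
    for p in policies:
        if (p.action == attributes.get("action")
                and p.resource == attributes.get("resource")
                and p.condition(subject)):
            return Decision.PERMIT
    return Decision.DENY  # no matching grant


def pep(decision, operation):
    """permission PEP(decision): apply the decision; no policy is read here."""
    if decision is not Decision.PERMIT:  # anything but an explicit permit fails closed
        raise PermissionError("denied by PDP")
    return operation()


def request(subject, action="execute", resource="/usr/bin/guitar"):
    """Build the attribute set handed to the PDP (constructed sample input)."""
    return {"subject": subject, "action": action, "resource": resource}
```

The PEP receives only the decision, so all three policy forms (identity, physical attribute, role) stay inside the PDP, matching the split Darren describes.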


