Re: [xacml-comment] Policy question

[Anne Anderson <Anne.Anderson@Sun.COM>]

On 7 September, Brian Hawkins writes: [xacml-comment] Policy question
 > I have a question about policy.  I guess it actually is a policy
 > question.
 >  
 > I would like to write in some policy language an answer to the "what do
 > I do now?" question.
 > For example, I ran out of disk space, now what do I do?
 >  
 > The answer would be "Perform the disk clean up operation and email the
 > admin".  I would like to do this in some policy language like XACML but
 > it does not seem to be quite right for the job.
 >  
 > Has anyone else encountered this or have any thoughts on it?

There is a term for the type of policy you describe:
Event-Condition-Action, or ECA.  This is a different type of
policy from that addressed by XACML.  While there is extensive
academic literature on this type of policy, and some work in the
DMTF PIM, I do not believe there are any approved standards for
languages addresing this type of policy.

XACML could be abused to sort of do the job by describing the
problem as XACML Attributes (e.g. ResourceAttribute
urn:oasis:...:resource-id="hard disk", ActionAttribute
urn:oasis:...:action-id="ran out"), having a Policy targetted at
these Attributes, and returning two Obligations: Attribute
urn:example:...:response-action="perform disk cleanup operation",
Attribute urn:example:...:response-action="email admin".  If you
need to keep track of state, the ID of the new State could also
be returned as an Obligation, and each Request could include the
most recently returned State as an input Attribute.  This was not
part of the requirements XACML was designed to address, however,
so this is not a standard solution.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692