
xacml-comment message



Subject: Re: Policy


Tim,
 
I have to agree on the limitations of XACML as posted by you. XACML
should address all the limitations so as to expand its horizon. 

One thing I wanted to do is to give some reasoning on a deny
of access based on the business requirements iff required. The
obligation was a choice but it is static and the reasoning is 
dynamic and may be on a per-user basis. That is where I had
problems. First of all, I was not even aware if I could 
use obligation. Then Seth suggested that I do so because there 
was no better alternative.
 
Regards
Srilekha
 
Srilekha Mudumbai
 
Jericho Systems
Dallas, Texas
972-231-2000
 
 
 
-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com] 
Sent: Tuesday, September 07, 2004 12:33 PM
To: 'Brian Hawkins'; 'xacml-comment@lists.oasis-open.org'
Subject: RE: [xacml-comment] Policy question
 
Brian - Interesting.  I would call your type of policy a "management"
policy.  XACML was designed as an "authorization" policy language.  The
result of evaluating a management policy is a set of actions.  Whereas
the result of evaluating an authorization policy is a boolean decision.
 
XACML actually straddles the boundary between the two types of policy,
though.  It allows "side-effects" of the decision, in the form of
obligations.
 
There are a couple of deficiencies in XACML when used as a language for
expressing management policies.  Some of these are trivial, such as the
lack of a combining algorithm that doesn't terminate prematurely and the
fact that "effect" values of "permit" and "deny" are inappropriate in
the absence of a decision.  Others are more serious, such as the
inability to express sequence and choice amongst obligations.
 
Perhaps, XACML should extend its charter to address these questions.
 
All the best.  Tim.
-----Original Message-----
From: Brian Hawkins [mailto:bhawkins@novell.com] 
Sent: Tuesday, September 07, 2004 12:49 PM
To: xacml-comment@lists.oasis-open.org
Subject: [xacml-comment] Policy question

I have a question about policy.  I guess it actually is a policy
question.
 
I would like to write in some policy language an answer to the "what do
I do now?" question.
For example, I ran out of disk space, now what do I do?
 
The answer would be "Perform the disk clean up operation and email the
admin".  I would like to do this in some policy language like XACML but
it does not seem to be quite right for the job.
 
Has anyone else encountered this or have any thoughts on it?
 
Thanks
Brian
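
An added illustration, not part of any message in this thread and not a conforming XACML PDP: a simplified Python model of the combining-algorithm limitation Tim describes, applied to Brian's disk-full scenario. The `Policy` class, the sample policies and `collect_all` are hypothetical; `collect_all` is not an XACML combining algorithm, and `first_applicable` only approximates the XACML one of that name.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class Policy:
    name: str
    applies: Callable[[Dict], bool]   # stands in for Target/Condition matching
    effect: str                       # "Permit" or "Deny"
    obligations: List[str] = field(default_factory=list)

def first_applicable(policies: List[Policy], request: Dict) -> Tuple[str, List[str]]:
    """Authorization-style combining: stop at the first policy that applies.
    Obligations of later applicable policies are never returned."""
    for p in policies:
        if p.applies(request):
            return p.effect, list(p.obligations)
    return "NotApplicable", []

def collect_all(policies: List[Policy], request: Dict) -> List[str]:
    """Hypothetical management-style combining: evaluate every policy and
    return the ordered actions, with no Permit/Deny decision at all."""
    actions: List[str] = []
    for p in policies:
        if p.applies(request):
            actions.extend(p.obligations)
    return actions

def is_disk_full(request: Dict) -> bool:
    return request.get("event") == "disk-full"

# Constructed sample policies and request for the disk-full scenario.
POLICIES = [
    Policy("cleanup", is_disk_full, "Permit", ["run-disk-cleanup"]),
    Policy("notify", is_disk_full, "Permit", ["email-admin"]),
    Policy("audit", lambda request: True, "Permit", ["log-event"]),
]
REQUEST = {"event": "disk-full", "volume": "/var"}

if __name__ == "__main__":
    # Early termination: only the cleanup obligation survives.
    print(first_applicable(POLICIES, REQUEST))
    # Every applicable action, in policy order.
    print(collect_all(POLICIES, REQUEST))
```

With early-terminating combining, the "email the admin" action is silently dropped, and the returned `Permit` carries no meaning because nothing was being authorized.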


