Subject: RE: [xacml-comment] Re: Policy
Srilekha - My suggestion to you is that you lay out the use-case. If it is within the current charter of XACML, then the committee should explore whether it represents a common requirement and whether or not it is soluble with the current specification. You'll find a sample use-case document to use as a template at ...

http://www.oasis-open.org/committees/download.php/1378/wd-xacml-wspl-use-cases-03.pdf

I look forward to reviewing your input. All the best. Tim.

-----Original Message-----
From: Srilekha Mudumbai [mailto:sri@jerichosystems.com]
Sent: Wednesday, September 08, 2004 10:45 AM
To: xacml-comment@lists.oasis-open.org
Subject: [xacml-comment] Re: Policy

Tim,

I have to agree on the limitations of XACML as posted by you. XACML should address all the limitations so as to expand its horizon. One thing I wanted to do is to give some reasoning on a deny of access based on the business requirements iff required. The obligation was a choice but it is static and the reasoning is dynamic and may be on a per-user basis. That is where I had problems. First of all, I was not even aware if I could use obligation. Then Seth suggested that I do so because there was no better alternative.

Regards
Srilekha

Srilekha Mudumbai
Jericho Systems
Dallas, Texas
972-231-2000

The information contained in this e-mail and all attachments transmitted with it is the Confidential and Proprietary information of Jericho Systems, Inc. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, copying, or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately by replying to this message and please delete it from your computer.

-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Tuesday, September 07, 2004 12:33 PM
To: 'Brian Hawkins'; 'xacml-comment@lists.oasis-open.org'
Subject: RE: [xacml-comment] Policy question

Brian - Interesting. I would call your type of policy a "management" policy. XACML was designed as an "authorization" policy language. The result of evaluating a management policy is a set of actions. Whereas the result of evaluating an authorization policy is a boolean decision. XACML actually straddles the boundary between the two types of policy, though. It allows "side-effects" of the decision, in the form of obligations.

There are a couple of deficiencies in XACML when used as a language for expressing management policies. Some of these are trivial, such as the lack of a combining algorithm that doesn't terminate prematurely and the fact that "effect" values of "permit" and "deny" are inappropriate in the absence of a decision. Others are more serious, such as the inability to express sequence and choice amongst obligations. Perhaps, XACML should extend its charter to address these questions.

All the best. Tim.

-----Original Message-----
From: Brian Hawkins [mailto:bhawkins@novell.com]
Sent: Tuesday, September 07, 2004 12:49 PM
To: xacml-comment@lists.oasis-open.org
Subject: [xacml-comment] Policy question

I have a question about policy. I guess it actually is a policy question. I would like to write in some policy language an answer to the "what do I do now?" question. For example, I ran out of disk space, now what do I do? The answer would be "Perform the disk clean up operation and email the admin". I would like to do this in some policy language like XACML but it does not seem to be quite right for the job. Has anyone else encountered this or have any thoughts on it?

Thanks
Brian
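
The combining-algorithm point raised in the thread, as an added Python sketch that is not part of any message above and is not XACML's normative algorithm text. The `Policy` class, the policy and obligation names, and the `evaluate_all` combiner are assumptions made for illustration, applied to the disk-space use case from the original question.

```python
# Simplified model (assumption): a policy has an applicability test, an effect,
# and obligations that are returned only when its effect is the final decision.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class Policy:
    name: str
    applies: Callable[[Dict], bool]
    effect: str                                   # "Permit" or "Deny"
    obligations: List[str] = field(default_factory=list)

def first_applicable(policies, request) -> Tuple[str, List[str]]:
    """Authorization style: evaluation stops at the first applicable policy."""
    for p in policies:
        if p.applies(request):
            return p.effect, list(p.obligations)
    return "NotApplicable", []

def deny_overrides(policies, request) -> Tuple[str, List[str]]:
    """Authorization style: the first Deny ends evaluation and discards
    obligations gathered from Permit policies seen so far."""
    gathered, permitted = [], False
    for p in policies:
        if not p.applies(request):
            continue
        if p.effect == "Deny":
            return "Deny", list(p.obligations)
        permitted = True
        gathered.extend(p.obligations)
    return ("Permit", gathered) if permitted else ("NotApplicable", [])

def evaluate_all(policies, request) -> List[str]:
    """Hypothetical management-style combiner: no decision is produced and
    every applicable policy contributes its actions, in policy order."""
    return [o for p in policies if p.applies(request) for o in p.obligations]

# Constructed policies and requests for the "disk is full" use case.
def disk_full(r): return r.get("event") == "disk-full"
def quota_hit(r): return r.get("quota_exceeded", False)

POLICIES = [
    Policy("cleanup", disk_full, "Permit", ["run-disk-cleanup"]),
    Policy("block-writes", quota_hit, "Deny", ["reject-write"]),
    Policy("notify", disk_full, "Permit", ["email-admin"]),
]
REQUEST = {"event": "disk-full"}
REQUEST_QUOTA = {"event": "disk-full", "quota_exceeded": True}
```

With `REQUEST`, `first_applicable` returns only the cleanup obligation, and `deny_overrides` returns both actions but only by attaching them to a "Permit" that decides nothing; with `REQUEST_QUOTA`, the Deny cuts evaluation short and the cleanup action is lost.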