OASIS Mailing List Archives

xacml-dev message


Subject: Re: [xacml-dev] question on "obligation"

Hi Paulus.

> - May a PDP implementation call functions that are specified in the 
> <obligation>? So could the <obligation> specify functions to be called 
> *by the PDP* e.g. an external DataBase or e.g. a charging function.

No, a PDP may not interpret or process anything in an Obligation. There 
are examples in the 1.x specifications that seem to imply otherwise 
(e.g., using an AttributeSelector), which has caused a lot of confusion. 
That's supposed to be addressed in 2.0.

> - Another question that I have is - is it specified in the spec how to 
> specify a certain sequence of policies/policy rules that are to be 
> executed one after the other?

I'm not entirely sure I understand the question, but I think you're 
asking about combining algorithms. For instance, the ordered algorithms 
specify that all elements of a Policy[Set] must be evaluated in order. 
Some of the algorithms have short-circuit behavior too, so may not need 
to evaluate all children to come up with a decision.

If you are asking whether, given N Policy[Set]s, you can tell the PDP in a 
standard way to evaluate them in order, the answer is no. A PDP may 
only evaluate a single Policy[Set] in response to some Request. In your 
system, however, you can dynamically group all your policies under a 
single PolicySet, and define the combining algorithm such that you get 
the behavior you want. In my SunXACML project, for example, the 
PolicyFinderModule interface that you use makes this really easy to do.

Did that help, or am I missing the question?
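
Added illustration, not part of the original message and not SunXACML code: a simplified Python model of the two points in the reply, namely that policies grouped under one PolicySet are evaluated in order with possible short-circuiting, and that obligations are returned as opaque data for the PEP rather than run by the PDP. All class, function and policy names are hypothetical, the requests are constructed, and Indeterminate results are not modeled.

```python
# Added example: simplified model of XACML policy combining. All names are
# hypothetical; this is not SunXACML code and Indeterminate is not modeled.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
class Policy:
    def __init__(self, pid, applies, effect, obligations=()):
        self.pid, self.applies, self.effect = pid, applies, effect
        self.obligations = list(obligations)  # (fulfill_on, payload) pairs
    def evaluate(self, request, trace):
        trace.append(self.pid)  # record which policies were actually evaluated
        if not self.applies(request):
            return NA, []
        # Obligations pass through as opaque data; the PDP never executes them.
        return self.effect, [o for o in self.obligations if o[0] == self.effect]

def first_applicable(children, request, trace):
    """Evaluate in order; stop at the first child that is applicable."""
    for child in children:
        decision, obligations = child.evaluate(request, trace)
        if decision != NA:
            return decision, obligations
    return NA, []

def ordered_deny_overrides(children, request, trace):
    """Evaluate in order; the first Deny decides and ends evaluation."""
    result, kept = NA, []
    for child in children:
        decision, obligations = child.evaluate(request, trace)
        if decision == DENY:
            return DENY, obligations
        if decision == PERMIT:
            result, kept = PERMIT, kept + obligations
    return result, kept

class PolicySet:
    def __init__(self, combine, children):
        self.combine, self.children = combine, children
    def evaluate(self, request, trace):
        return self.combine(self.children, request, trace)

CHILDREN = [  # constructed sample policies
    Policy("audit-admin", lambda r: r["role"] == "admin", PERMIT, [(PERMIT, "log-access")]),
    Policy("block-guests", lambda r: r["role"] == "guest", DENY, [(DENY, "notify-owner")]),
    Policy("default-permit", lambda r: True, PERMIT),
]

def decide(combine, request):
    trace = []  # the PDP evaluates only the single root PolicySet
    decision, obligations = PolicySet(combine, CHILDREN).evaluate(request, trace)
    return decision, [payload for _, payload in obligations], trace
```

The third element returned by `decide` lists the policies that were actually evaluated, which makes the short-circuit visible: a guest request stops after `block-guests` under either algorithm, while an admin request under `ordered_deny_overrides` walks all three children.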

