OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml-dev] question on "obligation"

Hi Seth,

Thank you for your answers. 

What I am trying to find out with the 2nd question is:

(1) could the evaluation of a policy rule lead/point to a "next" rule - example - if <condition> evaluates to true then go check the following <rule>. You could consider this "nesting" of rules. As I understand Effect and Obligation are to be carried out by the PEP and I don't find means specified in the XACML spec to achieve that (2) the PDP can -by means of policy rules- be instructed to carry out a specific task (e.g. evaluating a successive policy, e.g. interacting with a charging system, etc). Or are there other means that I overlooked (for instructing the PDP by means of a policy rule) to carry out a task?


 -----Original Message-----
From: 	Seth.Proctor@Sun.COM [mailto:Seth.Proctor@Sun.COM] 
Sent:	Wednesday, July 28, 2004 4:03 PM
To:	Paulus Karremans (RY/ETM)
Cc:	'xacml-dev@lists.oasis-open.org'
Subject:	Re: [xacml-dev] question on "obligation"

Hi Paulus.

> - May a PDP implementation call functions that are specified in the 
> <obligation>? So could the <obligation> specify functions to be called 
> *by the PDP* e.g. an external DataBase or e.g. a charging function.

No, a PDP may not intrepret or process anything in an Obligation. There 
are examples in the 1.x specifications that seem to imply otherwise 
(eg, using an AttributeSelector), which has caused a lot of confusion. 
That's supposed to be addressed in 2.0.

> - Another question that I have is - is it specified in the spec how to 
> specify a certain sequence of policies/policy rules that are to be 
> executed one after the other?

I'm not entirely sure I understand the question, but I think you're 
asking about combining algorithms. For instance, the ordered algorithms 
specify that all elements of a Policy[Set] must be evaluated in order. 
Some of the algorithms have short-circuit behavior too, so may not need 
to evaluate all children to come up with a decision.

Are you asking if, given N Policy[Set]s, you can tell the PDP in a 
standard way to evaluate them in order, the answer is no. A PDP may 
only ealuate a single Policy[Set] in response to some Request. In your 
system, however, you can dynamically group all your policies under a 
single PolicySet, and define the combining algorithm such that you get 
the beahvior you want. In my SunXACML project, for example, the 
PolicyFinderModule interface that you use makes this really easy to do.

Did that help, or am I missing the question?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]