xacml-dev message


Subject: Re: [xacml-dev] question on "obligation"

> Thank you for your answers.

No problem. Sorry I've been slow on this response, but I've been 
travelling for the last week or so. Anyway...

> (1) could the evaluation of a policy rule lead/point to a "next" rule 
> - example - if <condition> evaluates to true then go check the 
> following <rule>. You could consider this "nesting" of rules. As I 
> understand Effect and Obligation are to be carried out by the PEP and 
> I don't find means specified in the XACML spec to achieve that

There is no explicit way to say "if the condition is true, then 
evaluate something else too." What you can do, however, is use a 
combining algorithm that gives you the same kind of behavior, which is 
what I tried to describe in my previous email. These let you say things 
like "if this rule evaluates to permit, then evaluate the next one 
too." Obligations, however, don't play into the at all. If you wanted, 
you could use an Obligation to tell the PEP to evaluate some extra 
Rule, but that's not what you're asking (I don't think).

> (2) the PDP can -by means of policy rules- be instructed to carry out 
> a specific task (e.g. evaluating a successive policy, e.g. interacting 
> with a charging system, etc). Or are there other means that I 
> overlooked (for instructing the PDP by means of a policy rule) to 
> carry out a task?

A PDP is only supposed to carry out one task, and that is evaluating 
policies. In the course of evaluating a policy, however, the PDP may 
evaluate some custom function, or interact with the system to (for 
example) retrieve an attribute value or an external policy. In these 
cases, the PDP may end up interacting with an external system. It's not 
always pretty, but it's certainly doable. My implementation gives you 
APIs for writing custom modules or functions, and within your code 
you're free to do anything you like. Does that answer your question?

Typically, however, this isn't needed. A policy is created using 
combining algorithms to describe the relationships between rules and 
policies, and the policy may use external policies. A PDP evaluates 
this policy to derive an authorization decision, and part of that may 
include an Obligation for the PEP, which may in fact result in another 
query to the PDP. If you have a specific use case that isn't met by 
this model, I (and probably others) would be very interested to hear it 
to figure out the right approach.
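The point made above about combining algorithms and obligations, shown as an added example that is not part of the original message and not code from the Sun XACML implementation the author refers to. The class and function names (Rule, Policy, Obligation, first_applicable, deny_overrides, decide) and the sample policy are this example's own, and the two combining algorithms are simplified from the XACML 1.x specification's pseudocode. It shows why a combining algorithm is what gives you "if this rule permits, evaluate the next one too": first-applicable stops at the first rule that applies, while deny-overrides keeps going after a Permit because a later Deny wins. It also shows that obligations are simply attached to the decision returned to the PEP (only those whose FulfillOn matches the decision), not something the PDP acts on itself.

```python
"""Toy model of XACML rule-combining algorithms and obligations.

Added example for this thread; it is not code from the original message and
not the Sun XACML implementation. Names (Rule, Policy, Obligation, evaluate,
first_applicable, deny_overrides, decide) are this example's own, and the
algorithms are simplified from the XACML 1.x spec pseudocode.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"
Request = Dict[str, str]


@dataclass
class Rule:
    rule_id: str
    effect: str                                            # Permit or Deny
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req: Request) -> str:
        """A rule yields its Effect when the condition holds, NotApplicable
        when it does not, and Indeterminate when an attribute is missing."""
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except KeyError:
            return INDETERMINATE


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str  # the PEP carries it out only when the decision matches


def first_applicable(rules: List[Rule], req: Request, trace: List[str]) -> str:
    """Stop at the first rule that is not NotApplicable; later rules are never looked at."""
    for rule in rules:
        trace.append(rule.rule_id)
        result = rule.evaluate(req)
        if result != NOT_APPLICABLE:
            return result
    return NOT_APPLICABLE


def deny_overrides(rules: List[Rule], req: Request, trace: List[str]) -> str:
    """A Permit does not end evaluation: every rule is consulted because a later Deny wins."""
    at_least_one_permit = at_least_one_error = potential_deny = False
    for rule in rules:
        trace.append(rule.rule_id)
        result = rule.evaluate(req)
        if result == DENY:
            return DENY
        if result == PERMIT:
            at_least_one_permit = True
        elif result == INDETERMINATE:
            at_least_one_error = True
            if rule.effect == DENY:
                potential_deny = True  # a Deny rule that could not be evaluated
    if potential_deny:
        return INDETERMINATE
    if at_least_one_permit:
        return PERMIT
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE


COMBINING = {"first-applicable": first_applicable, "deny-overrides": deny_overrides}


@dataclass
class Policy:
    policy_id: str
    rule_combining: str
    rules: List[Rule]
    obligations: List[Obligation] = field(default_factory=list)

    def evaluate(self, req: Request) -> Tuple[str, List[str], List[str]]:
        """Return (decision, obligation ids for the PEP, ids of rules actually evaluated)."""
        trace: List[str] = []
        decision = COMBINING[self.rule_combining](self.rules, req, trace)
        # Obligations go back to the PEP only when their FulfillOn matches the decision.
        due = [o.obligation_id for o in self.obligations if o.fulfill_on == decision]
        return decision, due, trace


# Constructed sample policy: employees may read, but a suspended subject is denied.
RULES = [
    Rule("employee-read", PERMIT, lambda r: r["role"] == "employee" and r["action"] == "read"),
    Rule("suspended-deny", DENY, lambda r: r["suspended"] == "true"),
]
OBLIGATIONS = [Obligation("log-access", PERMIT), Obligation("notify-security", DENY)]


def decide(algorithm: str, req: Request) -> Tuple[str, List[str], List[str]]:
    """Evaluate the sample policy under the named rule-combining algorithm."""
    return Policy("sample-policy", algorithm, RULES, OBLIGATIONS).evaluate(req)


if __name__ == "__main__":
    suspended_employee = {"role": "employee", "action": "read", "suspended": "true"}
    for alg in COMBINING:
        print(alg, decide(alg, suspended_employee))
```

With the suspended employee, first-applicable returns Permit after looking at one rule and hands the PEP the log-access obligation; deny-overrides evaluates both rules, returns Deny and hands the PEP notify-security instead. Dropping the "suspended" attribute from the request makes the Deny rule Indeterminate, which deny-overrides reports as Indeterminate with no obligations, a failure mode worth checking in the PEP rather than treating as Permit.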

