Subject: Re: [xacml-dev] question on "obligation"
> Thank you for your answers.

No problem. Sorry I've been slow on this response, but I've been travelling for the last week or so. Anyway...

> (1) could the evaluation of a policy rule lead/point to a "next" rule
> - example - if <condition> evaluates to true then go check the
> following <rule>. You could consider this "nesting" of rules. As I
> understand Effect and Obligation are to be carried out by the PEP and
> I don't find means specified in the XACML spec to achieve that

There is no explicit way to say "if the condition is true, then evaluate something else too." What you can do, however, is use a combining algorithm that gives you the same kind of behavior, which is what I tried to describe in my previous email. These let you say things like "if this rule evaluates to permit, then evaluate the next one too." Obligations, however, don't play into this at all. If you wanted, you could use an Obligation to tell the PEP to evaluate some extra Rule, but that's not what you're asking (I don't think).

> (2) the PDP can -by means of policy rules- be instructed to carry out
> a specific task (e.g. evaluating a successive policy, e.g. interacting
> with a charging system, etc). Or are there other means that I
> overlooked (for instructing the PDP by means of a policy rule) to
> carry out a task?

A PDP is only supposed to carry out one task, and that is evaluating policies. In the course of evaluating a policy, however, the PDP may evaluate some custom function, or interact with the system to (for example) retrieve an attribute value or an external policy. In these cases, the PDP may end up interacting with an external system. It's not always pretty, but it's certainly doable. My implementation gives you APIs for writing custom modules or functions, and within your code you're free to do anything you like. Does that answer your question? Typically, however, this isn't needed.

A policy is created using combining algorithms to describe the relationships between rules and policies, and the policy may use external policies. A PDP evaluates this policy to derive an authorization decision, and part of that may include an Obligation for the PEP, which may in fact result in another query to the PDP. If you have a specific use case that isn't met by this model, I (and probably others) would be very interested to hear it to figure out the right approach.

seth
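The following is an added illustration of the point made in the reply above; it is not code from this thread, from the XACML specification, or from Sun's XACML implementation. It is a toy PDP that models three rule-combining algorithms and shows why "evaluate the next rule too" is a property of the combining algorithm rather than of any rule, and that obligations are simply returned to the PEP when their FulfillOn effect matches the final decision. The class names, the two sample rules, the obligation identifiers and the request attributes are all constructed for the example.

```python
"""Toy model of XACML rule combining and obligation filtering.

Added example, not code from the xacml-dev thread, the XACML spec, or
Sun's XACML implementation. Rule, Obligation, Policy, the sample rules
and the sample request below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, str]


@dataclass
class Rule:
    rule_id: str
    effect: str                          # Permit or Deny
    condition: Callable[[Request], bool]  # True means the rule applies

    def evaluate(self, request: Request) -> str:
        return self.effect if self.condition(request) else NOT_APPLICABLE


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str  # decision for which the PEP must carry it out


@dataclass
class Policy:
    policy_id: str
    combining_alg: str  # first-applicable | deny-overrides | permit-overrides
    rules: List[Rule]
    obligations: List[Obligation] = field(default_factory=list)


def combine(alg: str, rules: List[Rule], request: Request, trace: List[str]) -> str:
    """Apply a rule-combining algorithm; `trace` records each rule evaluated.

    first-applicable: the first rule that applies decides; later rules are
        never evaluated.
    deny-overrides: keep evaluating after a Permit so that a later Deny can
        override it (this is the "evaluate the next one too" behaviour).
    permit-overrides: the mirror image, a later Permit overrides a Deny.
    """
    decision = NOT_APPLICABLE
    for rule in rules:
        effect = rule.evaluate(request)
        trace.append(f"{rule.rule_id}={effect}")
        if effect == NOT_APPLICABLE:
            continue
        if alg == "first-applicable":
            return effect
        if alg == "deny-overrides":
            if effect == DENY:
                return DENY  # nothing can override a Deny, stop here
            decision = PERMIT  # provisional; a later Deny still wins
        elif alg == "permit-overrides":
            if effect == PERMIT:
                return PERMIT
            decision = DENY
        else:
            raise ValueError(f"unknown combining algorithm: {alg}")
    return decision


def evaluate_policy(policy: Policy, request: Request) -> Tuple[str, List[str], List[str]]:
    """Return (decision, obligation ids for the PEP, evaluation trace)."""
    trace: List[str] = []
    decision = combine(policy.combining_alg, policy.rules, request, trace)
    # Only obligations whose FulfillOn matches the decision go back to the PEP;
    # the PDP itself never acts on them.
    obligations = [o.obligation_id for o in policy.obligations if o.fulfill_on == decision]
    return decision, obligations, trace


# Constructed sample rules: employees may read, but nothing after 18:00.
def is_employee_read(req: Request) -> bool:
    return req.get("role") == "employee" and req.get("action") == "read"


def is_after_hours(req: Request) -> bool:
    return int(req.get("hour", "0")) >= 18


RULES = [
    Rule("employee-may-read", PERMIT, is_employee_read),
    Rule("deny-after-hours", DENY, is_after_hours),
]
OBLIGATIONS = [Obligation("log-access", PERMIT), Obligation("notify-admin", DENY)]
FIRST_APPLICABLE = Policy("p-first", "first-applicable", RULES, OBLIGATIONS)
DENY_OVERRIDES = Policy("p-deny", "deny-overrides", RULES, OBLIGATIONS)

# Constructed sample request: an employee reading at 20:00.
AFTER_HOURS_READ: Request = {"role": "employee", "action": "read", "hour": "20"}

if __name__ == "__main__":
    for policy in (FIRST_APPLICABLE, DENY_OVERRIDES):
        print(policy.combining_alg, evaluate_policy(policy, AFTER_HOURS_READ))
```

With the same two rules, first-applicable returns Permit and never evaluates the after-hours rule, whereas deny-overrides evaluates it and returns Deny; the obligation handed to the PEP changes accordingly. This is the sense in which a combining algorithm, not an obligation, gives the "if this rule permits, check the next one" behaviour asked about.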