OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: remote PDP


I was thinking about remote PDPs. I thought that maybe there could be a authorization service in the enterprise. You go there and ask permission to do something. So, every app will have PEP, then PEP talks to a central PDP, which in turn evaluates the request and makes a decision.

The problem is that is there's not enough information in the Request, PDP will need to find missing attributes. These attributes are local to the application. What to do?

One solution is to centrally store policies in the registry, but evaluate them locally, i.e. PDP is local, not remote. I don't like this, because maybe it's not a good idea to have all policies open for retrieval. Maybe certain policies are confidential or secretm but they exist. 

I'd like to have one PDP for whole enterprise. Any thoughts?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]