OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml-users] Obligations: How can they be used?

Hi Mary.

On Thu, 2004-10-28 at 11:40, Mary Kolencik (siamese@bcpl.net) wrote:
> >FYI, there is a discussion list specific to the SunXACML implementation,
> >though I think you probably found it given your comment about mailing
> >lists. I know this is a general question, but I wanted to let you know
> >about the project-specific list, in case you hadn't found it yet..
> >
> I haven't found it, can you list a URL or something to subscribe?

Sure. Go to http://sourceforge.net/mail/?group_id=73884 to find info on
the lists. What I referenced is the sunxacml-discuss list which is a
list for general and project-specific topics. The list is open to
anyone, and there is a web-based archive. Hope this helps!

> On the topic of obligations, I gather that they only apply to
> permit and deny. Or can obligations be returned with not applicable
> and indeterminate as well? I'm thinking of the example of using
> obligations for tracking all access attempts to particular
> resources, in which case you would want the obligations passed
> up with na and indeterminate.

You're correct that they're only retrurned on Permit and Deny Decisions.
If the PDP arrives at a decision of NotApplicable then it means it
doesn't know anything about your query, so it shouldn't be able to
return an Obligation. In the case of Indeterminate it means that some
error occurred (ie, processing couldn't complete), so it would be
misleading to return an Obligation, although you could try including
some kind of custom status detail.

In general, if you need Obligations in all cases, then you should make
sure that your PDP always returns Permit or Deny. Granted, that's not
always easy (or possible), but it's the only way to always have
Obligations available.

Another model, which may not work for you, is to write some custom code
that recognizes when your specific resources are queried. You could then
track the Decision at the PDP and log to some service from there. This
would be pretty easy using my implementation (and probably others too),
but, of course, it's non-standard behavior. Sorry I can't offer you
other options..


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]