OASIS Mailing List Archives

xacml-users message

Subject: Third-party Pre-Fetch of authorization decision

I am trying to specify the use of XACML in a situation where the
accessing party, knowing that an authorization decision will be needed
by a PEP, requests in advance the authorization decision from the PDP
and pushes "the decision" with the resource access request to the PEP.
We have a need to do this to cover two situations:  a) the PDP may not
be visible to the PEP at resource access time and b) there may be
privacy considerations about the PDP knowing exactly what is accessed
when (so by asking in advance, the PDP doesn't know exactly what is done
and when it is done --- yes, fully admit that this is only adding a
little murkiness to what the PDP knows).
I've poked about in the XACML specs (but clearly don't claim to "know"
them) and don't seem to be able to find this case described or
explicitly handled (the specs seem to revolve around the PEP asking the
Did I miss something or is this use case not considered in scope?  If
not in scope, any advice on a "good" way to do this (from the XACML
point of view)?