Subject: Re: [xacml-users] Third-party Pre-Fetch of authorization decision
Seth's answer is probably the way to go. But another way to address the privacy considerations is to use a PDP that is local to the PEP (within the same administrative domain or even within the same application). Let the PEP's local PDP make the decision rather than going to some remote PDP with which privacy is a concern. The local PDP can retrieve the applicable policy using a SAML XACMLPolicyQuery.

-Anne

Cahill, Conor P wrote On 05/08/06 08:23,:
> I am trying to specify the use of XACML in a situation where the
> accessing party, knowing that an authorization decision will be needed
> by a PEP, requests in advance the authorization decision from the PDP
> and pushes "the decision" with the resource access request to the PEP.
>
> We have a need to do this to cover two situations: a) the PDP may not
> be visible to the PEP at resource access time and b) there may be
> privacy considerations about the PDP knowing exactly what is accessed
> when (so by asking in advance, the PDP doesn't know exactly what is done
> and when it is done --- yes, fully admit that this is only adding a
> little murkiness to what the PDP knows).
>
> I've poked about in the XACML specs (but clearly don't claim to "know"
> them) and don't seem to be able to find this case described or
> explicitly handled (the specs seem to revolve around the PEP asking the
> PDP).
>
> Did I miss something or is this use case not considered in scope? If
> not in scope, any advice on a "good" way to do this (from the XACML
> point of view)?
>
> Conor
>

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
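
Added example (not part of the original message, and not code from any XACML implementation): a simplified model of the local-PDP arrangement described in the reply, showing that the remote policy source observes a single policy query rather than each access decision. The rules are constructed tuples rather than XACML XML, and `policy_query` is a hypothetical stand-in for the SAML XACMLPolicyQuery exchange.

```python
from dataclasses import dataclass, field

# Constructed sample policy: (role, action, resource prefix, effect).
SAMPLE_RULES = [
    ("doctor", "read",  "/records/", "Permit"),
    ("doctor", "write", "/records/", "Permit"),
    ("intern", "read",  "/records/", "Permit"),
    ("intern", "write", "/records/", "Deny"),
]

@dataclass
class RemotePolicyStore:
    """Remote domain: serves policy and records everything it is asked."""
    rules: list
    observed: list = field(default_factory=list)

    def policy_query(self, target_prefix):
        # Hypothetical stand-in for a SAML XACMLPolicyQuery round trip.
        self.observed.append(("policy-query", target_prefix))
        return [r for r in self.rules if r[2] == target_prefix]

@dataclass
class LocalPDP:
    """PDP inside the PEP's own domain; evaluates fetched policy locally."""
    store: RemotePolicyStore
    cache: dict = field(default_factory=dict)

    def decide(self, role, action, resource):
        prefix = "/" + resource.strip("/").split("/")[0] + "/"
        if prefix not in self.cache:
            # Only this fetch is visible remotely. Cache refresh is out of
            # scope here; a real deployment must bound policy staleness.
            self.cache[prefix] = self.store.policy_query(prefix)
        effects = {e for (r, a, p, e) in self.cache[prefix]
                   if r == role and a == action and resource.startswith(p)}
        if "Deny" in effects:          # deny-overrides combining
            return "Deny"
        return "Permit" if "Permit" in effects else "NotApplicable"

def pep_allows(pdp, role, action, resource):
    """PEP enforcement: anything other than Permit is refused."""
    return pdp.decide(role, action, resource) == "Permit"

if __name__ == "__main__":
    store = RemotePolicyStore(SAMPLE_RULES)
    pdp = LocalPDP(store)
    for req in [("doctor", "read", "/records/17"), ("intern", "write", "/records/17")]:
        print(req, pdp.decide(*req))
    print("remote side observed:", store.observed)
```

The remote log holds the policy fetch only; which record was touched, by whom, and when stays inside the PEP's domain.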