OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml-users] Help on Condition ? <-- Obligations



On Dec 12, 2008, at 9:47 AM, Oleg Gryb wrote:

> Yoichi,
>
> In your reasoning I don't really see a fundamental difference  
> between "sign an agreement" and "show a reason of denial"  
> obligations. In the latter case and in my example the "next step"  
> for the user may be signing up a fee-based agreement for the bill  
> payment service.

The position I have taken on the TC is that we should differentiate  
between Obligations (Decision + ACTION) and Causality (Decision +  
INFORMATION). The primary reason for this is that Obligations are  
becoming overloaded to the point that they are a general mechanism for  
anything not covered in the spec. There is currently a proposal to  
push Obligations to the Rule level (to solve some causality Use Cases)  
which I think will only exacerbate the problem.

My proposal therefore, is that we do not extend Obligations to the  
Rule level and we introduce a mechanism that is specifically intended  
for cause/advice responses. This doesn't solve my concern with  
Obligations but it does provide what I feel is a more precise  
mechanism for dealing with this aspect of the decision response.

The counter argument to my approach is that users will not be able to  
easily differentiate between what it "actionable" and what is  
"informational" so no additional benefit will be had from adding an  
explicit causal response mechanism (that is very similar to how  
Obligations work). For the specific case you have below I would answer  
that "sign" is a verb which makes this an ACTION. Therefore it would  
be an Obligation. "Show reason of denial" does not require action by  
the PEP so it would be an Advice (Cause, whatever we decide to call  
it :). As an Obligation the Policy Writer should be able to expect  
that the action will transpire and if not some sort of error condition  
will occur. The latter will not be bound to an explicit action and  
subsequent processing may or may not act independently from the  
original decision request/response.

I would be very interested in hearing what the user community thinks  
of this.

thanks

b


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]