Re: [xacml-users] Help on Condition ? <-- Obligations

[Bill Parducci <bill@parducci.net>]

On Dec 12, 2008, at 12:03 PM, Oleg Gryb wrote:

> Let us modify my example a bit by changing message to: "You've  
> exceeded the max of $10000 in 6-month period. If you want to  
> continue using the bill pay service, sign the agreement below".
>
> If a user signs the agreement bill pay functionality will be  
> enabled, otherwise the access will be denied. How is it different  
> from the "sign agreement" obligation that Yoichi was writing about?

On one level they are the same in that there is an action that is  
expected by the PEP that is associated with the Decision. Where it  
gets messy is the chaff around the message. In Yoichi's case "sign" is  
an explicit PEP action that while still subject to implementation (as  
are all things in Obligations :( has a moderately quantifiable meaning  
to the PEP. In other words, it is telling the PEP to something: sign  
the payload.

Your case is describes and Obligation that is effectively written to  
the Subject. The PEP somehow infers that it takes action. There are  
many ways to define what: custom delimiters, string structures, etc.  
but in my mind that makes a bad situation worse because it further  
extends localized logic. I personally don't find this type of compound  
logic appealing; it seems to me to be analogous to only having a  
single Rule that invokes http://myuri/doEverythingNecessary.

I guess to some it sounds pedantic on my part but think of the  
Implications of Policy creation if, "You've exceeded the max of $10000  
in 6-month period. If you want to continue using the bill pay service,  
sign the agreement below" is an actionable statement. Personally, I  
try to take the perspective of an auditor so things outside of the  
explicit Policy content or free form text instructions make we all  
squishy inside :)

b