Subject: Re: [xacml-users] Help on Condition ? <-- Obligations
On Dec 12, 2008, at 12:03 PM, Oleg Gryb wrote:

> Let us modify my example a bit by changing message to: "You've
> exceeded the max of $10000 in 6-month period. If you want to
> continue using the bill pay service, sign the agreement below".
>
> If a user signs the agreement, bill pay functionality will be
> enabled, otherwise the access will be denied. How is it different
> from the "sign agreement" obligation that Yoichi was writing about?

On one level they are the same in that there is an action that is expected by the PEP that is associated with the Decision. Where it gets messy is the chaff around the message.

In Yoichi's case "sign" is an explicit PEP action that while still subject to implementation (as are all things in Obligations :( has a moderately quantifiable meaning to the PEP. In other words, it is telling the PEP to do something: sign the payload.

Your case describes an Obligation that is effectively written to the Subject. The PEP somehow infers that it takes action. There are many ways to define what: custom delimiters, string structures, etc. but in my mind that makes a bad situation worse because it further extends localized logic. I personally don't find this type of compound logic appealing; it seems to me to be analogous to only having a single Rule that invokes http://myuri/doEverythingNecessary.

I guess to some it sounds pedantic on my part but think of the Implications of Policy creation if, "You've exceeded the max of $10000 in 6-month period. If you want to continue using the bill pay service, sign the agreement below" is an actionable statement.

Personally, I try to take the perspective of an auditor so things outside of the explicit Policy content or free form text instructions make me all squishy inside :)

b
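Added example, not part of the original message: a minimal Python PEP contrasting an obligation identified by an explicit id with one that carries only free-form text for the Subject. The obligation and attribute identifiers, the handler table and the sample XACML 2.0 responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"
POL = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
# Hypothetical identifiers, invented for this example.
SIGN = "urn:example:obligation:sign-agreement"
SHOW = "urn:example:obligation:display-message"
AGREEMENT = "urn:example:attribute:agreement-id"
TEXT = "urn:example:attribute:text"

def response(obligation_id, attr_id, value):
    """Build a constructed XACML 2.0 Permit response with one obligation."""
    return (
        f'<Response xmlns="{CTX[1:-1]}" xmlns:p="{POL[1:-1]}">'
        '<Result><Decision>Permit</Decision><p:Obligations>'
        f'<p:Obligation ObligationId="{obligation_id}" FulfillOn="Permit">'
        f'<p:AttributeAssignment AttributeId="{attr_id}" '
        'DataType="http://www.w3.org/2001/XMLSchema#string">'
        f'{value}</p:AttributeAssignment></p:Obligation>'
        '</p:Obligations></Result></Response>')

EXPLICIT = response(SIGN, AGREEMENT, "billpay-over-limit-v1")
FREE_TEXT = response(SHOW, TEXT, "You've exceeded the max of $10000 in 6-month "
                     "period. If you want to continue using the bill pay "
                     "service, sign the agreement below")

# Each handler maps one obligation id to one defined PEP action.
HANDLERS = {
    SIGN: lambda a: ("sign", a[AGREEMENT]),
    SHOW: lambda a: ("display", a[TEXT]),
}

def enforce(xml_text):
    """Return (decision, actions); deny if an obligation is not understood."""
    result = ET.fromstring(xml_text).find(f"{CTX}Result")
    actions = []
    for ob in result.iter(f"{POL}Obligation"):
        handler = HANDLERS.get(ob.get("ObligationId"))
        if handler is None:
            return "Deny", []  # the PEP may not permit what it cannot discharge
        attrs = {a.get("AttributeId"): a.text
                 for a in ob.iter(f"{POL}AttributeAssignment")}
        actions.append(handler(attrs))
    return result.findtext(f"{CTX}Decision"), actions

if __name__ == "__main__":
    print(enforce(EXPLICIT))   # the sign step is a recorded, typed action
    print(enforce(FREE_TEXT))  # only a display action; "sign" lives in prose
```

With the free-text obligation the only action the PEP can log is "display"; the signing requirement exists solely inside the message string, which is what an auditor reading the Policy cannot trace.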