Subject: Re: [xacml-users] Help on Condition ? <-- Obligations
Definitely a valid option. This is one of the approaches we began investigating on the wiki at the beginning of v3 (http://wiki.oasis-open.org/xacml). Unfortunately, I got ambitious and attempted to create a combining framework and the scope spun out of control and there hasn't been interest until recently to consider this problem in the v3 timeframe.

b

On Dec 12, 2008, at 3:06 PM, Oleg Gryb wrote:

> Bill,
>
> I see your point and think that your "quantification" argument is valid, but I still think that a quantified action ("sign") and additional information ("message") could be incorporated into Obligation. I think it would be logical in the cases when the latter is related to the former (as in my example).
>
> I also think that whatever decision TC makes (message outside of Obligation or message inside the Obligation, or both) the most important thing is to allow expressions for building both "explicit quantified actions" and "messy abstract messages" :)
>
> --- On Fri, 12/12/08, Bill Parducci <bill@parducci.net> wrote:
>
>> From: Bill Parducci <bill@parducci.net>
>> Subject: Re: [xacml-users] Help on Condition ? <-- Obligations
>> To: oleg@gryb.info
>> Cc: xacml-users@lists.oasis-open.org
>> Date: Friday, December 12, 2008, 3:58 PM
>>
>> On Dec 12, 2008, at 12:03 PM, Oleg Gryb wrote:
>>
>>> Let us modify my example a bit by changing message to: "You've exceeded the max of $10000 in 6-month period. If you want to continue using the bill pay service, sign the agreement below".
>>>
>>> If a user signs the agreement bill pay functionality will be enabled, otherwise the access will be denied. How is it different from the "sign agreement" obligation that Yoichi was writing about?
>>
>> On one level they are the same in that there is an action that is expected by the PEP that is associated with the Decision. Where it gets messy is the chaff around the message. In Yoichi's case "sign" is an explicit PEP action that while still subject to implementation (as are all things in Obligations :( has a moderately quantifiable meaning to the PEP. In other words, it is telling the PEP to do something: sign the payload.
>>
>> Your case describes an Obligation that is effectively written to the Subject. The PEP somehow infers that it takes action. There are many ways to define what: custom delimiters, string structures, etc. but in my mind that makes a bad situation worse because it further extends localized logic. I personally don't find this type of compound logic appealing; it seems to me to be analogous to only having a single Rule that invokes http://myuri/doEverythingNecessary.
>>
>> I guess to some it sounds pedantic on my part but think of the Implications of Policy creation if, "You've exceeded the max of $10000 in 6-month period. If you want to continue using the bill pay service, sign the agreement below" is an actionable statement. Personally, I try to take the perspective of an auditor so things outside of the explicit Policy content or free form text instructions make me all squishy inside :)
>>
>> b
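The distinction argued in this thread, as an added example that is not part of either poster's message: a PEP that acts only on the ObligationId and treats the message carried inside the Obligation as opaque display text. The `urn:example:...` identifiers, the handler names and the choice to deny on an obligation the PEP does not recognize are assumptions of this sketch; the XML is a constructed sample in XACML 2.0 style.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the urn:example:* identifiers are hypothetical.
POLICY_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SAMPLE = f"""
<Obligations xmlns="{POLICY_NS}">
  <Obligation ObligationId="urn:example:obligation:sign-agreement" FulfillOn="Permit">
    <AttributeAssignment AttributeId="urn:example:obligation:message" DataType="{STRING}">You've exceeded the max of $10000 in 6-month period. If you want to continue using the bill pay service, sign the agreement below</AttributeAssignment>
  </Obligation>
</Obligations>
"""

MESSAGE_ATTR = "urn:example:obligation:message"


def require_signature(args):
    # The action comes from the obligation identifier, never from parsing the
    # message text. The message is passed through for display only.
    return {"action": "sign", "display": args.get(MESSAGE_ATTR, "")}


# Every action the PEP can take is enumerated here, which is what an auditor
# can review. Free-form text never selects a handler.
HANDLERS = {"urn:example:obligation:sign-agreement": require_signature}


def enforce(decision, obligations_xml):
    """Return (final_decision, actions) for a PDP decision and its obligations."""
    root = ET.fromstring(obligations_xml.strip())
    actions = []
    for ob in root.findall(f"{{{POLICY_NS}}}Obligation"):
        if ob.get("FulfillOn") != decision:
            continue  # obligation does not apply to this decision
        handler = HANDLERS.get(ob.get("ObligationId"))
        if handler is None:
            return "Deny", []  # assumption: fail closed on unknown obligations
        args = {
            a.get("AttributeId"): (a.text or "")
            for a in ob.findall(f"{{{POLICY_NS}}}AttributeAssignment")
        }
        actions.append(handler(args))
    return decision, actions
```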