xacml-users message

Subject: Re: [xacml-users] Help on Condition ? <-- Obligations

Definitely a valid option. This is one of the approaches we began
investigating on the wiki at the beginning of v3
(http://wiki.oasis-open.org/xacml). Unfortunately, I got ambitious and
attempted to create a combining framework and the scope spun out of
control and there hasn't been interest until recently to consider this
problem in the v3 timeframe.


On Dec 12, 2008, at 3:06 PM, Oleg Gryb wrote:

> Bill,
> I see your point and think that your "quantification" argument is  
> valid, but I still think that a quantified action ("sign") and  
> additional information ("message") could be incorporated to  
> Obligation. I think it would be logical in the cases when latter is  
> related to the former (as in my example).
> I also think that whatever decision TC makes (message outside of  
> Obligation or message inside the Obligation, or both) the most  
> important thing is to allow expressions for building both "explicit  
> quantified actions" and "messy abstract messages" :)
> --- On Fri, 12/12/08, Bill Parducci <bill@parducci.net> wrote:
>> From: Bill Parducci <bill@parducci.net>
>> Subject: Re: [xacml-users] Help on Condition ? <-- Obligations
>> To: oleg@gryb.info
>> Cc: xacml-users@lists.oasis-open.org
>> Date: Friday, December 12, 2008, 3:58 PM
>> On Dec 12, 2008, at 12:03 PM, Oleg Gryb wrote:
>>> Let us modify my example a bit by changing message to:
>>> "You've exceeded the max of $10000 in 6-month
>>> period. If you want to continue using the bill pay service,
>>> sign the agreement below".
>>> If a user signs the agreement bill pay functionality
>>> will be enabled, otherwise the access will be denied. How is
>>> it different from the "sign agreement" obligation
>>> that Yoichi was writing about?
>> On one level they are the same in that there is an action
>> that is expected by the PEP that is associated with the
>> Decision. Where it gets messy is the chaff around the
>> message. In Yoichi's case "sign" is an
>> explicit PEP action that while still subject to
>> implementation (as are all things in Obligations :( has a
>> moderately quantifiable meaning to the PEP. In other words,
>> it is telling the PEP to do something: sign the payload.
>> Your case describes an Obligation that is effectively
>> written to the Subject. The PEP somehow infers that it takes
>> action. There are many ways to define what: custom
>> delimiters, string structures, etc. but in my mind that
>> makes a bad situation worse because it further extends
>> localized logic. I personally don't find this type of
>> compound logic appealing; it seems to me to be analogous to
>> only having a single Rule that invokes
>> http://myuri/doEverythingNecessary.
>> I guess to some it sounds pedantic on my part but think of
>> the Implications of Policy creation if, "You've
>> exceeded the max of $10000 in 6-month period. If you want to
>> continue using the bill pay service, sign the agreement
>> below" is an actionable statement. Personally, I try to
>> take the perspective of an auditor so things outside of the
>> explicit Policy content or free form text instructions make
>> me all squishy inside :)
>> b
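
Added example, not part of the original thread or of any XACML implementation: a sketch of a deny-biased PEP that acts only on an explicit ObligationId and carries the "message" as display data, so an obligation whose meaning lives only in free text has no handler and results in Deny. The urn:example:* identifiers, the handler name and the sample response are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample response; the urn:example:* identifiers are hypothetical.
SAMPLE = """<Response><Result><Decision>Permit</Decision><Obligations>
<Obligation ObligationId="urn:example:obligation:sign-agreement" FulfillOn="Permit">
<AttributeAssignment AttributeId="urn:example:attr:message"
 DataType="http://www.w3.org/2001/XMLSchema#string">You've exceeded the max of $10000 in 6-month period.</AttributeAssignment>
</Obligation></Obligations></Result></Response>"""

def local(tag):
    """Drop any '{namespace}' prefix so parsing works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def parse_result(xml_text):
    """Return (decision, [(obligation_id, fulfill_on, {attr_id: text})])."""
    decision, obligations = None, []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "Decision":
            decision = (el.text or "").strip()
        elif local(el.tag) == "Obligation":
            attrs = {a.get("AttributeId"): (a.text or "").strip()
                     for a in el if local(a.tag) == "AttributeAssignment"}
            obligations.append((el.get("ObligationId"), el.get("FulfillOn"), attrs))
    return decision, obligations

def require_signature(attrs, ctx):
    """Explicit action: show the message (data only), then check for a signature."""
    ctx["shown"] = attrs.get("urn:example:attr:message", "")
    return ctx.get("agreement_signed", False)

# The PEP acts only on obligation ids it has a handler for; text is never parsed.
HANDLERS = {"urn:example:obligation:sign-agreement": require_signature}

def enforce(xml_text, ctx):
    """Deny-biased PEP: Permit only if every applicable obligation is fulfilled."""
    decision, obligations = parse_result(xml_text)
    if decision != "Permit":
        return "Deny"
    for ob_id, fulfill_on, attrs in obligations:
        if fulfill_on != decision:
            continue  # obligation applies to the other decision
        handler = HANDLERS.get(ob_id)
        if handler is None or not handler(attrs, ctx):
            return "Deny"  # unknown or unfulfilled obligation
    return "Permit"
```

An auditor reviewing this PEP only needs the policy's obligation ids and the HANDLERS table; the message text never changes what is enforced.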
