OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml-users] Help on Condition ? <-- Obligations


What I mean is, if the Policy Decision was Denial and if you want to  
implement some dynamic and automatic "cause-for-denial" message in  
Obligation to explain how and why the Decision was made in plain  
English, you may find it difficult.

My Policies have hierarchical structure, and only some of them are  
application-based rules. Some of the Organizational rules, which the  
application must comply with have no place for the ned user to Oblige  
about them and the end user would not understand terms used in them.

Also, in your Use Case, you say that you would make the Obligation to  
accept the user agreeing to extend the account limit?

How would you automatically deduct what the Obligation conditions  
should be for the Denied Policy decision? There has to be some  
external mechanism, such as Obligation is to agree with the agreement  
= getAgreement(deniedCondition)?

The Policy may have several conditions positive or negative, any of  
those may determine the outcome (Permit or Deny) or combination of  
them may determine the outcome. Unless you can repeat them in the  
Obligations, you may not be able to specify what Obligation message is  
for what conditions. Of course, such would be duplicate of conditions  
in two places and would not be ideal.

Is this what you mean by "wrapping messages in conditions"?

As Bill (?) was saying, the messages should belong to "conditions"  
used in the decision making and maybe (not sure possible) to be  
automatically constructed or use a fixed messaged attached to  
conditions.

Say, if the condition was "where A=true or B=true", how do you attach  
the message? In one approach, it may generate different messages  
depending on the statuses of A and B.   What the Obligations may be in  
such cases??? That may be difficult.

The simpler approach, however, is to generate a simple "message" for  
the entire Policy condition lie. I would just return a preformed  
message attached with the entire condition line, not to do with the  
values of A and B.

If multiple lines were involved and the PDP engine may have to know  
how to compose a combined message from multiple sub-messages?

Bill, do you have Use Case to determine what Condition(s) were  
responsible and construct your "message" for reason why the Decision  
was made??? Or, is it much a simpler matter and I am overestimating  
the problem?

Thanks,
Yoichi

--------------------------------------------------------------------------
Yoichi Takayama, PhD
Senior Research Fellow
RAMP Project
MELCOE (Macquarie E-Learning Centre of Excellence)
MACQUARIE UNIVERSITY

Phone: +61 (0)2 9850 9073
Fax: +61 (0)2 9850 6527
www.mq.edu.au
www.melcoe.mq.edu.au/projects/RAMP/
--------------------------------------------------------------------------
MACQUARIE UNIVERSITY: CRICOS Provider No 00002J

This message is intended for the addressee named and may contain  
confidential information.  If you are not the intended recipient,  
please delete it and notify the sender. Views expressed in this  
message are those of the individual sender, and are not necessarily  
the views of Macquarie E-Learning Centre Of Excellence (MELCOE) or  
Macquarie University.

On 12/12/2008, at 9:47 AM, Oleg Gryb wrote:

> Yes, explaining the reason might or might not be complex, it might  
> or might not have a practical sense, the user might or might not be  
> interested in additional details. Does it mean in your opinion that  
> such an explanation will never be useful?

smime.p7s



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]