Subject: Re: [xacml-users] retrieving a list or query filter of resources the caller is authorized for
It is my understanding that the Obligation is not to be used that way. It is to define an enforceable or un-enforceable condition of use. That is sent to the execution system to act upon AFTER a PDP has passed the Decision Permit. (Obviously, in other Decisions, the Obligation is not used.) How the Obligation is handled is not defined in XACML itself. So, maybe we can say that it is at the liberty of the Obligation implementor and the execution system implementor.

I think that an example was like: the user interface displays a dialog to ask the user to tick "I agree with these terms and conditions" and press OK (or disagree and cancel). In another case, if it is required that the user is a member of a certain subscription or has certain rights etc., the system may be able to check those attributes transparently. That is beyond XACML. This takes place only when the resource is about to be consumed by the end user.

Yoichi

On 16/04/2010, at 2:12 AM, Oleg Gryb wrote:

> Paul,
>
> Multiple profile is defined and implemented by some engines in XACML 2.0 as well.
>
> Ralf,
> Here is a solution that you might want to consider, but I'm not sure how pure it is from the XACML point of view. Try to use the obligation concept: the XACML resource in your solution should be a domain, not 2000 resources. The Obligation should be: "Show a list of all resources that this subject has access to". It's just an idea: I did something like that when I was trying to implement a "Display Authz Error Details" obligation. It was not easy, but doable. The policy might be complicated though with such an approach.
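The two positions in this exchange can be made concrete in a small model: a toy PDP that attaches an obligation to a Permit, and a toy PEP that discharges obligations only for the decision they apply to and fails closed when it cannot. This is an added example written for this page, not code from either poster or from any XACML engine; the obligation identifiers, the role table, the `docs` domain and its resources are all constructed. It also sketches Oleg's idea of treating the domain as the resource and carrying the permitted-resource list in an obligation attribute, alongside Yoichi's point that a PEP only acts on an obligation after a Permit.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample data (not a real deployment): subject -> roles, and
# per-domain resources with the set of roles allowed to read each one.
SUBJECT_ROLES: Dict[str, set] = {
    "alice": {"subscriber"},
    "bob": {"guest"},
}
RESOURCES: Dict[str, Dict[str, set]] = {
    "docs": {
        "doc-7": {"subscriber"},
        "doc-8": {"staff"},
        "doc-9": {"subscriber", "guest"},
    },
}

# Hypothetical obligation ids chosen for this example.
TERMS_OBLIGATION = "urn:example:obligation:acknowledge-terms"
LIST_OBLIGATION = "urn:example:obligation:show-authorized-list"


@dataclass
class Obligation:
    id: str
    fulfill_on: str                       # "Permit" or "Deny", like XACML FulfillOn
    attributes: dict = field(default_factory=dict)


@dataclass
class Decision:
    result: str                           # Permit / Deny / NotApplicable
    obligations: List[Obligation] = field(default_factory=list)


def pdp_evaluate(subject: str, domain: str, resource: str, action: str) -> Decision:
    """Toy PDP for a single resource: a terms-acknowledgement obligation is
    attached only to a Permit, never to Deny or NotApplicable."""
    allowed = RESOURCES.get(domain, {}).get(resource)
    if allowed is None or action != "read":
        return Decision("NotApplicable")
    if SUBJECT_ROLES.get(subject, set()) & allowed:
        return Decision("Permit", [Obligation(TERMS_OBLIGATION, "Permit")])
    return Decision("Deny")


def pdp_evaluate_domain(subject: str, domain: str) -> Decision:
    """The thread's idea: the XACML resource is the whole domain, and the
    Permit carries an obligation listing every resource the subject may read."""
    permitted = sorted(r for r, roles in RESOURCES.get(domain, {}).items()
                       if SUBJECT_ROLES.get(subject, set()) & roles)
    if not permitted:
        return Decision("Deny")
    return Decision("Permit", [Obligation(LIST_OBLIGATION, "Permit",
                                          {"resources": permitted})])


Handler = Callable[[Obligation], bool]


def pep_enforce(decision: Decision, handlers: Dict[str, Handler]) -> bool:
    """Toy PEP: run each obligation whose FulfillOn matches the decision.
    An obligation with no handler, or whose handler reports failure, denies
    access (fail closed). Access is granted only on Permit."""
    for ob in decision.obligations:
        if ob.fulfill_on != decision.result:
            continue
        handler = handlers.get(ob.id)
        if handler is None or not handler(ob):
            return False
    return decision.result == "Permit"


if __name__ == "__main__":
    # A handler that "shows the dialog" and reports the user agreed.
    handlers = {TERMS_OBLIGATION: lambda ob: True}
    print(pep_enforce(pdp_evaluate("alice", "docs", "doc-7", "read"), handlers))
    # Same Permit, but a PEP that does not understand the obligation: denied.
    print(pep_enforce(pdp_evaluate("alice", "docs", "doc-7", "read"), {}))
    print(pdp_evaluate_domain("alice", "docs").obligations[0].attributes)
```

The fail-closed branch in `pep_enforce` is the part worth keeping in a real PEP: since XACML leaves obligation handling to the implementor, an obligation the enforcement point cannot discharge must not silently turn into an unconditional Permit.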