OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml-users] retrieving a list or query filter of resources the caller is authorized for


Yoichi,

I could see two problems here:

1. We've already discussed this in the past and some were saying that it's OK to use obligations like "Show Authz Error Details" in the case when a decision is "Deny". Difference in opinions means that use of oblogations is not defined well.
2. If Oblogations should not be used this way then what alternative do we have? I would suggest to add a field to a PDP response that is not of static type. It should be a XACML expression. Call it whatever you want, e.g. "Decision Details".

Ralf's use case provoked me to express some thoughts that you might not agree with,  but,  I think, they are important for somebody who tries to use XACML in their business applications: 

1. XACML - is not a complete, ready to use authorization solution, it's rather a brick, maybe even a corner stone, in your authz solution.
2. XACML practical value is very limited in many cases without PIP and PEP that are defined at conceptual level only.
3. In many cases you need to do a lot of plumbing around PEP and PIP to meet your business requirements.
4. XACML Policies are very rigid and lack dynamics of a programming language, thus you need to write your custom code somewhere else (e.g. in PEP and PIP services).


Thanks,
Oleg.


----- Original Message ----
From: Yoichi Takayama <takayama.yoichi@gmail.com>
To: Oleg Gryb <oleg@gryb.info>
Cc: "Tyson, Paul H" <PTyson@bellhelicopter.textron.com>; Ralf Lorenz <rol@mms-dresden.de>; xacml-users@lists.oasis-open.org
Sent: Fri, April 16, 2010 12:28:26 AM
Subject: Re: [xacml-users] retrieving a list or query filter of resources the caller is authorized for

It is my understanding that the Obligation is not to be used that way.

It is to define enforceable or un-enforceable condition of use.

That is sent to the execution system to act upon AFTER a PDP has passed the Decision Permit. (Obviously, in other Decisions, the Obligation is not used).

How the Obligation is handled is not defined in XACML itself. So, maybe we can say that it is at the liberty of Obligation implementor and the execution system implementor. I think that an example was like; the user interface displays a dialog to ask the user to tick "I agree with these terms and conditions" and press OK (or disagree and cancel). 

In another case; if it required that the user is a member of a certain subscription or rights etc., the system may be able to check those attributes transparently. That is beyond XACML.

This takes place only when the resource is about to be consumed by the end user.

Yoichi

On 16/04/2010, at 2:12 AM, Oleg Gryb wrote:

> Paul, 
> 
> Multiple profile is defined and implemented by some engines in XACML 2.0 as well.
> 
> Ralf,
> Here is a solution that you might want to consider, but I'm not sure how pure it is from XACML point of view. Try to use obligation concept: the XAML resource in your solution should be a domain, not 2000 resources. The Obligation should be: "Show a list of all resources that this subject has access to". It's just an idea: I did something like that when was trying to implement "Display Authz Error Details" obligation. It was not easy, but doable. The policy might be complicated though with such an approach.


---------------------------------------------------------------------
To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-users-help@lists.oasis-open.org


      


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]