xacml-users message


Subject: RE: [xacml-users] XACML 3.0 Obligations

You have to realize that there is a distinction between the decision produced by a PDP and the action taken by a PEP.


XACML defines precisely the conditions for all possible decisions of a PDP.


XACML only defines some of the required behavior of a PEP.


A few examples:


When a PDP says “Not applicable” some PDPs will deny access, some will consult a different PDP.

When a PDP says “Indeterminate, missing attributes” some PDPs will locate additional attributes, some will deny access.

When a PEP asks for a hypothetical (what if) decision in order to analyze or debug policies, the PEP will take no enforcement action whatever, since there is no actual request to permit or deny. (Note that this does not violate the text you cite below.)


In the case you mention the PDP decision is “Permit” with Obligations. That ends the involvement of the PDP.


However XACML specifies that in such a case, if the PEP is unable to understand and comply with the Obligation, it MUST NOT permit access.


You could say that in this case, the PEP acts as if the PDP decision had been DENY. However, the actual PDP decision is still Permit with Obligations. In fact, the PDP has no way of knowing the PEP was unable to comply with the Obligations.




From: Andrea Margheri [mailto:margheri.andrea@gmail.com]
Sent: Thursday, May 03, 2012 2:02 PM
To: xacml-users@lists.oasis-open.org
Subject: [xacml-users] XACML 3.0 Obligations



I’m a student of University of Florence and I’m doing a master thesis on XACML 3.0 and the use of obligations. I’m trying to define a formal semantic for XACML 3.0 and I don’t understand how Obligations are managed by the PEP with Base algorithm. In fact in section 7.2.1 the standard says: “PEP shall permit access only if it understands and it can and will discharge those obligations” but it doesn’t say which is the decision of PEP when it can’t understand the obligations, is it deny or indeterminate? And for a PDP authorization decision “Deny” with unsuccessful obligation, it becomes indeterminate?
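The distinction drawn in the reply above, between the PDP's decision and the PEP's enforcement action, in a small added example (not code from the thread or from any XACML implementation): a deny-biased PEP that permits only on "Permit" whose every Obligation it understands (has a registered handler for) and discharges, while the PDP decision it reports is passed through unchanged. The obligation ids, the handler registry and the audit-log obligation are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed model of a PDP response: the decision plus its Obligations.
@dataclass
class Obligation:
    obligation_id: str
    attributes: Dict[str, str] = field(default_factory=dict)

@dataclass
class PDPResponse:
    decision: str  # "Permit", "Deny", "NotApplicable" or "Indeterminate"
    obligations: List[Obligation] = field(default_factory=list)

class DenyBiasedPEP:
    """Grants access only on Permit whose Obligations it understands and discharges.
    A registered handler means the PEP 'understands' that obligation id; the handler
    returns True once the obligation is discharged (assumed interface)."""
    def __init__(self) -> None:
        self.handlers: Dict[str, Callable[[Obligation], bool]] = {}

    def register(self, obligation_id: str, handler: Callable[[Obligation], bool]) -> None:
        self.handlers[obligation_id] = handler

    def enforce(self, response: PDPResponse) -> dict:
        """Return the enforcement action; the PDP decision is reported unchanged."""
        result = {"pdp_decision": response.decision, "action": "deny", "reason": ""}
        if response.decision != "Permit":
            # Deny-biased PEP: NotApplicable and Indeterminate are not grants.
            result["reason"] = f"PDP decision {response.decision} is not Permit"
            return result
        for ob in response.obligations:
            handler = self.handlers.get(ob.obligation_id)
            if handler is None:  # obligation not understood: MUST NOT permit
                result["reason"] = f"obligation {ob.obligation_id} not understood"
                return result
            if not handler(ob):  # understood but could not be discharged
                result["reason"] = f"obligation {ob.obligation_id} not discharged"
                return result
        result.update(action="permit", reason="all obligations discharged")
        return result

# Constructed sample: an audit-log obligation this PEP knows how to discharge.
AUDIT_LOG: List[str] = []

def discharge_audit(ob: Obligation) -> bool:
    AUDIT_LOG.append(f"access by {ob.attributes.get('subject', '?')}")
    return True

def demo() -> dict:
    pep = DenyBiasedPEP()
    pep.register("urn:example:obligation:audit", discharge_audit)
    known = PDPResponse("Permit", [Obligation("urn:example:obligation:audit", {"subject": "alice"})])
    unknown = PDPResponse("Permit", [Obligation("urn:example:obligation:watermark")])
    return {"known": pep.enforce(known), "unknown": pep.enforce(unknown),
            "not_applicable": pep.enforce(PDPResponse("NotApplicable"))}
```

In the `unknown` case the PEP denies, yet `pdp_decision` still reads "Permit", which is exactly the point the reply makes: the PDP never learns that the PEP could not comply.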


