Subject: RE: access control information (formerly... Strawman)
It may or may not be a bank balance. That it is even a balance is
somewhat immaterial; it is just intended as a concrete example of an
attribute that may be associated with a requestor, the resolution of
which is required to make a policy decision regarding the use of a
resource. The resource itself may also have attributes associated with
it that are referenced in a policy. (What a mouthful! Which is why I try
to use concrete examples!)

The choice of which attributes to use within policy statements is
entirely up to the entity defining the policy.

BTW, the above is what I intend and desire; it is not necessarily what
will be the requirements that are established by the XACML group.

> -----Original Message-----
> From: Polar Humenn [mailto:polar@syr.edu]
> Sent: Tuesday, June 12, 2001 5:35 AM
> To: Simon Y. Blackwell
> Cc: 'bill parducci'; 'xacml@lists.oasis-open.org'
> Subject: RE: access control information (formerly... Strawman)
>
> One question, are you talking about having authorization information
> included in credentials stating a person's particular bank balance?
>
> -Polar
>
> On Mon, 11 Jun 2001, Simon Y. Blackwell wrote:
>
> > The problem with "insufficient funds to access" is it requires an
> > understanding of the meaning of the constraint "balance > $5,000".
> > (Yes, I know my policy example was not precisely in this form ...).
> > To avoid the requirement that the policy engine actually understand
> > the semantics of the constraint, I suppose it could return
> > "balance < ?required-amount" which would only require programming
> > the policy engine such that it understood the semantics of some
> > finite set of operators. It still gets pretty ugly though.
> >
> > > -----Original Message-----
> > > From: bill parducci [mailto:bill@parducci.net]
> > > Sent: Monday, June 11, 2001 3:53 PM
> > > To: 'xacml@lists.oasis-open.org'
> > > Subject: access control information (formerly... Strawman)
> > >
> > > /*
> > > For the most part these situations can be reduced to things of
> > > the form "If you don't tell me that I need a $5,000 balance to
> > > access your services, how do I know what to do to comply?".
> > > */
> > >
> > > good point. however, should the response be 'you need $5,000 to
> > > have access' or 'insufficient funds to access'? i know to some
> > > this may seem pedantic, but the former message provides the
> > > requestor with specific information regarding your ACL. (imagine
> > > the case of 'denied: not member of xyz group')
> > >
> > > /*
> > > Once again, we should leave the decision whether or not to expose
> > > policy to the expression of the policy itself.
> > > */
> > >
> > > ultimately, this may be the only workable solution. (although,
> > > let's shoot a couple of prisoners first and see how it goes to
> > > make sure :o)
> > >
> > > b
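
The trade-off discussed in this thread, as an added example that is not part of any message above and is not XACML syntax: a small decision function that understands only a finite set of operators and lets each constraint state how much of itself a denial may reveal. The `Constraint` class, the four `disclose` levels and the message wording are assumptions made for illustration.

```python
import operator
from dataclasses import dataclass

# Finite operator set the engine understands; it never interprets what "balance" means.
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq}
# How a failed comparison reads from the requestor's side.
NEGATED = {">": "<=", ">=": "<", "<": ">=", "<=": ">", "==": "!="}

@dataclass(frozen=True)
class Constraint:
    attribute: str          # requestor attribute to resolve, e.g. "balance"
    op: str                 # key of OPS
    value: object           # threshold set by the policy owner
    disclose: str = "none"  # "none" | "attribute" | "template" | "full" (assumed levels)

def explain(c):
    """Denial reason allowed by the constraint's own disclosure level."""
    if c.disclose == "full":        # like 'you need $5,000 to have access'
        return f"requires {c.attribute} {c.op} {c.value}"
    if c.disclose == "template":    # like "balance < ?required-amount"
        return f"{c.attribute} {NEGATED[c.op]} ?required-amount"
    if c.disclose == "attribute":   # like 'insufficient funds to access'
        return f"constraint on {c.attribute} not met"
    return "denied"                 # reveals nothing about the policy

def decide(policy, attributes):
    """Return (permit, reasons); missing attributes, type mismatches
    and unknown operators all fail closed."""
    reasons = []
    for c in policy:
        try:
            ok = OPS[c.op](attributes[c.attribute], c.value)
        except (KeyError, TypeError):
            ok = False
        if not ok:
            reasons.append(explain(c))
    # Collapse duplicates so opaque denials do not leak how many checks failed.
    return (not reasons, list(dict.fromkeys(reasons)))

if __name__ == "__main__":
    requestor = {"balance": 1200}   # constructed sample attributes
    for level in ("none", "attribute", "template", "full"):
        print(level, decide([Constraint("balance", ">=", 5000, level)], requestor))
```

Only the "full" level hands the requestor the threshold itself; the "template" level needs nothing from the engine beyond the operator table.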