xacml message


Subject: RE: access control information (formerly... Strawman)


It may or may not be a bank balance. That it is even a balance is somewhat
immaterial, it is just intended as a concrete example of an attribute that
may be associated with a requestor, the resolution of which is required to
make a policy decision regarding the use of a resource. The resource itself
may also have attributes associated with it that are referenced in a policy.
(What a mouthful! Which is why I try to use concrete examples!) The choice of
which attributes to use within policy statements is entirely up to the
entity defining the policy.

BTW, the above is what I intend and desire, it is not necessarily what will
be the requirements that are established by the XACML group.

> -----Original Message-----
> From: Polar Humenn [mailto:polar@syr.edu]
> Sent: Tuesday, June 12, 2001 5:35 AM
> To: Simon Y. Blackwell
> Cc: 'bill parducci'; 'xacml@lists.oasis-open.org'
> Subject: RE: access control information (formerly... Strawman)
> 
> 
> 
> One question, are you talking about having authorization information
> included in credentials stating a person's particular bank balance?
> 
> -Polar
> 
> On Mon, 11 Jun 2001, Simon Y. Blackwell wrote:
> 
> > The problem with "insufficient funds to access" is it requires an
> > understanding of the meaning of the constraint "balance > $5,000". (Yes, I
> > know my policy example was not precisely in this form ...). To avoid the
> > requirement that the policy engine actually understand the semantics of the
> > constraint, I suppose it could return "balance < ?required-amount" which
> > would only require programming the policy engine such that it understood the
> > semantics of some finite set of operators. It still gets pretty ugly though.
> >
> > > -----Original Message-----
> > > From: bill parducci [mailto:bill@parducci.net]
> > > Sent: Monday, June 11, 2001 3:53 PM
> > > To: 'xacml@lists.oasis-open.org'
> > > Subject: access control information (formerly... Strawman)
> > >
> > >
> > > /*
> > > For the most part these situations can be reduced to things
> > > of the form
> > > "If you don't tell me that I need a $5,000 balance to access your
> > > services, how do I know what to do to comply?".
> > > */
> > >
> > > good point. however, should the response be 'you need $5,000 to have
> > > access' or 'insufficient funds to access'? i know to some this may seem
> > > pedantic, but the former message provides the requestor with specific
> > > information regarding your ACL.  (imagine the case of 'denied: not
> > > member of xyz group')
> > >
> > > /*
> > > Once again, we should leave the decision whether or not to
> > > expose policy
> > > to the expression of the policy itself.
> > > */
> > > ultimately, this may be the only workable solution. (although, let's
> > > shoot a couple of prisoners first and see how it goes to make sure :o)
> > >
> > > b
> > >
> >
> 
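
The three denial responses discussed in this thread (the full constraint, the operator-only form "balance < ?required-amount", and a generic denial), sketched as an added example that is not code from any participant or from XACML. The names `POLICY`, `disclose`, `explain` and `decide`, and the sample attribute values, are hypothetical; each constraint carries its own disclosure level so that exposure of the ACL is decided by the policy itself.

```python
import operator

# Finite operator set the engine understands: (test, textual negation).
# The engine can negate an operator without knowing what "balance" means.
OPS = {">": (operator.gt, "<="), ">=": (operator.ge, "<"),
       "<": (operator.lt, ">="), "<=": (operator.le, ">"),
       "==": (operator.eq, "!=")}

# Constructed policy (assumption): every constraint states how much of
# itself may be revealed to a denied requestor.
POLICY = [
    {"attr": "balance", "op": ">", "value": 5000, "disclose": "template"},
    {"attr": "group", "op": "==", "value": "xyz", "disclose": "none"},
]

def explain(rule):
    """Build the denial reason permitted by the rule's disclosure level."""
    negated = OPS[rule["op"]][1]
    level = rule["disclose"]
    if level == "full":        # reveals attribute, operator and threshold
        return f"{rule['attr']} {negated} {rule['value']}"
    if level == "template":    # reveals attribute and operator only
        return f"{rule['attr']} {negated} ?required-amount"
    return "access denied"     # reveals nothing about the ACL

def decide(attributes, policy=POLICY):
    """Return (permit, reason); a missing attribute fails closed."""
    for rule in policy:
        test = OPS[rule["op"]][0]
        actual = attributes.get(rule["attr"])
        if actual is None or not test(actual, rule["value"]):
            return False, explain(rule)
    return True, "permit"

if __name__ == "__main__":
    print(decide({"balance": 1200, "group": "xyz"}))
    print(decide({"balance": 9000, "group": "abc"}))
    print(decide({"balance": 9000, "group": "xyz"}))
```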

