RE: [xacml] Multiple actions per decision request

[Hal Lockhart <hal.lockhart@entegrity.com>]

Title: Multiple actions per decision request

I agree XACML should settle this in the context of proposed changes to the decision request and repsonse protocol.

 

Personally I am in favor of limiting this, but I will state the counter argument for the record.

 

If the possible Actions correspond to what can be in the request, then this works fine. The only reason for multiple actions would be some sort of policy provisioning requirement.

 

However, if the Actions are more like privileges or permission bits, and do not match allowable requests one for one, then some requests may require the AND or OR of several actions. I believe this is the motive behind suggesting multiple actions.

 

I don't see any rush on this as we are not close to proposing changes to the decision protocol yet.

 

Hal

-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Friday, October 26, 2001 4:03 PM
To: 'XACML'
Subject: [xacml] Multiple actions per decision request

Colleagues - In the SAML issues document,

http://www.oasis-open.org/committees/security/docs/draft-sstc-core-discussion-01.doc

... Issue 5.1.15.2 seeks guidance on whether multiple "actions" can be specified in a single decision request.

I feel that XACML should answer this question and send its conclusion in a liaison to SAML.

My feeling is that the answer is "No".  If "applicable policy" is to be identified with the resource/action pair, then multiple "applicable policies" are involved when multiple actions are involved.  Much "cleaner" for there to be a single "applicable policy" for each decision request.  And, therefore, a single action per decision request.  It is no great hardship to submit multiple decision requests, in the event that you need a decision for each of several actions.

Any thoughts?  All the best.  Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183