
Subject: RE: [xacml] [policy-model] A Proposal


Michiharu - I suggest that we debate this on our call next Monday.

Personally, I am not in favour of separate elements for grant and deny.  I think it is redundant.  Readability is not so important, because I hope that humans will only read XACML documents directly for the purposes of debugging software.  Administrators (I hope) will use a tool with a more intuitive interface than an XML editor.

I certainly agree that we should define some extension points in the syntax.  And suggestions in this area are welcome.

All the best.  Tim.

Tim Moses
Tel: 613.270.3183

-----Original Message-----
From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
Sent: Tuesday, December 04, 2001 2:42 AM
To: xacml <xacml
Subject: RE: [xacml] [policy-model] A Proposal

Tim - I understand that both the deny_condition under the <not> element and the
<deny> element mean the same. But in some cases, it would be more
important to specify the denial rule more explicitly, in order to
facilitate readability of the policy rules mainly for the human policy
writers. Moreover I think that all SC members have agreed to the usefulness
of the denial rule after the long discussion. When people need to specify
denial rules, it would be nice to specify explicitly the "grant" semantic
basis in terms of exact specification. Considering the wide range of XACML
applications that the use case summary shows, I would prefer to specify
"grant" (or something like that) explicitly. I think this is consistent
with the ongoing policy model discussion.

Another aspect is that XACML users may want to extend the XACML semantic
basis according to their own policy definition. I think that Pierangela's
"only_if" semantic basis is one good example. Other people might think
of another definition. My extensibility proposal also aims at these issues.

best regards,
Michiharu Kudo

From: Tim Moses <tim.moses@entrust.com> on 2001/12/04 04:19

Please respond to Tim Moses <tim.moses@entrust.com>

To:   xacml <xacml@lists.oasis-open.org>
Subject:  RE: [xacml] [policy-model] A Proposal

Michiharu - Thanks for this proposal on extensibility.  I suspect that we
will delay discussion of extensibility points until the model is settled.
However, it will become important at that time.

In the model, as currently described, we do not include separate elements
for "grant" and "deny".  Instead, the "deny" semantics are provided by
"and" and "not" ...


With this approach, no explicit grant element is required: if the
applicable policy evaluates TRUE, then the PDP may return the saml "permit"
status code.

All the best.  Tim.

Tim Moses
Tel: 613.270.3183
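The two encodings debated above, as an added example that is not part of the original thread: Tim's single grant expression with the denial folded in through "and"/"not", beside Michiharu's explicit grant and deny rules. The sample policy and request attributes are constructed, and the explicit form assumes a deny-overrides combining rule (which the thread does not name); the comparison shows that the equivalence holds under that rule and breaks under permit-overrides.

```python
from itertools import product

# A request is a dict of attribute values; a rule is a predicate over it.

def evaluate_single_grant(request, grant_cond, deny_cond):
    """Tim's model: no separate <grant>/<deny> elements. The one applicable
    policy is the boolean expression  grant_cond AND NOT deny_cond; if it
    evaluates TRUE the PDP returns "permit", otherwise "deny"."""
    return "permit" if grant_cond(request) and not deny_cond(request) else "deny"

def evaluate_grant_deny(request, grants, denies, deny_overrides=True):
    """Michiharu's model: explicit grant rules and explicit deny rules.
    The two rule sets must be combined (assumption: the thread names no
    combining rule). deny_overrides=True lets any matching deny win;
    deny_overrides=False lets any matching grant win."""
    grant_hit = any(rule(request) for rule in grants)
    deny_hit = any(rule(request) for rule in denies)
    if deny_overrides:
        return "deny" if deny_hit else ("permit" if grant_hit else "deny")
    return "permit" if grant_hit else "deny"

# Constructed sample policy (hypothetical): physicians may read a record,
# except when they are not treating that patient.
def physician_reads(req):
    return req["role"] == "physician" and req["action"] == "read"

def not_treating(req):
    return not req["treating"]

def encoding_a(req):
    return evaluate_single_grant(req, physician_reads, not_treating)

def encoding_b(req, deny_overrides=True):
    return evaluate_grant_deny(req, [physician_reads], [not_treating], deny_overrides)

def disagreements(deny_overrides=True):
    """Compare both encodings over the whole (small) request space and return
    the requests on which they decide differently; empty means equivalent."""
    space = product(["physician", "nurse"], ["read", "write"], [True, False])
    diffs = []
    for role, action, treating in space:
        req = {"role": role, "action": action, "treating": treating}
        if encoding_a(req) != encoding_b(req, deny_overrides):
            diffs.append(req)
    return diffs

if __name__ == "__main__":
    print("deny-overrides differences:", disagreements(True))    # []
    print("permit-overrides differences:", disagreements(False))
```

Under permit-overrides the explicit form permits a physician reading a record of a patient they are not treating, the exact case the deny rule was written for, so the "redundant" explicit deny element is only redundant once the combining rule is fixed.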

-----Original Message-----
From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
Sent: Monday, December 03, 2001 7:24 AM
To: xacml
Subject: [xacml] [policy-model] A Proposal

I drew a picture about the desirable extensibility of XACML policy model
based on the currently proposed XACML language document.

(See attached file: ModelProposal.ppt)(See attached file:

Best regards,
Michiharu Kudo
