Michiharu - Thanks for this proposal on extensibility. I suspect that
we will delay discussion of extensibility points until the model is
settled. However, it will become important at that time.
In the model, as currently described, we do not include
separate elements for "grant" and "deny". Instead, the "deny"
semantics are provided by "and" and "not" ...
  <and>
    <predicate>grant_condition</predicate>
    <not>
      <predicate>deny_condition</predicate>
    </not>
  </and>
With this approach, no explicit grant element is
required: if the applicable policy evaluates TRUE, then the PDP may
return the saml "permit" status code.
All the best. Tim.
-----------------------------------------
Tim Moses
Tel: 613.270.3183
-----Original Message-----
From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
Sent: Monday, December 03, 2001 7:24 AM
To: xacml
Subject: [xacml] [policy-model] A Proposal
I drew a picture about the desirable extensibility of XACML policy model
based on the currently proposed XACML language document.
(See attached file: ModelProposal.ppt)(See attached file: ModelProposal.pdf)
Best regards,
Michiharu Kudoh