OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: [xacml] on postconditions


Title: on postconditions

Post-condition is executed after the rule fires and does not affect grant/deny
outcome of the rule.

With this definition we can not predict which poscondition(s) will be executed for a given
authorization request. This is not desirable.

One way to make post-conditions predictable is to associate post condition not with a rule
but with the outcome of grant or deny, eg:
on_grant do_something
on_deny do_something

That means every time any subject is granted (or denied) action on any resource all post-conditions
listed in on_grant (or on_deny) will be predictably executed.

on_grant and on_deny post-conditions could be associated with specific action, subject, resource
triplet, meaning that given post-condition will be executed every time subject is granted or denied
permission to access resource.
on_grant(action, subject, resource) do_something;
on_deny(action, subject, resource) do_something;

Simon Godik



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC