RE: [xacml] on postconditions

[Simon Godik <sgodik@crosslogix.com>]

Title: RE: [xacml] on postconditions

John,

The way I remember post-conditions discussions is that outcome of
internal postcondition does not affect the outcome of azn decision,
ie, first grant (or deny) is computed and then internal post-condition
is executed. If, for example, pdp fails to add a record
to the log it still returns computed outcome (grant or deny) to the pep.

So the internal post-condition may not be successfully executed by the pdp.

Simon

-----Original Message-----
From: John Erickson [mailto:john_erickson@hplb.hpl.hp.com]
Sent: Monday, January 14, 2002 11:14 AM
To: xacml@lists.oasis-open.org
Subject: Re: [xacml] on postconditions

Simon writes:
> Post-condition is executed after the rule fires and does not affect
> grant/deny outcome of the rule.

I thought this was only true of *external* post-conditions? I thought that an
internal post-condition must be executed (by the PDP) BEFORE the response is
asserted, and therefore does affect the outcome...

The spec sez:
"...Post-condition - A process specified in a rule that must be completed in
conjunction with access. There are two types of post-condition: an internal
post-condition must be executed by the PDP prior to the issuance of a "permit"
response, and an external post-condition must be executed by the PEP prior to
permitting access..."

I'm assuming that the "musts" here imply that the required actions are
successfully executed. Is this not the case?

| John S. Erickson, Ph.D.
| Hewlett-Packard Laboratories
| PO Box 1158, Norwich, Vermont USA 05055
| 802-649-1683 (vox) 802-371-9796 (cell) 802-649-1695 (fax)
| john_erickson@hpl.hp.com         AIM/YIM/MSN: olyerickson

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>