Subject: Re: [xacml] [model] Proposal of Post Condition
Anne wrote:

>I think I agree with Bill's position on this: the PDP should be
>just an evaluation engine. It can not be held responsible for
>enforcing any actions as a result of the evaluation. Post
>conditions, if we use them, should just be values that are
>returned to the PEP and are meaningful only to the PEP. It is up
>to the PEP to enforce them.

That's just what I was thinking. XACML should define the specification of a policy evaluation engine.

For the log operation, I think that it can be divided into two categories. One is the PDP-level logging you mentioned. When the PDP is configured to support PDP-level logging, every access request and access decision might be logged. This is similar to the system log function in the UNIX operating system. I think this is outside of the scope of XACML.

The other one is policy-level logging using a "log" post-condition. The policy writer can decide when and how the access is logged (the logging operation is enforced by the PEP in this case). For example, a policy writer may need to check only write access requests on a specific resource requested in a certain time period. Then this is a kind of application-level access control policy rather than the system-level access control policy. In this case, the XACML post-condition can support this.

Best regards,
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428

From: Anne Anderson <Anne.Anderson@Sun.com> on 2002/02/15 23:37
To: bill parducci <bill@parducci.net>
cc: "XACML TC <xacml"
Subject: Re: [xacml] [model] Proposal of Post Condition

I think I agree with Bill's position on this: the PDP should be just an evaluation engine. It can not be held responsible for enforcing any actions as a result of the evaluation. Post conditions, if we use them, should just be values that are returned to the PEP and are meaningful only to the PEP. It is up to the PEP to enforce them.

I think the semantics of post conditions are hard to manage in access control unless we want the PDP to be far more than an evaluation engine. The one strong argument for PDP-enforced post conditions I have heard is that certain actions should be logged by the PDP, showing exactly how the result was obtained. I think this can probably be an implementation feature for a PDP, managed by PDP configuration and outside of the scope of XACML. It is not part of a policy.

Anne
--
Anne H. Anderson                     Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories        Tel: 781/442-0928
1 Network Drive,UBUR02-311           Fax: 781/442-1692
Burlington, MA 01803-0902 USA
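The PDP/PEP split argued for in this thread, written out as an added illustration: the PDP is a pure evaluation engine that returns a decision plus opaque post-condition values, and only the PEP interprets and enforces them (here, the policy-level "log" post-condition for out-of-hours writes to one resource). This is not code from the thread or from any XACML implementation, and the rule model, field names, the "/finance/ledger" resource and the hour windows are constructed for the example; XACML's real policy language is XML and later standardized this return channel as Obligations. One further design choice is assumed, not taken from the thread: a post-condition the PEP does not recognise turns a Permit into a Deny rather than being silently dropped.

```python
"""Toy PDP/PEP split: the PDP only evaluates, the PEP enforces.

Assumed, simplified policy model (not XACML syntax). Post-conditions are
opaque strings that the PDP returns untouched and only the PEP interprets.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    resource: str
    at: datetime


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    resource: str
    from_hour: Optional[int]   # window start hour, inclusive; None = any time
    to_hour: Optional[int]     # window end hour, exclusive
    effect: str                # "Permit" or "Deny"
    post_conditions: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Decision:
    effect: str                # "Permit", "Deny" or "NotApplicable"
    post_conditions: Tuple[str, ...]
    matched_rule: Optional[str]


def _in_window(rule: Rule, at: datetime) -> bool:
    """True if the request hour lies in the rule's window (may wrap midnight)."""
    if rule.from_hour is None or rule.to_hour is None:
        return True
    h = at.hour
    if rule.from_hour < rule.to_hour:
        return rule.from_hour <= h < rule.to_hour
    return h >= rule.from_hour or h < rule.to_hour   # e.g. 18:00 -> 06:00


def pdp_evaluate(policy: Tuple[Rule, ...], req: Request) -> Decision:
    """Pure evaluation engine: first applicable rule wins, no side effects.

    The PDP never logs or otherwise acts; it only reports what the rule says,
    including any post-conditions, which it does not interpret."""
    for rule in policy:
        if (rule.action == req.action and rule.resource == req.resource
                and _in_window(rule, req.at)):
            return Decision(rule.effect, rule.post_conditions, rule.name)
    return Decision("NotApplicable", (), None)


class PEP:
    """Enforcement point: asks the PDP, then carries out the post-conditions."""

    def __init__(self, policy: Tuple[Rule, ...]) -> None:
        self.policy = policy
        self.audit_log: List[str] = []   # constructed in-memory log sink

    def handle(self, req: Request) -> str:
        decision = pdp_evaluate(self.policy, req)
        # NotApplicable is resolved by the PEP, not the PDP: fail closed.
        effect = decision.effect if decision.effect in ("Permit", "Deny") else "Deny"
        for pc in decision.post_conditions:
            if pc == "log":
                self.audit_log.append(
                    f"{req.at.isoformat()} {req.subject} {req.action} "
                    f"{req.resource} -> {effect} (rule={decision.matched_rule})")
            else:
                # Assumed design choice: a post-condition this PEP cannot
                # honour turns the outcome into a Deny instead of being ignored.
                effect = "Deny"
        return effect


def request_at(subject: str, action: str, resource: str,
               hour: int, minute: int = 0) -> Request:
    """Build a request on a fixed constructed date, varying only the time."""
    return Request(subject, action, resource, datetime(2002, 2, 15, hour, minute))


# Constructed policy: writes to the ledger outside office hours are permitted
# but must be logged; daytime writes and all reads are permitted without a log.
POLICY: Tuple[Rule, ...] = (
    Rule("night-writes-logged", "write", "/finance/ledger", 18, 6, "Permit", ("log",)),
    Rule("day-writes", "write", "/finance/ledger", 6, 18, "Permit"),
    Rule("reads", "read", "/finance/ledger", None, None, "Permit"),
    # Hypothetical post-condition that this PEP does not understand.
    Rule("export-notify", "export", "/finance/ledger", None, None, "Permit", ("notify-owner",)),
)


if __name__ == "__main__":
    pep = PEP(POLICY)
    print(pep.handle(request_at("alice", "write", "/finance/ledger", 23, 37)))
    print(pep.audit_log)
```

Running it shows the point of the thread in miniature: `pdp_evaluate` has no side effects and returns `("log",)` only as data, while every log line is written by `PEP.handle`, so PDP-level logging of every request (the first category in the reply) could be added as a wrapper around the PDP without touching the policy at all.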