OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [xacml] Proposed resolution to PM-1-02: Post-Conditions

I believe the following issue from Issues Version 05 for which Simon is
listed as the champion can be closed based on our latest Face-to-Face
agreements. Besides this resolution, I would like to raise a new issue
"Combiner example for obligations".

ISSUE: PM-1-02: Post-Conditions

We use the term "obligation" to mean what we have previously been calling
"post condition". The issue of the term is addressed in  PM-1-03.

The obligation is an annotation that MAY be specified in a policyStatement
and/or policyCombinationStatement that should be returned in conjunction
with access meaning that the obligation(s) should be executed in
conjunction with access. The obligation is specified using URI reference
with optional arguments. The processing rules of the obligation is defined
by ruleSet combiner or policySet combiner. XACML provides a couple of
combiner examples that deals with obligations in the informative section.
The actual meaning of each obligation differs from application. It also
depends on the configuration of the PEP and/or PDP. If the PEP does not
understand an obligation, the PEP should deny access. The PDP just collects
obligations.

(from F2F#4 minutes)
The set of obligations returned by each level of evaluation includes only
those obligations associated with the effect element being returned by the
given level of evaluation.  For example, a policy set may include some
policies that return Permit and other policies that return Deny for a given
request evaluation. If the policy combiner returns a result of Permit, then
only those obligations associated with the policies that returned Permit
are returned to the next higher level of evaluation.  If the PDP's
evaluation is viewed as a tree of policyCombinationStatements,
policyStatements, and rules, each of which returns "Permit" or "Deny", then
the set of obligations returned by the PDP will include only the
obligations associated paths where the effect at each level of evaluation
is the same as the effect being returned by the PDP.

Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC