
xacml message


Subject: [xacml] Proposed resolution from PM-8-01 to PM-8-07

I believe the following issues from Issues Version 05 for which I am listed
as the champion can be closed based on our latest
Face-to-Face agreements:

- ISSUE: PM-8-01: Internal vs. External post conditions
XACML does not support any distinction between internal obligation and
external obligation. It depends on the configuration of PEP and/or PDP.

- ISSUE: PM-8-02: Mandatory vs. advisory post conditions
XACML does not support any distinction between mandatory obligation and
advisory obligation. The meaning of the obligation is determined in each

- ISSUE: PM-8-03: Inapplicable
The obligation is not returned to the PEP when the authorization decision is
determined as inapplicable or indeterminate.

- ISSUE: PM-8-04: Base policy vs. policy reference
The obligation is specified in both policyStatement and
policyCombinationStatement. The scope of the obligation is defined in
ISSUE: PM-1-02 as "The set of obligations returned by each level of
evaluation includes only those obligations associated with the effect
element being returned by the given level of evaluation.  For example, a
policy set may include some policies that return Permit and other policies
that return Deny for a given request evaluation. If the policy combiner
returns a result of Permit, then only those obligations associated with the
policies that returned Permit are returned to the next higher level of
evaluation.  If the PDP's evaluation is viewed as a tree of
policyCombinationStatements, policyStatements, and rules, each of which
returns "Permit" or "Deny", then the set of obligations returned by the PDP
will include only the obligations associated with paths where the effect at each
level of evaluation is the same as the effect being returned by the PDP."

- ISSUE: PM-8-05: How to return post-condition via SAML
(I will post the resolution for this issue later)

- ISSUE: PM-8-06: When to execute post condition
When and how the PEP executes an obligation depends on each application. XACML
(as PDP) does not assume any specific semantics. While an obligation implies
that the specified operation must be dealt with prior to the requested access,
it does not necessarily mean that the specified operations must be executed
synchronously. Taking an obligatory operation usage scenario like
"customers can register themselves with their private information provided
that such information is deleted in 90 days--- the obligation is
delete-in-90days", it is impossible to execute the "delete-in-90days"
obligation prior to the requested access. It would be reasonable if such an
operation were queued in the application and guaranteed to be executed later.

- ISSUE: PM-8-07: Extension point (line 1315 is a typo; the issue number
should be PM-8-07)
The extension points of obligation are (1) obligationId in policyStatement or
policyCombinationStatement and (2) the ruleSet combiner or policySet combiner.
This allows policy writers to specify an arbitrary identifier for a
user-defined obligation and to specify the semantics of how the obligation is
computed in response to the access request.

Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
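The obligation-scoping rule quoted under PM-8-04, together with the PM-8-03 rule that an inapplicable or indeterminate decision returns no obligations, as an added Python example that is not part of the original message or of any XACML implementation. The policy tree, the obligation identifiers and the deny-overrides combiner below are constructed for illustration and simplified relative to the specification.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Decision = Tuple[str, List[str]]  # (effect, obligation ids returned upward)

@dataclass
class Rule:
    effect: str                      # effect produced when the target matches
    matches: Callable[[dict], bool]  # target predicate over the request
    obligations: List[str] = field(default_factory=list)

    def evaluate(self, request: dict) -> Decision:
        if not self.matches(request):
            return NOT_APPLICABLE, []
        return self.effect, list(self.obligations)

def deny_overrides(effects: List[str]) -> str:  # simplified: any Deny wins, then any Permit
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

@dataclass
class Policy:  # a policyStatement or policyCombinationStatement node of the tree
    children: list                   # Rules or nested Policies
    combiner: Callable[[List[str]], str] = deny_overrides
    obligations: Dict[str, List[str]] = field(default_factory=dict)  # keyed by effect

    def evaluate(self, request: dict) -> Decision:
        results = [child.evaluate(request) for child in self.children]
        effect = self.combiner([e for e, _ in results])
        if effect not in (PERMIT, DENY):
            return effect, []        # PM-8-03: nothing for NotApplicable / Indeterminate
        # PM-8-04: keep only obligations from children whose effect equals the one
        # returned here, then add this node's own obligations attached to that effect.
        kept = [o for e, obs in results if e == effect for o in obs]
        return effect, kept + self.obligations.get(effect, [])

def build_sample_pdp() -> Policy:
    # Constructed sample policies; the identifiers are hypothetical.
    register = Rule(PERMIT, lambda r: r["action"] == "register", ["delete-in-90days"])
    block_minor = Rule(DENY, lambda r: r.get("age", 99) < 18, ["notify-guardian"])
    customer_policy = Policy([register], obligations={PERMIT: ["audit-permit"]})
    age_policy = Policy([block_minor], obligations={DENY: ["audit-deny"]})
    return Policy([customer_policy, age_policy])

def decide(request: dict) -> Decision:
    return build_sample_pdp().evaluate(request)
```

For a minor's registration request the customer policy still returns Permit with its obligations, but the deny-overrides policy set returns Deny, so only the Deny-path obligations reach the PEP.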
