[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] AA45: make data-flow diagram consistent with 7.7 Use profilefor XACML request
TEXT LOCATION: 3.1 Data-flow model, Figure 1 - Data-flow diagram
TEXT CHANGE: Replace diagram with:
access requester --2. access request----> PEP --13. obligations--> obligations
| ^ service
| |
3. request 12. response
| |
| |
V |
PDP <--4. request notification---- context handler <---8. resource--> resource
content
---5. attribute queries------>
^ <--10. attributes------------
| --11. response context-------->
| | ^ ^
| | | |--9. environment--> environment
| | | attributes
| | |
| 6. attribute 7. attributes
| queries |
1. policy | |
| | |
| V |
PAP PIP
TEXT LOCATION: 3.1 Data-flow model, Steps 1-12
TEXT CHANGE: Replace text for steps as follows:
1. PAPs write policies and make them available to the PDP.
2. The access requester sends a request for access to the PEP.
3. The PEP sends the request for access to the context handler in
its native request format, optionally including additional
attributes of the subjects, resource and action. The
context handler translates the information in the native
request into a form consistent with an XACML Request Context
(see Section 7.7 Use profile for XACML request).
4. The PEP notifies the PDP that a request is available for
evaluation.
5. Based on its initial policy (see Section 7.1 Initial
policy), the PDP issues attribute queries to the context
handler based on the attributes required to evaluate the
initial policy and those policies referenced from it.
Attribute queries are expressed in the form of
AttributeDesignators or AttributeSelectors.
6. The context handler may issue attribute queries to a PIP in
order to resolve attributes not present in the native
request.
7. The PIP returns the requested attributes to the context
handler.
8. The context handler may optionally obtain information from
the resource itself.
9. The context handler may optionally obtain information from
the environment.
10. The context handler makes the requested attributes available
to the PDP "as if" the requested attributes were located in
a Request Context. The PDP evaluates the policy.
11. The PDP returns the response context (including its
decision) to the context handler.
12. The context handler translates the response context to the
native response format of the PEP. The context handler
returns the response to the PEP.
13. The PEP fulfills the obligations
14. (Not shown) if access is permitted, then the PEP permits
access to the resource; otherwise, it denies access.
RATIONALE: Make diagram and steps consistent with respect to
"notional" Request Context and how/when attributes are obtained.
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC