
Subject: [xacml] AA45: make data-flow diagram consistent with 7.7 Use profile for XACML request

TEXT LOCATION: 3.1 Data-flow model, Figure 1 - Data-flow diagram
TEXT CHANGE: Replace diagram with:

access requester --2. access request----> PEP --13. obligations--> obligations
                                          | ^                      service
                                          | |
                                 3. request 12. response
                                          | |
                                          | |
                                          V |
PDP <--4. request notification---- context handler <---8. resource--> resource
    ---5. attribute queries------>            
 ^  <--10. attributes------------             
 |  --11. response context-------->
 |                                       |  ^    ^
 |                                       |  |    |--9. environment--> environment
 |                                       |  |          attributes
 |                                       |  |
 |                            6. attribute  7. attributes
 |                                 queries  |
1. policy                                |  |
 |                                       |  |
 |                                       V  |
PAP                                      PIP

TEXT LOCATION: 3.1 Data-flow model, Steps 1-12
TEXT CHANGE: Replace text for steps as follows:

  1. PAPs write policies and make them available to the PDP.
  2. The access requester sends a request for access to the PEP.
  3. The PEP sends the request for access to the context handler in
     its native request format, optionally including additional
     attributes of the subjects, resource and action.  The
     context handler translates the information in the native
     request into a form consistent with an XACML Request Context
     (see Section 7.7 Use profile for XACML request).
  4. The PEP notifies the PDP that a request is available for
  5. Based on its initial policy (see Section 7.1 Initial
     policy), the PDP issues attribute queries to the context
     handler based on the attributes required to evaluate the
     initial policy and those policies referenced from it.
     Attribute queries are expressed in the form of
     AttributeDesignators or AttributeSelectors.
  6. The context handler may issue attribute queries to a PIP in
     order to resolve attributes not present in the native
  7. The PIP returns the requested attributes to the context
  8. The context handler may optionally obtain information from
     the resource itself.
  9. The context handler may optionally obtain information from
     the environment.
  10. The context handler makes the requested attributes available
      to the PDP "as if" the requested attributes were located in
      a Request Context.  The PDP evaluates the policy.
  11. The PDP returns the response context (including its
      decision) to the context handler.
  12. The context handler translates the response context to the
      native response format of the PEP.  The context handler
      returns the response to the PEP.
  13. The PEP fulfills the obligations.
  14. (Not shown) if access is permitted, then the PEP permits
      access to the resource; otherwise, it denies access.

RATIONALE: Make diagram and steps consistent with respect to
"notional" Request Context and how/when attributes are obtained.

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
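As an added example (not part of the original post or of the XACML specification itself), the following Python sketch models the data flow of steps 1 to 14 above, in particular the "notional" Request Context: the PDP pulls attributes through the context handler, which issues a PIP query only for attributes the native request did not carry. The policy, PIP contents, request and attribute names are all constructed values.

```python
from dataclasses import dataclass, field
# Step 1: the policy the PAP makes available to the PDP. AttributeDesignators
# are modelled as (category, attribute-id) tuples; first applicable rule wins.
POLICY = {
    "rules": [({("subject", "role"): "doctor", ("resource", "type"): "record"}, "Permit"),
              ({("resource", "type"): "record"}, "Deny")],
    "obligations": {"Permit": ["log-access"]},      # effect -> obligations for the PEP
}
# Constructed PIP contents and native request; note the request carries no role.
PIP = {("subject", "role"): "doctor", ("environment", "time"): "09:00"}
REQUEST = {"subject": {"id": "alice"}, "resource": {"type": "record"},
           "action": {"id": "read"}}

@dataclass
class ContextHandler:
    pip: dict                                       # designator -> value
    request_context: dict = field(default_factory=dict)
    pip_queries: list = field(default_factory=list)  # steps 6/7 actually issued

    def translate(self, native_request):            # step 3
        self.request_context = {(cat, aid): val
                                for cat, attrs in native_request.items()
                                for aid, val in attrs.items()}

    def attribute_query(self, designator):          # steps 5, 6, 7 and 10
        if designator not in self.request_context:
            self.pip_queries.append(designator)
            if designator not in self.pip:
                return None                         # attribute unavailable
            # step 10: hand it to the PDP "as if" it were in the Request Context
            self.request_context[designator] = self.pip[designator]
        return self.request_context[designator]

def pdp_evaluate(policy, handler):
    """Steps 5-11: evaluate rules, pulling attributes through the context handler."""
    for conditions, effect in policy["rules"]:
        if all(handler.attribute_query(d) == v for d, v in conditions.items()):
            return {"Decision": effect,
                    "Obligations": policy["obligations"].get(effect, [])}
    return {"Decision": "NotApplicable", "Obligations": []}

def pep(native_request, policy, pip):
    """Steps 2-4 and 12-14: PEP enforces the decision after fulfilling obligations."""
    handler = ContextHandler(pip=pip)
    handler.translate(native_request)
    response = pdp_evaluate(policy, handler)
    fulfilled = list(response["Obligations"])       # step 13
    permitted = response["Decision"] == "Permit"    # step 14
    return permitted, fulfilled, handler.pip_queries
```

Calling `pep(REQUEST, POLICY, PIP)` permits access with the `log-access` obligation, and the returned query list shows that only the missing `role` attribute was fetched from the PIP.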
