Subject: [xacml] Problem Statement for "Obligations in rule element"
This is a concrete problem statement for the XACML 1.1 work item titled "obligations in rule element". The current XACML spec allows obligations to be specified in the policy element. For example, you can specify a policy like "if the age of the requesting subject is equal to or larger than 20, then access to resource A is allowed. If the age is between 16 and 20, then access is allowed provided the access is audited. Otherwise, access is denied". Description 1 shows a sample policy specification:

- Description 1:

    <Policy PolicyId="P1">
      <Target>resource A</Target>
      <Rule Effect="Permit">
        <Condition>if age is equal or larger than 20</Condition>
      </Rule>
    </Policy>
    <Policy PolicyId="P2">
      <Target>resource A</Target>
      <Rule Effect="Permit">
        <Condition>if age is between 16 and 20</Condition>
      </Rule>
      <Obligation>audit</Obligation>
    </Policy>

The problem is that we need two policies that have the same target specification "resource A", and there is much duplication between the two policies. If we allow obligations in <Rule>, this becomes a much more concise policy:

- Description 2:

    <Policy PolicyId="P1">
      <Target>resource A</Target>
      <Rule Effect="Permit">
        <Condition>if age is equal or larger than 20</Condition>
      </Rule>
      <Rule Effect="Permit">
        <Condition>if age is between 16 and 20</Condition>
        <Obligation>audit</Obligation>
      </Rule>
    </Policy>

Therefore, the XACML schema should support obligation specification at the rule level.

Michiharu Kudo
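
The equivalence of Description 1 and Description 2, as an added example that is not part of the original message: a toy Python model (not a conformant XACML engine) that evaluates both forms and compares decision and obligations. It assumes first-applicable combining for rules and policies, inclusive age bounds, and a default Deny; all class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Decision = Tuple[str, List[str]]  # (effect, obligations the PEP must fulfil)

@dataclass
class Rule:
    effect: str
    condition: Callable[[int], bool]
    obligations: List[str] = field(default_factory=list)  # proposed rule-level form

@dataclass
class Policy:
    policy_id: str
    target: str
    rules: List[Rule]
    obligations: List[str] = field(default_factory=list)  # policy-level form

def evaluate_policy(policy: Policy, resource: str, age: int) -> Optional[Decision]:
    """Return the first matching rule's effect, or None when not applicable."""
    if policy.target != resource:
        return None
    for rule in policy.rules:  # assumption: first-applicable rule combining
        if rule.condition(age):
            return rule.effect, policy.obligations + rule.obligations
    return None

def evaluate(policies: List[Policy], resource: str, age: int) -> Decision:
    for policy in policies:  # assumption: first-applicable policy combining
        result = evaluate_policy(policy, resource, age)
        if result is not None:
            return result
    return "Deny", []  # "Otherwise, access is denied"

def is_20_or_older(age: int) -> bool:
    return age >= 20

def is_16_to_20(age: int) -> bool:
    return 16 <= age <= 20  # assumption: inclusive bounds, so 20 matches both

DESCRIPTION_1 = [Policy("P1", "resource A", [Rule("Permit", is_20_or_older)]),
                 Policy("P2", "resource A", [Rule("Permit", is_16_to_20)], ["audit"])]
DESCRIPTION_2 = [Policy("P1", "resource A", [Rule("Permit", is_20_or_older),
                                             Rule("Permit", is_16_to_20, ["audit"])])]

def equivalent(ages=range(0, 100)) -> bool:
    """True when both descriptions give the same decision and obligations."""
    return all(evaluate(DESCRIPTION_1, "resource A", a) ==
               evaluate(DESCRIPTION_2, "resource A", a) for a in ages)
```

Under these assumptions age 20 matches the first rule, so no audit obligation is returned; a different rule order or combining algorithm would change that boundary case.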