
Subject: Re: [xacml] Rule References

Polar Humenn wrote:

> Once rules incorporated referenced from outside the policy, it becomes 
> unwieldy, as you cannot specify the evaluation semantics of a policy in 
> the face of dynamically updating outside rules.

it's not 'outside of the policy' so much as 'outside of the system' that 
i think causes the problems. this is a very appealing administrative 
feature; assume that you have a rule that is used in a large number of 

grant access X if Y

where Y is some common condition like business hours. referential rules 
will allow you to change a single rule for numerous policies in one 
place. from a physical standpoint this greatly reduces the chance for 
typographical error and ensures consistency across all policies 
'subscribed' to the rule.

semantic definition is still possible, but it is limited to a 'closed 
system' (where updates to rules--or components of rules--stimulate the 
system to reevaluate affected policies). not sure if this [closed system] 
is a practical limitation, and it is unenforceable (particularly if 
defined as a URI).

i find the overall concept attractive from an administration and policy 
storage perspective, but only as an implementation specific optimization 
mechanism. personally, i do it now for policy storage by *internally* 
indexing virtually all policy components; none of it is apparent to the 
XACML interface (not that it could handle it).

what i think we need to consider is what XACML is defined to achieve. if 
it is simply a mechanism for the *interchange* of policy information then 
the integrity of the policy demands that all externally referenced 
information be fully disclosed at the time of transfer (excluding 
*static* references like specifications, standards, etc.) this then 
means that an additional mechanism for the full disclosure of external 
references must be defined or that the contents of these references 
be incorporated into the policy in expanded form.

neither is particularly appealing, so i would tend to agree that rule 
references are NOT practical in the scope of the XACML standard as i 
understand it. (the logic of which cascades down to conditions and 
obligations as well).
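The "incorporated into the policy in expanded form" option above, as an added illustration that is not part of the original message or of any XACML implementation: a shared rule (the 'business hours' condition) is referenced by several policies, resolved from a local registry before interchange, and a reference that points outside the closed system is refused rather than shipped undisclosed. The dict-based policy shape, the registry name and the URIs are assumptions for the example, not XACML syntax.

```python
# Added illustration: expanding rule references before a policy is
# interchanged. The {"ref": ...} dict form is an assumption for this
# example, not real XACML XML.

class UnresolvedReference(Exception):
    """Raised when a policy still points at a rule outside the closed system."""


def expand_policy(policy, local_rules):
    """Return a copy of `policy` with every {"ref": uri} replaced by the rule
    registered under that uri in `local_rules`, following chained references.
    A uri missing from `local_rules` is 'outside the system' and cannot be
    disclosed at transfer time, so expansion fails instead of hiding it."""
    def resolve(rule, seen):
        if "ref" in rule:
            ref = rule["ref"]
            if ref not in local_rules:
                raise UnresolvedReference(ref)
            if ref in seen:  # reference chain loops back on itself
                raise UnresolvedReference(f"cycle through {ref}")
            return resolve(local_rules[ref], seen | {ref})
        return dict(rule)  # inline rule: copied unchanged
    expanded = dict(policy)
    expanded["rules"] = [resolve(r, frozenset()) for r in policy["rules"]]
    return expanded


def has_external_refs(policy):
    """True if any rule in `policy` is still an unexpanded reference."""
    return any("ref" in r for r in policy["rules"])


# constructed sample: one shared 'business hours' rule used by two policies
LOCAL_RULES = {
    "urn:example:rules:business-hours": {
        "effect": "Permit", "target": "resource-X",
        "condition": "time-in-range(09:00,17:00)"},
}
POLICY_A = {"id": "A", "rules": [{"ref": "urn:example:rules:business-hours"}]}
POLICY_B = {"id": "B", "rules": [{"ref": "urn:example:rules:business-hours"},
                                 {"effect": "Deny", "target": "resource-Z"}]}
POLICY_EXTERNAL = {"id": "C", "rules": [{"ref": "http://other.example/rule1"}]}

if __name__ == "__main__":
    for p in (POLICY_A, POLICY_B):
        print(expand_policy(p, LOCAL_RULES))
    try:
        expand_policy(POLICY_EXTERNAL, LOCAL_RULES)
    except UnresolvedReference as e:
        print("refused to transfer, undisclosed reference:", e)
```

Editing the single registered rule and re-running expansion updates every policy subscribed to it, which is the administrative benefit described above; the refusal on an unregistered URI is the integrity check the interchange case demands.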


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]