OASIS Mailing List Archives


xacml message

Subject: Re: [xacml] Rule References

On 6 June, bill parducci writes: Re: [xacml] Rule References
 > what i think we need to consider is what XACML is defined to achieve. if 
 > it is simply a mechanism for the *interchange* of policy information then 
 > the integrity of the policy demands that all externally referenced 
 > information be fully disclosed at the time of transfer (excluding 
 > *static* references like specifications, standards, etc.) this then 
 > means that an additional mechanism for the full disclosure of external 
 > references must be defined or that the contents of these references 
 > be incorporated into the policy in expanded form.

Using XACML as a policy transfer language is only one of the
functions it was defined to achieve.  I see an even more
important function to be allowing standard PDPs to be
implemented, rather than requiring each application to implement
its own policy evaluation engine.

During a transition period, I expect many products to use XACML
primarily as a transfer language, which will be translated into
their existing "native" policy language prior to evaluation.  Use
of XACML in this way, however, typically means that the XACML
policies must be severely constrained, since it is hard to
translate the expressive logic of unconstrained XACML policies
into most existing application policy languages.  Constraining
the input XACML policies, however, means that the policy
administration tools must support the constraints, meaning that
"standard" policy administration tools can't be used.

I think the push over time will be for more products to use
native XACML evaluation engines.  I also expect that newer
products will start out with a native XACML evaluation engine.

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
