

Subject: Re: [xacml] Managing with XACML


it seems to me that the state issue only applies to asynchronous 
decision parameters (something that has caused much discussion with 
obligations! ;o). i am not suggesting that this be discounted but that i 
believe there is value in synchronous decision conditions.

for example a request to read a resource of www.foo.com with a decision 
of permit and the condition that access 10.1.1.1 be allowed (vs. an 
obligation of 'email admin') has a number of applications.

FWIW: i think that philosophically we actually have started to address 
this issue with our handling of hierarchical resources: 'can i access 
foo.xml? (yes, node1, node3, node5...)'

b


Anne Anderson wrote:

> Tim,
> 
> I read over your paper, and find it interesting - it is pretty
> much what I have described to people as a "hack" if they want to
> do this type of thing with XACML.
> 
> A component your paper does not describe is "state": ECA policies
> often seem to use "state".  Part of the solution is simple: the
> Management Profile or Extension could require that the PDP return
> an Attribute containing the new state among the Obligations, and
> could require that the PEP pass in the most recently returned
> state Attribute with the next request.  One issue, however, is
> that, since Rules in multiple policies may be triggered, more
> than one "state" Attribute might be returned: how could this be
> managed theoretically and practically?  Another issue with state
> is what the state is associated with: is it a session that is
> maintained by the PEP, or is it an overall state maintained by
> the PDP?
> 
> While I think this would be useful work, I doubt I would have
> much time to devote to it.  If my role was merely to comment on a
> specification developed by someone else, I would be happy to do
> that.  There may be other people at Sun who would be interested
> in this, however, so I will ask around.
> 
> I want to have someone here who deals more with ECA policies to
> look it over and comment on other issues that might need to be
> considered.
> 
> Anne


