Subject: Re: [xacml] Another public comment on admin policy


I thought that this is exactly what the delegation proposal is trying to
solve. The action of an administrative policy in the delegation draft is
to create another policy. We then verify that with a multi-stage
evaluation procedure.

However, to me "entitlement" means more than just access. If you have a
"permission" it means you will be able to get access. However, if you
have an "entitlement", it means that you have the right to access and
the other party may not deny access to you. The difference doesn't make
any sense in the scope of XACML alone, but is relevant in a contract
framework. It could be the case that you are entitled to something
according to a contract, and then denied access by an access control
implementation of the counter party. This would mean a breach of
contract and would lead to other actions to be taken, for instance
compensation to be paid. But, as I said, entitlements in this sense are
outside the scope of XACML.

Best regards, Erik


Daniel Engovatov wrote:
> Maybe he is referring to delegation of entitlements - when the action of
> a policy means "delegate" an effect of another policy - two stage
> evaluation.  That is not quite what the current delegation proposal is
> trying to solve, is it?
> Daniel;
>
>
> -----Original Message-----
> From: Erik Rissanen [mailto:mirty@sics.se] 
> Sent: Monday, May 29, 2006 8:31 AM
> To: Anne.Anderson@sun.com
> Cc: xacml; pog@itst.dk
> Subject: Re: [xacml] Another public comment on admin policy
>
> Again, I don't quite understand this. Could you provide an example or
> elaborate?
>
> However, it is possible to do a lot with custom policy combining
> algorithms. I implemented my experimental delegation in XACML 1.1 using
> obligations and a custom policy combining algorithm.
>
> Best regards, Erik
>
>
> Anne Anderson wrote:
>> Erik?
>>
>> Regards,
>> Anne
>>
> ------------------------------------------------------------------------
>> Subject:
>> [xacml-comment] Public Comment
>> From:
>> comment-form@oasis-open.org
>> Date:
>> Mon, 29 May 2006 12:22:35 +0000
>> To:
>> xacml-comment@lists.oasis-open.org
>>
>> Comment from: pog@itst.dk
>>
>> Name: Alt. Solution II
>> Title: IT-architect
>> Organization: ISK, ITST, MVTU
>> Regarding Specification: XACML v3.0 administrative policy
>>
>> A remark on page 9: Has there been any consideration on using XACML as is?
>> Delegation is one policy reformulated into a policy set and split into two policies.
>> The Policy-Combining algorithm is given the existence of the original policy as a prerequisite.
>> The first of the new policies describes the rule constraining the relation between the original holder and new.
>> The second of the new policies describes the rule constraining the relation between the new holder and the original resource.
>> Kind Regards
>> Per-Olav Gramstad
>>

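The two-policy split proposed in the public comment, together with the multi-stage evaluation Erik describes, as an added illustration that is not part of this thread and not any XACML implementation: a small Python evaluator with a hypothetical custom combining algorithm. The policy names, the sample subjects (alice, bob, mallory), the resource paths and the "delegator" request attribute are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# A request is a flat attribute dict: subject, resource, action and, for
# delegated access, "delegator" (the original holder the subject acts under).
Request = Dict[str, str]
Rule = Callable[[Request], bool]


@dataclass
class Policy:
    policy_id: str
    target: Rule   # does the policy apply to this request at all?
    permit: Rule   # if it applies, does it permit (otherwise Deny)?

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return "NotApplicable"
        return "Permit" if self.permit(req) else "Deny"


def delegation_combiner(original: Policy, holder_to_new: Policy,
                        new_to_resource: Policy, req: Request) -> str:
    """Hypothetical combining algorithm (an assumption, not the standard's):
    stage 1 - the original policy is a prerequisite and must permit the
    delegator; stage 2 - holder-to-new must permit the delegator/subject pair;
    stage 3 - new-to-resource decides the delegate's own access."""
    if "delegator" not in req:
        return original.evaluate(req)        # not a delegated request
    as_delegator = dict(req, subject=req["delegator"])
    if original.evaluate(as_delegator) != "Permit":
        return "Deny"                        # nothing to delegate
    if holder_to_new.evaluate(req) != "Permit":
        return "Deny"                        # delegation relation not allowed
    return new_to_resource.evaluate(req)


# Constructed sample policies: alice may read /contracts/*, may delegate only to
# her team, and a delegate may only read regardless of what it asks for.
TEAM = {"alice": {"bob"}}
ORIGINAL = Policy("original", lambda r: r["resource"].startswith("/contracts/"),
                  lambda r: r["subject"] == "alice" and r["action"] == "read")
HOLDER_TO_NEW = Policy("holder-to-new", lambda r: "delegator" in r,
                       lambda r: r["subject"] in TEAM.get(r["delegator"], set()))
NEW_TO_RESOURCE = Policy("new-to-resource", lambda r: "delegator" in r,
                         lambda r: r["action"] == "read")


def decide(req: Request) -> str:
    return delegation_combiner(ORIGINAL, HOLDER_TO_NEW, NEW_TO_RESOURCE, req)
```

A delegate can never obtain more than the original holder has: a "write" request under alice's delegation fails at stage 1 because alice herself is only permitted to read.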