Subject: New Issue #61: WS-XACML: How are the contents of XACMLAuthzAssertions represented in the base XACML Policies
61. WS-XACML: How are the contents of XACMLAuthzAssertions represented in the base XACML Policies
(Submitted by: Rich)
Reading the spec, it appeared to me that an important piece of info might be missing (or else I missed it, or it is intentionally not there, but that's the point of this issue). As an entry point to this potential issue, consider the statement in Section 4, p. 23, para 2, that says
"For security reasons, many entities are unwilling to publish their complete authorization and access control policies. Therefore, an XACMLAuthzAssertion MAY not be a complete specification of an entity's authorization and access control policy. A service MAY choose to publish all or a subset of the XACMLauthorization or access control policy it will apply with respect to particular policy targets."
How are the subsets of the core XACML policies identified as to what should and should not be made public? Also, it would be of interest to see some example policies that contain entities that end up in the Capabilities and Requirements sections of the Assertions. I am particularly interested in how privacy requirements might be set up in the original policy, since these are generally not part of the authorization process per se, but could possibly be considered to be modelled as XACML Obligations. Any guidance on this, in reply to the issue or as changes to the doc, would be much appreciated.