Subject: Re: [xacml] Issue#12: Obligations: Chronicle Attribute


There is a notion of priority in the obligations under proposal. The 
addition of timing seems appropriate as an addition.

Anne Anderson wrote:
> We have received a proposal to add timing of obligation fulfilment as 
> a use case for our generalized Obligations work. I think this use case 
> is well-supported and should be incorporated into our work. I am 
> forwarding the proposal for those of you not on xacml-users.
>
> Regards,
> Anne
>
> ------------------------------------------------------------------------
>
> Subject:
> [xacml-users] Chronicle Attribute
> From:
> David Chadwick <d.w.chadwick@kent.ac.uk>
> Date:
> Fri, 25 May 2007 18:23:56 +0100
> To:
> xacml-users@lists.oasis-open.org
>
>
> Dear List
>
> in our recent research with Grid coordinated access control decision 
> making, we used obligations to update a coordination database to 
> record details of a user's actions. The coordination database performs 
> the same function as the retained ADI in ISO 10181-3. In this way we 
> can implement applications such as ATM machine cash withdrawals over a 
> distributed network using multiple stateless PDPs (such as the XACML 
> PDP), and ensure that a user does not withdraw more than X amount per 
> day from whichever machine he goes to.
>
> We have presented two papers about this, at Policy 2006 and MGC 2006.
>
> David W Chadwick, Linying Su, Oleksandr Otenko, Romain Laborde. 
> “Coordination between Distributed PDPs”. Proc. of 7th IEEE 
> International Workshop on Policies for Distributed Systems and 
> Networks, London, Ontario, 5-7 June 2006, pp. 163-172.
>
> David W Chadwick, Linying Su, Romain Laborde. “Providing Secure 
> Coordinated Access to Grid Services”. Proceedings of 4th International 
> Workshop on Middleware for Grid Computing - MGC 2006, in conjunction 
> with ACM/IFIP/USENIX 7th International Middleware Conference 2006, 
> Melbourne, Australia, November 27, 2006.
>
>
> The net result is that we need a new attribute adding to the 
> obligation element in XACML. The purpose of this attribute is a 
> directive to the PEP to tell it WHEN to carry out the obligation: 
> either Before, With, or After enforcing the user's access request. In 
> most grid applications With is not appropriate since grid jobs can run 
> for hours or days. So Before or After are often the most appropriate 
> for grids (e.g. when to send an email notification? before the job 
> starts or after it finishes). We have implemented a Before option in 
> GT4 with a coordination PDP that talks to an XACML PDP (more details 
> of this in the MGC paper).
>
> Here is the new schema for obligation that we propose
>
> > <xs:element name="Obligation" type="xacml:ObligationType"/>
> > <xs:complexType name="ObligationType">
> >   <xs:sequence>
> >     <xs:element ref="xacml:AttributeAssignment" minOccurs="0"
> >                 maxOccurs="unbounded"/>
> >   </xs:sequence>
> >   <xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
> >   <xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
> >   <xs:attribute name="Chronicle" type="xacml:ChronicleType" use="optional"/>
> > </xs:complexType>
>
> The Chronicle simple type is defined as:
>
> > <xs:simpleType name="ChronicleType">
> >   <xs:restriction base="xs:string">
> >     <xs:enumeration value="Before"/>
> >     <xs:enumeration value="With"/>
> >     <xs:enumeration value="After"/>
> >   </xs:restriction>
> > </xs:simpleType>
>
>
>
> regards
>
> David

-- 
Anil Saldhana
JBoss Security & Identity Management
http://labs.jboss.com/portal/jbosssecurity/
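As an added illustration, not code from this thread or from the proposal's authors, the following Python sketches how a PEP could consume a XACML 2.0 Response that carries the proposed Chronicle attribute: it parses the obligations, rejects any value outside the proposed Before/With/After enumeration, treats an absent attribute as With (an assumption made here, since the proposal does not state a default), and enforces Before obligations as a gate on the access, which is what the coordination-database use case needs (if the record cannot be written, the withdrawal must not proceed). The Response document, the ObligationIds, the AttributeId and the handlers are all constructed for this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: a XACML 2.0 Response whose obligations carry the proposed
# Chronicle attribute. ObligationIds and AttributeIds are invented for this example.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <Obligations xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
      <Obligation ObligationId="urn:example:obligation:record-withdrawal"
                  FulfillOn="Permit" Chronicle="Before">
        <AttributeAssignment AttributeId="urn:example:amount"
            DataType="http://www.w3.org/2001/XMLSchema#integer">200</AttributeAssignment>
      </Obligation>
      <Obligation ObligationId="urn:example:obligation:notify-user"
                  FulfillOn="Permit" Chronicle="After"/>
      <Obligation ObligationId="urn:example:obligation:log-denial"
                  FulfillOn="Deny"/>
    </Obligations>
  </Result>
</Response>"""

CHRONICLE_VALUES = ("Before", "With", "After")   # the proposed ChronicleType enumeration
DEFAULT_CHRONICLE = "With"   # assumption: an absent Chronicle keeps today's behaviour


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str
    chronicle: str
    attributes: dict = field(default_factory=dict)


def _local(tag: str) -> str:
    """Strip the namespace so the code works with either XACML namespace."""
    return tag.rsplit("}", 1)[-1]


def parse_response(xml_text: str):
    """Return (decision, obligations); an unknown Chronicle value is rejected, not ignored."""
    root = ET.fromstring(xml_text)
    decision = next(e.text.strip() for e in root.iter() if _local(e.tag) == "Decision")
    obligations = []
    for el in root.iter():
        if _local(el.tag) != "Obligation":
            continue
        chronicle = el.get("Chronicle", DEFAULT_CHRONICLE)
        if chronicle not in CHRONICLE_VALUES:
            raise ValueError(f"unknown Chronicle value {chronicle!r} on {el.get('ObligationId')}")
        attrs = {a.get("AttributeId"): (a.text or "").strip()
                 for a in el if _local(a.tag) == "AttributeAssignment"}
        obligations.append(Obligation(el.get("ObligationId"), el.get("FulfillOn"), chronicle, attrs))
    return decision, obligations


def schedule(obligations, decision):
    """Group the obligations that apply to this decision by when the PEP must fulfil them."""
    phases = {phase: [] for phase in CHRONICLE_VALUES}
    for ob in obligations:
        if ob.fulfill_on == decision:
            phases[ob.chronicle].append(ob)
    return phases


def enforce(xml_text, handlers, grant_access):
    """PEP driver. handlers maps ObligationId -> callable(Obligation) -> bool.

    Before obligations run first and gate the access: if one fails (e.g. the
    coordination database refuses the update) a Permit is not acted upon. With
    obligations run alongside the grant and also must succeed. After obligations
    run once the access has been granted. Returns (granted, trace).
    """
    decision, obligations = parse_response(xml_text)
    phases = schedule(obligations, decision)
    trace = []

    def run(ob):
        handler = handlers.get(ob.obligation_id)
        ok = bool(handler(ob)) if handler else False   # an unfulfillable obligation is a failure
        trace.append((ob.chronicle, ob.obligation_id, ok))
        return ok

    if decision != "Permit":
        for ob in phases["Before"] + phases["With"] + phases["After"]:
            run(ob)                  # obligations attached to a Deny are still fulfilled
        return False, trace
    if not all([run(ob) for ob in phases["Before"]]):
        return False, trace
    if not all([run(ob) for ob in phases["With"]]):
        return False, trace
    grant_access()
    for ob in phases["After"]:
        run(ob)
    return True, trace
```

The list comprehensions inside `all()` are deliberate: every obligation in a phase is attempted and recorded in the trace before the phase's outcome is judged, so a failed first obligation does not hide whether the others would have succeeded.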


