Subject: Re: [xacml] Issue#12: Obligations: Chronicle Attribute
There is a notion of priority in the obligations under proposal. The addition of timing seems appropriate as an addition.

Anne Anderson wrote:
> We have received a proposal to add timing of obligation fulfilment as
> a use case for our generalized Obligations work. I think this use case
> is well-supported and should be incorporated into our work. I am
> forwarding the proposal for those of you not on xacml-users.
>
> Regards,
> Anne
>
> ------------------------------------------------------------------------
>
> > Subject: [xacml-users] Chronicle Attribute
> > From: David Chadwick <d.w.chadwick@kent.ac.uk>
> > Date: Fri, 25 May 2007 18:23:56 +0100
> > To: xacml-users@lists.oasis-open.org
> >
> > Dear List
> >
> > in our recent research with Grid coordinated access control decision
> > making, we used obligations to update a coordination database to
> > record details of a user's actions. The coordination database performs
> > the same function as the retained ADI in ISO 10181-3. In this way we
> > can implement applications such as ATM machine cash withdrawals over a
> > distributed network using multiple stateless PDPs (such as the XACML
> > PDP), and ensure that a user does not withdraw more than X amount per
> > day from whichever machine he goes to.
> >
> > We have presented two papers about this, at Policy 2006 and MGC 2006.
> >
> > David W Chadwick, Linying Su, Oleksandr Otenko, Romain Laborde.
> > "Coordination between Distributed PDPs". Proc of 7th IEEE
> > International Workshop on Policies for Distributed Systems and
> > Networks, London, Ontario, 5-7 June 2006 pp163-172.
> >
> > David W Chadwick, Linying Su, Romain Laborde. "Providing Secure
> > Coordinated Access to Grid Services". Proceedings of 4th International
> > Workshop on Middleware for Grid Computing - MGC 2006, In conjunction
> > with ACM/IFIP/USENIX 7th International Middleware Conference 2006,
> > Melbourne, Australia - November 27, 2006
> >
> > The net result is that we need a new attribute adding to the
> > obligation element in XACML. The purpose of this attribute is a
> > directive to the PEP to tell it WHEN to carry out the obligation:
> > either Before, With, or After enforcing the user's access request. In
> > most grid applications With is not appropriate since grid jobs can run
> > for hours or days. So Before or After are often the most appropriate
> > for grids (e.g. when to send an email notification? before the job
> > starts or after it finishes). We have implemented a Before option in
> > GT4 with a coordination PDP that talks to an XACML PDP (more details
> > of this in the MGC paper).
> >
> > Here is the new schema for obligation that we propose
> >
> >   <xs:element name="Obligation" type="xacml:ObligationType"/>
> >
> >   <xs:complexType name="ObligationType">
> >     <xs:sequence>
> >       <xs:element ref="xacml:AttributeAssignment" minOccurs="0"
> >                   maxOccurs="unbounded"/>
> >     </xs:sequence>
> >     <xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
> >     <xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
> >     <xs:attribute name="Chronicle" type="xacml:ChronicleType" use="optional"/>
> >   </xs:complexType>
> >
> > The Chronicle simple type is defined as:
> >
> >   <xs:simpleType name="ChronicleType">
> >     <xs:restriction base="xs:string">
> >       <xs:enumeration value="Before"/>
> >       <xs:enumeration value="With"/>
> >       <xs:enumeration value="After"/>
> >     </xs:restriction>
> >   </xs:simpleType>
> >
> > regards
> >
> > David

--
Anil Saldhana
JBoss Security & Identity Management
http://labs.jboss.com/portal/jbosssecurity/
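To make the proposal concrete from the PEP's side, here is an added example (not code from the thread, the XACML TC, or the Kent/GT4 implementation) of a toy PEP that reads Obligation elements carrying the proposed Chronicle attribute and fulfils them Before, With, or After the access it enforces. The sample Response is constructed for this example; the `urn:example:*` obligation ids are placeholders, and two behaviours the proposal leaves open are assumptions: an absent (optional) Chronicle is treated as `With`, and a value outside the enumeration, or an obligation the PEP has no handler for, causes the PEP to refuse access rather than grant it with an unfulfilled obligation.

```python
"""Toy PEP: orders XACML obligations by the proposed Chronicle attribute.

Added example; the Response below is constructed and the handler
identifiers are placeholders, not values from the mailing-list thread.
"""
import xml.etree.ElementTree as ET

# XACML 2.0 context and policy namespaces (the proposal names no new namespace,
# so the sample simply adds Chronicle to the existing Obligation element).
NS = {
    "ctx": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
    "pol": "urn:oasis:names:tc:xacml:2.0:policy:schema:os",
}

CHRONICLE_ORDER = ("Before", "With", "After")  # the proposed ChronicleType enumeration
DEFAULT_CHRONICLE = "With"  # assumption: Chronicle is optional; absent means "With"

# Constructed sample: a Permit with three applicable obligations and one Deny-only one.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
          xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Result>
    <Decision>Permit</Decision>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="urn:example:record-withdrawal"
                        FulfillOn="Permit" Chronicle="Before">
        <xacml:AttributeAssignment AttributeId="urn:example:amount"
            DataType="http://www.w3.org/2001/XMLSchema#integer">100</xacml:AttributeAssignment>
      </xacml:Obligation>
      <xacml:Obligation ObligationId="urn:example:notify-completion"
                        FulfillOn="Permit" Chronicle="After"/>
      <xacml:Obligation ObligationId="urn:example:audit-log" FulfillOn="Permit"/>
      <xacml:Obligation ObligationId="urn:example:alert-denied"
                        FulfillOn="Deny" Chronicle="With"/>
    </xacml:Obligations>
  </Result>
</Response>"""


class ObligationError(Exception):
    """An obligation cannot be interpreted or fulfilled; the PEP must not grant access."""


def parse_obligations(xml_text):
    """Return (decision, [obligation dicts]) for the obligations that apply to the decision."""
    root = ET.fromstring(xml_text)
    result = root.find("ctx:Result", NS)
    decision = result.findtext("ctx:Decision", namespaces=NS)
    obligations = []
    for ob in result.iterfind("pol:Obligations/pol:Obligation", NS):
        # XACML 2.0: an obligation applies only when FulfillOn matches the decision.
        if ob.get("FulfillOn") != decision:
            continue
        chronicle = ob.get("Chronicle", DEFAULT_CHRONICLE)
        if chronicle not in CHRONICLE_ORDER:
            raise ObligationError(
                f"unknown Chronicle {chronicle!r} on {ob.get('ObligationId')}")
        attrs = {a.get("AttributeId"): a.text
                 for a in ob.iterfind("pol:AttributeAssignment", NS)}
        obligations.append({"id": ob.get("ObligationId"),
                            "chronicle": chronicle, "attrs": attrs})
    return decision, obligations


def enforce(xml_text, handlers, perform_access):
    """Fulfil obligations around the access in Chronicle order; return the event trace.

    handlers maps ObligationId -> callable(attrs); perform_access() performs the
    guarded action and returns a result that is recorded in the trace.
    """
    decision, obligations = parse_obligations(xml_text)
    # Fail closed: a PEP that cannot fulfil every applicable obligation must not grant access.
    missing = [o["id"] for o in obligations if o["id"] not in handlers]
    if missing:
        raise ObligationError(f"no handler for {missing}; access must not be granted")

    trace = []

    def run(phase):
        for ob in obligations:
            if ob["chronicle"] == phase:
                handlers[ob["id"]](ob["attrs"])
                trace.append((phase, ob["id"]))

    if decision != "Permit":
        # No access to order around: fulfil any Deny-side obligations, then record the decision.
        for phase in CHRONICLE_ORDER:
            run(phase)
        trace.append(("decision", decision))
        return trace

    run("Before")   # e.g. record the withdrawal in the coordination database first
    run("With")     # fulfilled together with enforcing the access itself
    trace.append(("access", perform_access()))
    run("After")    # e.g. a completion notification once a long-running job ends
    return trace
```

Because `record-withdrawal` is marked `Before`, the coordination database is updated before cash is dispensed, which is what lets several stateless PDPs enforce a per-day limit; the `Deny`-only obligation is skipped on a Permit, and an obligation the PEP does not know how to fulfil blocks the access instead of being silently dropped.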