Subject: Groups - XACML 2.0 Interop Scenarios Version 0.10 (xacml-2.0-core-interop-draft-10-07.doc) uploaded
This is the update mentioned in the previous email. The problem with the previous version was that the PolicySet that was introduced to Scenario 2 was using the PolicySet example in xacml-core section 4.2.4.5 as a model. I suspected when I released the doc that more work needed to be done there and proceeded with that in parallel. Thanks to some generous assistance from Anne Anderson, I received guidance on how to use a Root PolicySet to initiate Policy execution, i.e., given a collection of Policies and a Request, how does the PDP know where to begin, and which Policies to include and which not? This problem is partially addressed in Scenario 2 with the addition of a Root PolicySet, with the idea being that the PDP knows to begin with that. The comments preceding that Root PolicySet indicate that at this point we are really getting into the vendor implementation area, where there are probably unlimited choices as to how to manage a collection of policies and optimize their evaluation. I am assuming each vendor already has their own solution to this problem and will have a means to determine that PolicySet 01 should be evaluated for a "Buy" Action on the "CustomerAccount" Resource.
In addition, the original PolicySet01 had some bugs that were addressed by using PolicyIdReferences which follow the basic algorithm of Scenario 2, which follows one more time with corrections:

    buy-total = buy-num-shares times buy-offer-price

    if ( (buy-total < current-credit) and
         (buy-total < trade-limit) ) {
        return Permit (+ 3 display obligations)
    }
    else if ( (buy-total >= current-credit) and
              (req-credit-ext-approval = "true") ) {
        Permit plus obligation to approve credit
    }
    if ( (buy-total >= trade-limit) and
         (req-trade-approval = "true") ) {
        Permit plus obligation to approve trade
    }
    if ( ( (buy-total >= current-credit) and
           (req-credit-ext-approval = "true") ) or
         ( (buy-total >= trade-limit) and
           (req-trade-approval = "true") ) ) {
        return Deny plus 3 display obligations (fulfill on deny)
    }
    else {
        return Permit plus 3 display obligations
    }

Note: there are 3 return points above all of which return display obligations. Also note that the Permit obligations are collected in the first 2 limit checks, but will be ignored if Deny is ultimately returned, but if Permit is ultimately returned then they are added to the 3 display obligations that get put in the Response.

Note: the arithmetic is still not in the Rules for calculating the thresholds. I will provide this later in the week, or others can implement it if they have the cycles available. Primary focus now is going to turn to the Policy Exchange scenarios.

-- Rich Levinson

The document revision named XACML 2.0 Interop Scenarios Version 0.10 (xacml-2.0-core-interop-draft-10-07.doc) has been submitted by Rich Levinson to the OASIS eXtensible Access Control Markup Language (XACML) TC document repository. This document is revision #1 of xacml-2.0-core-interop-draft-10-06.doc.

Document Description: This document is in progress and is intended to be used for XACML 2.0 Interop Event planned to be conducted at and during the Burton Catalyst Conference in San Francisco on Thursday, June 28, 2007.
It is expected there will be regular updates to this doc over the next 3 weeks.

View Document Details: http://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=24241

Download Document: http://www.oasis-open.org/apps/org/workgroup/xacml/download.php/24241/xacml-2.0-core-interop-draft-10-07.doc

Revision: This document is revision #1 of xacml-2.0-core-interop-draft-10-06.doc. The document details page referenced above will show the complete revision history.

-OASIS Open Administration
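
The note in the message about Permit obligations being ignored when Deny is ultimately returned, as an added example that is not part of the original message or the interop document: a Python sketch of combining already-evaluated child policy results, where only obligations whose FulfillOn matches the final decision reach the Response. The deny-overrides combining choice and the policy and obligation names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str          # the decision this obligation is tied to

@dataclass
class PolicyResult:
    policy_id: str
    decision: str
    obligations: list = field(default_factory=list)

def combine_deny_overrides(children, set_obligations=()):
    """Combine evaluated child results (Indeterminate is not modelled here)."""
    decisions = [c.decision for c in children]
    final = DENY if DENY in decisions else (
        PERMIT if PERMIT in decisions else NOT_APPLICABLE)
    kept = []
    for child in children:
        # A child's obligations survive only if the child agrees with the
        # enclosing decision and FulfillOn matches that decision.
        if child.decision == final:
            kept += [o for o in child.obligations if o.fulfill_on == final]
    kept += [o for o in set_obligations if o.fulfill_on == final]
    return final, [o.obligation_id for o in kept]

def sample(limit_decision):
    """Constructed data: two approval policies plus one limit-check policy."""
    children = [
        PolicyResult("credit-approval", PERMIT,
                     [Obligation("approve-credit", PERMIT)]),
        PolicyResult("trade-approval", PERMIT,
                     [Obligation("approve-trade", PERMIT)]),
        PolicyResult("limit-check", limit_decision),
    ]
    display = [Obligation(f"display-{i}", effect)
               for effect in (PERMIT, DENY) for i in (1, 2, 3)]
    return combine_deny_overrides(children, display)

if __name__ == "__main__":
    print(sample(DENY))    # Permit obligations dropped
    print(sample(PERMIT))  # approvals plus display obligations
```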