xacml message
Subject: Additional authorization data?


Preface:  I recently joined the XACML TC, and have been quietly
attending the teleconferences for a couple of months.  I've reviewed the
XACML 2.0 and 3.0 core specifications, the supplementary documents, the
current Wikis, and issues list.  I have a use case for the group to
consider.  

Use case:  We have applications acting as PEPs that need authorization
data from the PDP beyond a simple "permit" or "deny".  For example, the
PEPs may need to know why a deny decision was made.  In certain deny
decisions, attributes may not be missing; it may be that the request
doesn't meet certain criteria that the PEP should know about.
Conversely, applications may need supplemental authorization data for
permit decisions, sometimes defined as authorization codes.  The PEPs
need to be able to record the data for auditing purposes.  Furthermore,
in a federated model, one organization may provide PDP services for
another organization's PEPs.  In this case, the organization hosting the
PEPs would need to be able to log extended authorization data for its
own auditability purposes.

Would it be possible to create the following optional addition to the
<Result> set:  <AuthorizationCode>?  Other than taking a string value,
this element could be left intentionally unspecified, so that it could
be extended and used for lots of other applications.  I considered the
<Status Message> element, but since it can't be used to return data for
"OK" status decisions, that wouldn't meet our business need.  I also
considered the <Obligations> element, but sensed that the purpose of an
<Obligation> was to perform an action, rather than to simply pass data. 

Thoughts?

Thanks,
John Tolbert
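As an added illustration (not part of the original message, and not XACML TC code) of how a PEP could log the kind of extended authorization data discussed above, the following parser walks the XACML 3.0 <Result> elements of a constructed response and collects the decision, the status code, and any AttributeAssignment values carried in <Obligations> or, in XACML 3.0, <AssociatedAdvice>. The ObligationId, AdviceId and AttributeId URNs in the sample are hypothetical placeholders, not identifiers defined by any specification.

```python
import xml.etree.ElementTree as ET

# XACML 3.0 core namespace; the sample response below uses it as its default namespace.
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}

# Constructed sample response (not from any real PDP): a Permit that carries an
# authorization code in an Obligation, and a Deny that carries a reason in Advice.
# The urn:example:* identifiers are hypothetical placeholders.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <Obligations>
      <Obligation ObligationId="urn:example:obligation:record-authorization-code">
        <AttributeAssignment AttributeId="urn:example:attribute:authorization-code"
            DataType="http://www.w3.org/2001/XMLSchema#string">AC-4711</AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
  <Result>
    <Decision>Deny</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <AssociatedAdvice>
      <Advice AdviceId="urn:example:advice:deny-reason">
        <AttributeAssignment AttributeId="urn:example:attribute:deny-reason"
            DataType="http://www.w3.org/2001/XMLSchema#string">criteria-not-met</AttributeAssignment>
      </Advice>
    </AssociatedAdvice>
  </Result>
</Response>"""


def extract_audit_records(response_xml):
    """Return one audit dict per <Result>: decision, status code value, and a
    mapping of AttributeId -> value for every AttributeAssignment found under
    Obligations or AssociatedAdvice (both use the same AttributeAssignment shape)."""
    root = ET.fromstring(response_xml)
    records = []
    for result in root.findall("x:Result", NS):
        decision = result.findtext("x:Decision", default="", namespaces=NS)
        code_el = result.find("x:Status/x:StatusCode", NS)
        status = code_el.get("Value") if code_el is not None else ""
        data = {}
        for container, item in (("x:Obligations", "x:Obligation"),
                                ("x:AssociatedAdvice", "x:Advice")):
            for entry in result.findall(f"{container}/{item}", NS):
                for assign in entry.findall("x:AttributeAssignment", NS):
                    data[assign.get("AttributeId")] = (assign.text or "").strip()
        records.append({"decision": decision, "status": status, "data": data})
    return records
```

A PEP would write each returned record to its own audit log, which is what makes the data available to the organization hosting the PEPs even when the PDP belongs to another organization.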

