[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Making progress?
Hi Rich. > Unfortunately I missed the meeting this morning, however, Hal filled me in > on some details. In particular, Hal mentioned that in the Boeing > presentation that there was indicated a requirement for having Obligations > available at the Rule level, while they are currently available only at the > Policy level. To provide some context, the actual requirement was slightly different. The use-case here is being able to communicate back to a PEP why a decision (typically a Deny) was made. This is something I've heard many others ask for as well, so personally I think it's a good thing to support. The discussion turned to Obligations because this is the only mechanism we currently have to support the use-case. That is, a policy can include an Obligation that (statically) describes why a given Policy resulted in Permit or Deny. I think this is hard to work with for several reasons. The main reason we discussed is that Obligations cannot be included on Rules (or even lower), though personally I think the name "Obligation" implies something specific about what's returned that isn't really what we're trying to address here. It's also harder to work with something that can't be dynamic in its use of the Context (though Erik has suggested ways to address this). I hope that helps in terms of why we were discussing this issue.. seth