Subject: Re: [xacml] Obligations in Rules?
Yes I think it is a good idea

David

Erik Rissanen wrote:
> All,
>
> Do we want obligations in rules? I think we should and if the general
> opinion is that this is a good idea, could you let me know and I could
> post a working draft with this change so review is quicker?
>
> In short this change means that the Rule schema would be changed to this:
>
> <xs:element name="Rule" type="xacml:RuleType"/>
> <xs:complexType name="RuleType">
>   <xs:sequence>
>     <xs:element ref="xacml:Description" minOccurs="0"/>
>     <xs:element ref="xacml:Target" minOccurs="0"/>
>     <xs:element ref="xacml:Condition" minOccurs="0"/>
>     <xs:element ref="xacml:ObligationExpressions" minOccurs="0"/>
>   </xs:sequence>
>   <xs:attribute name="RuleId" type="xs:string" use="required"/>
>   <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
> </xs:complexType>
>
> Note the new line "ObligationExpressions". (It's obligation expressions,
> not obligations only because of the dynamic obligations change we made
> last time.)
>
> The semantics are the same as for obligations in policies, that is, if
> the rule evaluates to a decision with a matching FullfilOn the
> obligations are included in the result of that Rule.
>
> Note that since a rule has a fixed Effect, either Permit or Deny, it
> doesn't make sense to specify an obligation with the other decision in
> the FullfilOn, but I don't think we should define a different schema
> construct just for the obligation in the rule.
>
> The benefit of all this is that if someone has a condition at the rule
> level which he would like to associate with an obligation, then it would
> not be necessary to wrap the rule inside a policy just to contain the
> obligation.
>
> Best regards,
> Erik
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>

--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
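
Added example, not part of the thread and not code from the XACML TC: a Python sketch of the rule-level semantics proposed in the quoted message, returning only the obligations whose FulfillOn matches the rule's fixed Effect and listing the ones that can never fire. The sample rule, its identifiers and the `applies` flag standing in for Target/Condition evaluation are constructed assumptions; the attribute is spelled `FulfillOn` as in the XACML schema (the message writes "FullfilOn").

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Deny rule carrying two obligation expressions, one of
# which names the opposite decision and therefore can never be returned.
SAMPLE_RULE = """
<Rule RuleId="deny-after-hours" Effect="Deny">
  <Description>Constructed example rule</Description>
  <ObligationExpressions>
    <ObligationExpression ObligationId="log-denial" FulfillOn="Deny"/>
    <ObligationExpression ObligationId="notify-owner" FulfillOn="Permit"/>
  </ObligationExpressions>
</Rule>
"""

def local(tag):
    """Strip any '{namespace}' prefix so the code works with or without one."""
    return tag.rsplit("}", 1)[-1]

def parse_rule(xml_text):
    """Return (rule_id, effect, [(obligation_id, fulfill_on), ...])."""
    rule = ET.fromstring(xml_text)
    if local(rule.tag) != "Rule":
        raise ValueError("expected a Rule element")
    effect = rule.get("Effect")
    if effect not in ("Permit", "Deny"):
        raise ValueError("Effect must be Permit or Deny")
    obligations = [(e.get("ObligationId"), e.get("FulfillOn"))
                   for e in rule.iter() if local(e.tag) == "ObligationExpression"]
    return rule.get("RuleId"), effect, obligations

def evaluate_rule(xml_text, applies):
    """Decision of the rule plus the obligations whose FulfillOn matches it.

    `applies` stands in for Target/Condition evaluation (hypothetical
    simplification): True means the rule matched and yields its Effect.
    """
    _, effect, obligations = parse_rule(xml_text)
    if not applies:
        return "NotApplicable", []
    return effect, [oid for oid, on in obligations if on == effect]

def dead_obligations(xml_text):
    """Obligations that can never fire because FulfillOn != the fixed Effect."""
    _, effect, obligations = parse_rule(xml_text)
    return [oid for oid, on in obligations if on != effect]
```

Running `dead_obligations` over a policy set is a cheap review check: an obligation such as an audit-log requirement attached with the wrong FulfillOn is silently never enforced.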