
Subject: Re: [xacml] Obligations in Rules?

Yes, I think it is a good idea.


Erik Rissanen wrote:
> All,
> Do we want obligations in rules? I think we should and if the general 
> opinion is that this is a good idea, could you let me know and I could 
> post a working draft with this change so review is quicker?
> In short this change means that the Rule schema would be changed to this:
>    <xs:element name="Rule" type="xacml:RuleType"/>
>    <xs:complexType name="RuleType">
>        <xs:sequence>
>            <xs:element ref="xacml:Description" minOccurs="0"/>
>            <xs:element ref="xacml:Target" minOccurs="0"/>
>            <xs:element ref="xacml:Condition" minOccurs="0"/>
>            <xs:element ref="xacml:ObligationExpressions" minOccurs="0"/>
>        </xs:sequence>
>        <xs:attribute name="RuleId" type="xs:string" use="required"/>
>        <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
>    </xs:complexType>
> Note the new line "ObligationExpressions". (It's obligation expressions, 
> not obligations only because of the dynamic obligations change we made 
> last time.)
> The semantics are the same as for obligations in policies, that is, if 
> the rule evaluates to a decision with a matching FulfillOn the 
> obligations are included in the result of that Rule.
> Note that since a rule has a fixed Effect, either Permit or Deny, it 
> doesn't make sense to specify an obligation with the other decision in 
> the FulfillOn, but I don't think we should define a different schema 
> construct just for the obligation in the rule.
> The benefit of all this is that if someone has a condition at the rule 
> level which he would like to associate with an obligation, then it would 
> not be necessary to wrap the rule inside a policy just to contain the 
> obligation.
> Best regards,
> Erik


David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
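
Added example, not part of the original message or the TC's draft: a sketch of the rule-level obligation semantics described in the quoted proposal, plus a check for obligations whose FulfillOn names the decision that a rule's fixed Effect can never produce. The namespace URI, the ObligationExpression child element with its ObligationId and FulfillOn attributes, the sample rule and the function names are assumptions of this sketch; Target and Condition evaluation are reduced to booleans and Indeterminate is not modelled.

```python
import xml.etree.ElementTree as ET

# Placeholder namespace for this sketch, not the TC's schema URI.
NS = {"x": "urn:example:xacml-draft"}

# Constructed sample rule: Effect is fixed to Deny; one obligation matches
# that Effect and one names the other decision.
SAMPLE_RULE = """
<Rule xmlns="urn:example:xacml-draft" RuleId="rule:deny-after-hours" Effect="Deny">
  <ObligationExpressions>
    <ObligationExpression ObligationId="ob:log-denial" FulfillOn="Deny"/>
    <ObligationExpression ObligationId="ob:send-receipt" FulfillOn="Permit"/>
  </ObligationExpressions>
</Rule>
"""

def load_rule(xml_text):
    """Parse one Rule element from a string."""
    return ET.fromstring(xml_text)

def obligations(rule):
    """All obligation expressions attached directly to the rule."""
    return rule.findall("x:ObligationExpressions/x:ObligationExpression", NS)

def evaluate_rule(rule, target_matches, condition_holds):
    """Return (decision, obligation ids) for a single rule.

    The caller supplies the outcome of Target and Condition evaluation.
    """
    if not (target_matches and condition_holds):
        # The rule does not apply, so none of its obligations are returned.
        return "NotApplicable", []
    decision = rule.get("Effect")
    fired = [o.get("ObligationId") for o in obligations(rule)
             if o.get("FulfillOn") == decision]
    return decision, fired

def dead_obligations(rule):
    """Obligations whose FulfillOn can never equal the rule's fixed Effect."""
    effect = rule.get("Effect")
    return [o.get("ObligationId") for o in obligations(rule)
            if o.get("FulfillOn") != effect]

if __name__ == "__main__":
    rule = load_rule(SAMPLE_RULE)
    print(evaluate_rule(rule, True, True))
    print(evaluate_rule(rule, True, False))
    print(dead_obligations(rule))
```

A policy linter can run `dead_obligations` over every rule to catch an obligation (for example an audit-logging one) that the author expected to fire but that the schema silently permits with the wrong FulfillOn.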

