[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] The new advice "obligation"
Erik Rissanen wrote: > All, > > During the call yesterday we decided to introduce a new "type of > obligation", perhaps called <Advice>. > > I have two things to say. > > 1. Here is a syntax which we could consider: > > <Advice AdviceId="urn:...." AppliesTo="Permit"> > <AttributeAssignment>.....</> > </Advice> > > Any other ideas for naming it? > Erik, provide some context to the naming, please. :) > 2. Should it be possible to have this apply to NotApplicable as well, > not just Permit/Deny? > > I am asking since a customer of mine wanted to use obligations on > NotApplicable to return a reason for why access was not allowed. > > I haven't thought it through properly yet, but it seems like a good > idea. Typically I would expect policies to list stuff that is allowed, > with perhaps some exceptions which deny. In general it's a good > principle for security design to "enumerate goodness", rather than to > try to list everything which is bad/dangerous. If one does so, if a > policy does not match, it would be NotApplicable, not Deny, so it > would not be possible to return advice about what did not match. If we > don't allow advice on NotApplicable, then policy writers need to > refactor their policies to return Deny instead of NotApplicable when > they do not match. > > Refactoring like that gives a fundamentally different "architecture" > for the policies. Now we will have policies which say "Deny" on things > they do not apply to, and policies which apply say "Permit". This > forces the user to use a permit-overrides algorithm, which further > limits how policies can be structured. Essentially the policy writer > is forced to work with Permit/Deny only, and NotApplicable is not > something he can use in his policies. Essentially, you are sending a debug info back via the obligation? You missed these attributes in your request for your receipt of NA. -- -------------------------------------- Anil Saldhana Leader, JBoss Security & Identity Management Red Hat Inc URL: http://jboss.org/jbosssecurity BLOG: http://anil-identity.blogspot.com ---------------------------------------
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]