OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml] Multiple obligations


> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Tuesday, June 07, 2011 3:59 PM
> To: xacml@lists.oasis-open.org
> Subject: Re: [xacml] Multiple obligations
> All,
> I don't think combining decisions and combining obligations are
> orthogonal.
> Consider the case of the following (agreed, contrived) policy
> structure:
> PS1 ordered-permit-overrides
>    Target:
>      printing-enabled-for-user = true
>      resource-id = printing
>    P2 ordered-deny-overrides
>      R3 permit printing with obligation "invoice-printing-cost"
>      R4 deny printing if authentication-level = basic
>    P5 ordered-deny-overrides
>      R6 permit printing if staff-member = true with obligation
> "log-printing"
> Assume following request:
> Subject:
>    subject-id = alice
>    staff-member = true
>    authentication-level = basic
>    printing-enabled-for-user = true
> Resource:
>    resource-id = printing
> R3 and R4 and R6 will all apply. R3 because the basic rule is that
> anybody with printing enabled on their account can print (given that
> they are invoiced). Except that R4 denies a user who is using only
> basic
> authentication. And R6 allows staff members to print regardless of
> level
> of authentication (and for free, but we want to log the access).
> Clearly we would like to correlate obligation combining with the
> combining of the decision, so that we don't invoice the staff member,
> although one of the leaf rules matched. However the decision from that
> R3 was later overridden by another rule R4, so the _reason_ why the
> access was permitted was different than the conditions in R3, so we
> should not apply the obligations from R3, since they are relevant only
> to the situation which R3 was about.

This makes perfect sense to me.

I would phrase it as follows. Combining algorithms aren't actually *combining* decisions, as there is no way to simultaneously Permit and Deny a request. One can only chose between them. So the combining algorithms are actually really doing *conflict resolution*. From that perspective, their job is to select one Rule from the potentially multiple Rules that are applicable to the request. And then it would make sense to return the Obligations associated with that one selected Rule only.

I'm wondering, therefore, why the spec mentions "evaluating" rules as a criterion for returning obligations? What was the rationale behind that wording?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]