RE: [xacml] RE: Context Handler

[<remon.sinnema@emc.com>]

Erik,


> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Monday, December 19, 2011 2:59 PM
> To: Sinnema, Remon
> Cc: xacml@lists.oasis-open.org
> Subject: Re: [xacml] RE: Context Handler
> 
> Hi Ray,
> 
> I did not understand that. As far as I can see, when the PDP needs the
> "type" attribute, it can ask a PIP to provide it. The PIP has all
> attributes of the request available as key values. How is this
> different
> from  a REP? The available information seems to be the same in either
> case. What did I not get?

In Paul's example, the ontology is such that SpecialDocument is a type of Document, so any rule matching on type=Document should also match on type=SpecialDocument.

Now assume there is a single rule that matches on type=Document, and that the PEP supplies type=SpecialDocument.

The PDP will then see the type attribute with value SpecialDocument, and will conclude it isn't applicable. Since the request contains the type attribute, there is nothing that will make the PDP ask the PIP for more information.

A REP, however, operates *before* the request is sent to the PDP and therefore doesn't suffer from the same problem. It can inspect the ontology, add type=Document based on the supplied type=SpecialDocument, and the PDP will happily match the rule.

Does that make sense?


Thanks,
Ray