OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml] RE: Context Handler


Hi Ray,

Ok, I understand, but I would say that this is a flaw in the implementation in this case. Just because the PEP provides one value for an attribute does not mean that a PIP should not be able to augment it with more values. There are many attributes which may have some values provided by a PEP and others by a PIP. For instance, a user may login with a token which has a user group, but a PIP could provide more groups from an external directory.

Best regards,
Erik


On 2011-12-19 15:24, remon.sinnema@emc.com wrote:
Erik,


-----Original Message-----
From: Erik Rissanen [mailto:erik@axiomatics.com]
Sent: Monday, December 19, 2011 2:59 PM
To: Sinnema, Remon
Cc: xacml@lists.oasis-open.org
Subject: Re: [xacml] RE: Context Handler

Hi Ray,

I did not understand that. As far as I can see, when the PDP needs the
"type" attribute, it can ask a PIP to provide it. The PIP has all
attributes of the request available as key values. How is this
different
from  a REP? The available information seems to be the same in either
case. What did I not get?
In Paul's example, the ontology is such that SpecialDocument is a type of Document, so any rule matching on type=Document should also match on type=SpecialDocument.

Now assume there is a single rule that matches on type=Document, and that the PEP supplies type=SpecialDocument.

The PDP will then see the type attribute with value SpecialDocument, and will conclude it isn't applicable. Since the request contains the type attribute, there is nothing that will make the PDP ask the PIP for more information.

A REP, however, operates *before* the request is sent to the PDP and therefore doesn't suffer from the same problem. It can inspect the ontology, add type=Document based on the supplied type=SpecialDocument, and the PDP will happily match the rule.

Does that make sense?


Thanks,
Ray




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]