Subject: Re: [xacml] Issues Relating to Obligations
Hi Hal, See inline. On 2013-03-07 13:01, Hal Lockhart wrote:
I (finally) got around to privately providing some comments to Mohammad on the Obligation Profile for Healthcare. I hope that other members of the TC will find the time to take a close look at the next draft when he is able to publish it. It has raised in my mind some questions which I would like to get the TC's opinion on. If time permits, I would like to introduce these questions on the call today, at least to get people started in thinking about them.

1. Obviously Mohammad and Mike want to complete a Profile which is specific to healthcare, but I am reluctant to support an approach which might not be suitable for use with other Obligation Profiles. I would like to get this mostly right the first time and not have to redo it shortly after it is finished. Besides the Obligations family effort, I have seen work by another organization which also bears on the issue. Unfortunately I believe what I have from them is under non-disclosure (just a lawyer thing), but I will try to get at least some requirements which I will share with the TC. The biggest difference I believe between the families work and the current profile is that Families envision one set of declarations of the properties of families and a different set of declarations of individual Obligations, including what family they belong to.
What's your question exactly?
2. Can we define a complete or at least a useful subset of Obligation handling which can be handled entirely outside of the PDP? I seem to remember Bill telling me no, but I am not sure. Changing PDP functionality at this stage seems more difficult. Further, I have already heard some different proposals for changes which could occur if we were to change PDP functionality, so this approach needs to be considered carefully.
When you say obligation "handling", do you mean enforcement of obligations? That has to happen outside the PDP. If you are talking about combining and resolving conflicts among obligations, then that's a complex issue which I don't have an answer to. The obligation families profile went a bit in this direction.
In practice I would expect a deployment to be consistent through manual review/engineering work. I don't know of any general solution because obligations can literally be about anything.
3. Another issue I am trying to remember is the question that current combining methods allow applicable policies and rules to be skipped if the value of the Effect can be determined without them. This means that some Obligations in applicable policies may not be discovered. This was debated extensively in the old days. (I am and was firmly in the optimized evaluation camp.) My recollection of the final resolution was that through the proper choice of combining methods, it is possible to force all policies to be evaluated. Does anyone know if this is true? Bill or anybody else, do you remember this debate and its outcome?
Yes, you can use combining algorithms to do this. If you have policies with obligations for a permit decision, for instance, you can use a deny-overrides algorithm to collect them all, since this will continue processing all policies even if it finds a permit decision. Conversely, you can collect deny obligations with a permit-overrides.
Best regards, Erik
Hal
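Erik's point about choosing a combining algorithm so that no obligation is skipped, as an added simulation that is not part of this thread or of any XACML implementation. It assumes an optimizing PDP that stops evaluating as soon as the combined decision is fixed (the behaviour Hal describes), and the policy results and obligation names are constructed.

```python
# Added example (not from the thread): simulate how XACML 3.0 policy-combining
# algorithms determine which obligations reach the PEP. Assumes an optimizing PDP
# that skips the remaining policies once the combined decision is determined.
from dataclasses import dataclass, field

@dataclass
class Result:
    decision: str                       # "Permit", "Deny" or "NotApplicable"
    obligations: list = field(default_factory=list)

ALGORITHMS = ("deny-overrides", "permit-overrides", "first-applicable")

def combine(results, algorithm):
    """Combine per-policy results and return (decision, obligations).
    Per XACML 3.0, only obligations attached to policies whose decision equals
    the final decision are returned; all others are discarded."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported combining algorithm: {algorithm}")
    collected = {"Permit": [], "Deny": []}
    seen = {"Permit": False, "Deny": False}
    overriding = {"deny-overrides": "Deny", "permit-overrides": "Permit"}.get(algorithm)
    for r in results:
        if r.decision not in collected:
            continue                    # NotApplicable contributes no obligations
        seen[r.decision] = True
        collected[r.decision].extend(r.obligations)
        if algorithm == "first-applicable" or r.decision == overriding:
            break                       # decision now fixed: later policies are never evaluated
    if overriding and seen[overriding]:
        decision = overriding
    elif seen["Permit"]:
        decision = "Permit"
    elif seen["Deny"]:
        decision = "Deny"
    else:
        return "NotApplicable", []
    return decision, collected[decision]

# Constructed sample policies for a single request (obligation names are invented).
PERMIT_POLICIES = [Result("Permit", ["log-access"]), Result("NotApplicable"),
                   Result("Permit", ["notify-patient"])]
MIXED_POLICIES = [Result("Permit", ["log-access"]), Result("Deny", ["alert-privacy-officer"])]

def demo():
    """Combined result of each algorithm over the all-permit sample."""
    return {alg: combine(PERMIT_POLICIES, alg) for alg in ALGORITHMS}

if __name__ == "__main__":
    for alg, (decision, obligations) in demo().items():
        print(f"{alg:17s} -> {decision}, obligations collected: {obligations}")
```

Only deny-overrides returns both permit obligations; permit-overrides and first-applicable stop at the first Permit and never see `notify-patient`.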