OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Issues Relating to Obligations

Hi Mohammed

I would say that if the policy is permit overrides, then a permit with no obligations (e.g. from Alice) should not require the obligations of a second permit (e.g. from Bob) to be executed. So this would not produce the result you want.

On the other hand if the policy is deny overrides, then Bob can decide to either forbid all access, or grant access with his obligation. In the latter case his obligation will be executed if Alice grants access with no obligations.

So Erik would appear to be correct



On 08/03/2013 03:28, Mohammad Jafari wrote:
 > 3. Another issue I am trying to remember is the question that current
combining methods allow applicable policies and rules to be skipped if
the value of the Effect can be determined without them. This means that
some Obligations in applicable policies may not be discovered. This was
debated extensively in the old days. (I am and was firmly in the
optimized evaluation camp.) My recollection of the final resolution was
that thru the proper choice of combining methods, it is possible to
force all policies to be evaluated. Does anyone know if this is true?
Bill or anybody else do you remember this debate and its outcome?

Yes, you can use combining algorithms to do this. If you have a policies
with obligations for a permit decision for instance, you can use a
deny-overrides algorithm to collect them all, since this will continue
processing all policies even if it finds a permit decision. Conversely
you can collect deny obligations with a permit-overrides.

I know that this might work but I don’t think it’s a good idea.

First, what if one wants to have a /permit-overrides/ behavior for
authorization decisions but collect all applicable obligations? The
obligation- and authorization-combining behavior should be expressible
separately and independent of each other.

An example use-case: consider a record containing psychology notes
resulting from a couple counseling for Alice and Bob with doctor
Charlie. Now suppose that Alice and Bob eventually break up and Alice
wants to continue counseling with a second doctor Doris.

The overall policy is that the consent of either of the clients involved
in the counseling is enough to grant access to the notes to a second
psychologist (permit-overrides). On the other hand, Bob’s consent
includes an obligation to redact his personally identifiable information
(name and address) from the notes for any doctor other than his own
psychologist. So, we need a permit-override behavior and yet we need to
combine all the obligations.

Also, I think using the combing algorithms like that is essentially
“tricking” the PDP to process the obligations in a certain way based on
the side-effects of an authorization combining algorithm on obligations.
I think it is not desirable to rely on a implications like that and it
is better for the policy readability to rely on explicit parameters that
tell the PDP how to process obligations and authorization decisions from
the underlying elements.



Best regards,


 > Hal


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]