OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Issues Relating to Obligations

Hi Mohammed

I am arguing for the position that if the policy rules are stated by alternative people, and one person says permit, no obligations, and the combining rule is permit overrides, then this on its own should be sufficient to gain access. It does not matter what results other rules return. If however, you want all obligations to be taken into account then you need a different combining rule such as "permit overrides but all obligations have to be effected"



On 08/03/2013 16:39, Mohammad Jafari wrote:
Hi David,

 > I would say that if the policy is permit overrides, then a permit
with no obligations (e.g. from Alice) should not require the obligations
of a second permit (e.g. from Bob) to be

 > executed. So this would not produce the result you want.

Why? “Permit-overrides” only specifies how the authorization decisions
of the underlying rules/policies are to be combined. The
obligation-combination behavior should be orthogonally configurable.

Moreover, “permit-overrides” does not specify **which** one of the
permitting rules/policies override, so, when two underlying elements
permit, how do you specify which obligation to return? For example, in a
permit-override policy, Alice’s Rule and Bob’s Rule both decide to
permit, each with different obligations, which one’s obligations must be
returned? Note that if the answer is to rely on the order of appearance
in the XML code, that just makes things more complicated (I explained

I understand how the PDP currently works, but I am trying to show it is
not enough for handling obligations. I also understand that there might
be workarounds to create the expected behavior in this or that example,
but I believe this is a general issue. My suggestion is:

-As a short-term solution, we define a profile of obligation-sensitive
combining algorithms to support this.

-As a long-term solution (maybe in the vision for XACML-4.0), we
consider supporting two separate combing functions for obligation and
authorization decisions at the PolicySet and Policy level.



 > On the other hand if the policy is deny overrides, then Bob can
decide to either forbid all access, or grant access with his obligation.
In the latter case his obligation will be executed if Alice grants
access with no obligations.


 >So Erik would appear to be correct





On 08/03/2013 03:28, Mohammad Jafari wrote:

 >  > 3. Another issue I am trying to remember is the question that

 > current combining methods allow applicable policies and rules to be

 > skipped if the value of the Effect can be determined without them.

 > This means that some Obligations in applicable policies may not be

 > discovered. This was debated extensively in the old days. (I am and

 > was firmly in the optimized evaluation camp.) My recollection of the

 > final resolution was that thru the proper choice of combining methods,

 > it is possible to force all policies to be evaluated. Does anyone
know if this is true?

 > Bill or anybody else do you remember this debate and its outcome?


 > Yes, you can use combining algorithms to do this. If you have a

 > policies with obligations for a permit decision for instance, you can

 > use a deny-overrides algorithm to collect them all, since this will

 > continue processing all policies even if it finds a permit decision.

 > Conversely you can collect deny obligations with a permit-overrides.


 > I know that this might work but I don’t think it’s a good idea.


 > First, what if one wants to have a /permit-overrides/ behavior for

 > authorization decisions but collect all applicable obligations? The

 > obligation- and authorization-combining behavior should be expressible

 > separately and independent of each other.


 > An example use-case: consider a record containing psychology notes

 > resulting from a couple counseling for Alice and Bob with doctor

 > Charlie. Now suppose that Alice and Bob eventually break up and Alice

 > wants to continue counseling with a second doctor Doris.


 > The overall policy is that the consent of either of the clients

 > involved in the counseling is enough to grant access to the notes to a

 > second psychologist (permit-overrides). On the other hand, Bob’s

 > consent includes an obligation to redact his personally identifiable

 > information (name and address) from the notes for any doctor other

 > than his own psychologist. So, we need a permit-override behavior and

 > yet we need to combine all the obligations.


 > Also, I think using the combing algorithms like that is essentially

 > “tricking” the PDP to process the obligations in a certain way based

 > on the side-effects of an authorization combining algorithm on

 > I think it is not desirable to rely on a implications like that and it

 > is better for the policy readability to rely on explicit parameters

 > that tell the PDP how to process obligations and authorization

 > decisions from the underlying elements.


 > Regards,


 > Mohammad


 > Best regards,


 > Erik


 >  > Hal


 >  >


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]