Subject: Re: [xacml] Re: [EXTERNAL] [xacml] Default behavior for unrecognized resource attributes?
Martin,

Regarding point 3, what I mean is that the PDP does not know that the DoD attribute is more important than the override. An unrecognized attribute may or may not supersede the decisions of a policy which was not authored with the attribute in mind.

Let's say that there are two attributes which are not used by the PDP for making a decision: "DoD" and "Family relation". For the sake of example, let us say that regulations state that in case of emergency a doctor may not see DoD records, but may access data about family members. If emergency override happens, and neither attribute is used in the making of a decision, then the PDP really cannot tell whether this is because the attribute is not relevant in this situation, or that the policies are wrong. In this case the policies would be wrong about the DoD attribute, but it would be correct to not use the Family relation attribute.

The current XACML spec simply assumes that you are operating with the correct policies. What you are looking for is some extra information to detect some cases where a mistake has been made in the deployment and the policies are not correct. You do need extra information because the fact that an attribute is not used is not an error in general, though it might be an error in some cases.

Best regards,
Erik

On 2016-01-04 20:26, Martin Smith wrote: