Subject: Re: [xacml] Managing with XACML
it seems to me that the state issue only applies to asynchronous decision parameters (something that has caused much discussion with obligations! ;o). i am not suggesting that this be discounted but that i believe there is value in synchronous decision conditions. for example a request to read a resource of www.foo.com with a decision of permit and the condition that access 10.1.1.1 be allowed (vs. an obligation of 'email admin') has a number of applications.

FWIW: i think that philosophically we actually have started to address this issue with our handling of hierarchical resources: 'can i access foo.xml? yes, node1, node3, node5...)'

b

Anne Anderson wrote:
> Tim,
>
> I read over your paper, and find it interesting - it is pretty
> much what I have described to people as a "hack" if they want to
> do this type of thing with XACML.
>
> A component your paper does not describe is "state": ECA policies
> often seem to use "state". Part of the solution is simple: the
> Management Profile or Extension could require that the PDP return
> an Attribute containing the new state among the Obligations, and
> could require that the PEP pass in the most recently returned
> state Attribute with the next request. One issue, however, is
> that, since Rules in multiple policies may be triggered, more
> than one "state" Attribute might be returned: how could this be
> managed theoretically and practically? Another issue with state
> is what the state is associated with: is it a session that is
> maintained by the PEP, or is it an overall state maintained by
> the PDP?
>
> While I think this would be useful work, I doubt I would have
> much time to devote to it. If my role was merely to comment on a
> specification developed by someone else, I would be happy to do
> that. There may be other people at Sun who would be interested
> in this, however, so I will ask around.
>
> I want to have someone here who deals more with ECA policies to
> look it over and comment on other issues that might need to be
> considered.
>
> Anne