OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only
  • 1.  Re: [xacml] Obligations

    Posted 02-25-2002 10:32
    you make a good point, however, i for one am not suggesting that the PEP 
    *perform* all obligations to effect a grant. what i have proposed is 
    that the PEP must *understand* the obligations to do so. to use your 
    example this means that the PEP must know what "delete record after 60 
    days" means to allow access. to my mind, a lack of understanding on teh 
    part of the PEP is clearly an ERROR condition, and that will most 
    certainly result in a deny.
    
    b
    
    
    Polar Humenn wrote:
    > I don't like the proposal that if the PEP cannot perform all intended
    > obligations on a Permit that the access decision should be "Deny".
    > 
    > It really begs the question of the PDP knowing what the PEP can or cannot
    > fulfill in its policy evaluation, because it implies that if the
    > obligation cannot be fulfilled by the PEP, that according to the proposal,
    > it is actually really a Deny.
    > 
    > Even leaving the PDP out of it, the PEP may not know if it could fulfill
    > any operations until the PEP actually tries it. In simplist scenario, the
    > obligation may not even terminate, or may be something like "delete record
    > after 60 days" as has been pointed out.
    > 
    > I think there may solution for that problem which is illustrated in a
    > paper by Nafty Minsky. It's quite old, 1985, but might be to the point.
    > The citation is below. I'll put the approach in our context:
    > 
    > Since the PDP is asked by the PEP for a specific access request, we might
    > want the PEP (or some other entity under control of the PEP) to keep track
    > of enacted obligations and make sure that they are fulfiled.
    > 
    > Obligations have the form of a triple of (deed,deadline,saction) where the
    > semantics are to the PEP: The obligation says that the deed must be
    > fullfilled by the deadline, or else the sanction will be executed (i.e.
    > rectifying the situation). No, the sanction cannot be "deny".
    > 
    > You have to take the following philosophy:
    > 
    > Access has been granted with certain obligations and if obligations are
    > not fullfiled (by the deadline), then something is done to rectify the
    > situation, i.e. possibly: for being granted access some punishment is upon
    > you for not fullfilling the obligations.
    > 
    > This approach allows the PDP to tell the PEP what to do in the event that
    > the PEP cannot enforce the obligations to be met, within some time frame,
    > instead trying to figure out whether obligations like (delete record in 60
    > days) can be fullfiled.
    > 
    > The Citation. It is avalable off of the ACM Portal.
    > 
    > Proceedings of the 8th international conference on Software engineering
    > 1985 , London, England
    > 
    >   Ensuring integrity by adding obligations to privileges
    > 
    >   Authors
    >     Naftaly H. Minsky
    >     Abe D. Lockman
    > 
    >   Sponsors
    >     IEEE-CS : Computer Society
    >     SIGSOFT : ACM Special Interest Group on Software Engineering
    > 
    >   Publisher
    >    IEEE Computer Society Press   Los Alamitos, CA, USA
    > 
    >     Pages: 92 - 102  Proceeding-Article
    >     Year of Publication: 1985
    >     ISBN:0-8186-0620-7
    > 
    > 
    > Cheers,
    > -Polar
    > 
    > 
    > 
    > 
    > 
    > ----------------------------------------------------------------
    > To subscribe or unsubscribe from this elist use the subscription
    > manager: <http://lists.oasis-open.org/ob/adm.pl>
    >