OASIS eXtensible Access Control Markup Language (XACML) TC

Proposal for dynamic obligation parameters

  • 1.  Proposal for dynamic obligation parameters

    Posted 11-23-2008 14:50
    All,
    
    Several XACML users (David Chadwick and John Tolbert) have presented use 
    cases which could be solved if obligations could contain an expression 
    which is evaluated by the PDP, rather than only a static attribute 
    value. I have thought about this in the past as well, but I don't 
    remember the specific use cases.
    
    And, ironically, the XACML examples in the 2.0 and current 3.0 draft 
    specs try to implement this through a kludge where the obligation 
    contains a static string which contains an XACML expression in XML form, 
    which the PEP is supposed to evaluate. This approach is not a good one 
    because it means the PEP must then contain an XACML implementation and 
    also the PEP might not have the same context handler available as the 
    PDP, so it won't have the same capability as the PDP. (This is crucial 
    for David Chadwick.)
    
    I know that we have agreed on a feature freeze for 3.0, but I suggest 
    that we consider this one change before we go to CD.
    
    The change is as follows:
    
    Currently the 3.0 draft schema says this: