OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] Alternative to Michiharu's proposal.


    Posted 10-09-2002 17:14




    Subject: [xacml] Alternative to Michiharu's proposal.


    
    
    Okay, I have an alternative to Michiharu's proposal. Can all live with it?
    I don't know. But this approach doesn't have any holes, and multiple
    PEP-PDP configurations are too complex for this specification without a
    specification on how to configure such things.
    
    The one thing about Michiharu's proposal is that a PEP "MAY" grant access if
    a PDP returned "Permit". So, even if you had a one-to-one PEP to PDP
    relationship, then due to the wording the PEP can deny access at random or
    on a whim on any "Permit" response.
    
    So, let's see if this use profile works:
    
    
    7.1 Use Profile for XACML Request
    
    This section describes the use profile for using an XACML PDP in an
    application environment. This use profile covers a single PEP
    configured with a single PDP. Multiple PEP to PDP configurations are outside
    the scope of this specification.
    
    An application functions in the role of the PEP if it guards access to a
    particular resource and asks the PDP for an access decision. The PEP that
    asks the PDP for an access decision SHALL abide by the result of that
    access decision in the following way:
    
    A PEP SHALL allow access to the particular resource ONLY IF a valid XACML
    response of "Permit" is returned by the PDP. The PEP SHALL deny access to
    the particular resource in all other cases. An XACML response of "Permit"
    SHALL be considered valid ONLY IF the PEP understands all of the
    obligations that may be contained in the response.
    
    A PEP that receives a valid XACML response of "Permit" with obligations
    SHALL be responsible for fulfilling all of those obligations. A PEP that
    receives an XACML response of "Deny" with obligations SHALL be responsible
    for fulfilling all of the obligations that it understands.
    
    ----
    
    Is this workable? It also covers the case when you have Indeterminate and
    Not-Applicable at the highest level. And I think this gets what Bill has
    been after since before I can remember. :)
    
    Let's just consider the multiple PEP-PDP configurations too complex for
    now. That can be the subject of another spec.
    
    Cheers,
    -Polar
    
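    The use profile in the message above is a small enforcement algorithm, and it is
    easy to get the fail-closed cases wrong in practice. The following is an added
    example, not code from the XACML TC or from the author of the message, showing a
    PEP that applies those rules exactly: access is granted only on a "Permit" whose
    obligations are all understood, every obligation of a valid "Permit" is fulfilled
    before access is granted, a "Deny" has only its understood obligations fulfilled,
    and "Indeterminate", "NotApplicable" and a missing response all deny. The
    response model, the handler registry, the obligation ids and the sample responses
    are constructed assumptions for illustration. One rule goes beyond the profile
    text and is marked as an assumption in the code: if an obligation handler fails
    on a valid "Permit", the example denies access rather than granting it with an
    unfulfilled obligation.

```python
"""PEP enforcement of a PDP response under the single-PEP/single-PDP use profile.

Added example; not code from the XACML TC or the message above. The response
model, handler registry and sample data are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    INDETERMINATE = "Indeterminate"
    NOT_APPLICABLE = "NotApplicable"


@dataclass(frozen=True)
class Obligation:
    """An obligation returned by the PDP, keyed by its ObligationId (assumed shape)."""
    obligation_id: str
    attributes: Tuple[Tuple[str, str], ...] = ()


@dataclass(frozen=True)
class Response:
    """The part of an XACML response the PEP acts on: decision plus obligations."""
    decision: Decision
    obligations: Tuple[Obligation, ...] = ()


# An obligation handler receives the obligation and either fulfils it or raises.
Handler = Callable[[Obligation], None]


class PEP:
    """Guards one resource, asks one PDP, and applies the use profile's rules."""

    def __init__(self, handlers: Dict[str, Handler]):
        # The PEP "understands" exactly the obligation ids it has handlers for.
        self.handlers = handlers

    def understands(self, obligation: Obligation) -> bool:
        return obligation.obligation_id in self.handlers

    def enforce(self, response: Optional[Response]) -> Tuple[bool, List[str]]:
        """Return (access_granted, ids of obligations fulfilled)."""
        if response is None:
            return False, []  # fail closed: no usable response from the PDP

        fulfilled: List[str] = []
        if response.decision is Decision.PERMIT:
            # A "Permit" is valid ONLY IF every obligation is understood.
            if not all(self.understands(o) for o in response.obligations):
                return False, []
            # All obligations of a valid "Permit" are fulfilled before access.
            for o in response.obligations:
                try:
                    self.handlers[o.obligation_id](o)
                except Exception:
                    # Assumption beyond the profile text: a failed obligation
                    # denies access rather than granting with it unfulfilled.
                    return False, fulfilled
                fulfilled.append(o.obligation_id)
            return True, fulfilled

        if response.decision is Decision.DENY:
            # "Deny": fulfil only the obligations the PEP understands, then deny.
            for o in response.obligations:
                if self.understands(o):
                    try:
                        self.handlers[o.obligation_id](o)
                        fulfilled.append(o.obligation_id)
                    except Exception:
                        pass  # already denying; obligations are best effort here
            return False, fulfilled

        # "Indeterminate" or "NotApplicable": deny, nothing to fulfil.
        return False, []


# --- constructed sample data, not taken from the message ---
AUDIT_LOG: List[str] = []


def log_access(o: Obligation) -> None:
    AUDIT_LOG.append("audit:" + dict(o.attributes).get("user", "?"))


def notify_owner(o: Obligation) -> None:
    AUDIT_LOG.append("notify:" + dict(o.attributes).get("owner", "?"))


pep = PEP({"urn:example:obligation:audit": log_access,
           "urn:example:obligation:notify": notify_owner})

PERMIT_WITH_AUDIT = Response(Decision.PERMIT,
    (Obligation("urn:example:obligation:audit", (("user", "alice"),)),))
PERMIT_UNKNOWN = Response(Decision.PERMIT,
    (Obligation("urn:example:obligation:encrypt"),))  # no handler: not valid
DENY_MIXED = Response(Decision.DENY,
    (Obligation("urn:example:obligation:notify", (("owner", "bob"),)),
     Obligation("urn:example:obligation:encrypt")))
INDETERMINATE = Response(Decision.INDETERMINATE)


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the PEP over each sample response and collect the outcomes."""
    return {
        "permit_with_audit": pep.enforce(PERMIT_WITH_AUDIT),
        "permit_unknown": pep.enforce(PERMIT_UNKNOWN),
        "deny_mixed": pep.enforce(DENY_MIXED),
        "indeterminate": pep.enforce(INDETERMINATE),
        "no_response": pep.enforce(None),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

    The point worth noticing is that "permit_unknown" denies even though the PDP said
    "Permit": an obligation the PEP cannot discharge makes the whole response invalid,
    which is what closes the gap the message attributes to the "MAY grant" wording.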
    

