On Dec 18, 2008, at 11:56 PM, Erik Rissanen wrote:
> 2. Should it be possible to have this apply to NotApplicable as
> well, not just Permit/Deny?
>
> I am asking since a customer of mine wanted to use obligations on
> NotApplicable to return a reason for why access was not allowed.
>
> I haven't thought it through properly yet, but it seems like a good
> idea. Typically I would expect policies to list stuff that is
> allowed, with perhaps some exceptions which deny. In general it's a
> good principle for security design to "enumerate goodness", rather
> than to try to list everything which is bad/dangerous. If one does
> so, if a policy does not match, it would be NotApplicable, not
> Deny, so it would not be possible to return advice about what did
> not match. If we don't allow advice on NotApplicable, then policy
> writers need to refactor their policies to return Deny instead of
> NotApplicable when they do not match.

Does this mean that all Policies not applicable to a decision would
return an Obligation? Taken one step further with the TC's current
decision re: Obligations, that all Rules that are not applicable will
return Obligations?

Also, NotApplicable and "not allowed" are not explicitly correlated,
since the latter is defined as a "Deny", so I am not sure I understand
the use case fully. Are they looking for the logic behind each
decision to be passed to the PEP? (Which could be unwieldy if the
answer to my first question is yes :)

thanks
b
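
Added example, not part of the original messages and not an XACML engine: a simplified first-applicable evaluator showing the case described in the quoted text (an allow-list policy yields NotApplicable with nothing attached unless it is refactored with a catch-all Deny) and the volume concern raised in the reply. The Rule class, the advice mapping, the advice_on_not_applicable switch and the sample request are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Rule:
    effect: str   # PERMIT or DENY
    target: dict  # attribute -> required value; {} matches every request
    # decision -> message, loosely modelled on a FulfillOn-style attachment
    advice: dict = field(default_factory=dict)

    def matches(self, request):
        return all(request.get(k) == v for k, v in self.target.items())

def evaluate(rules, request, advice_on_not_applicable=False):
    """First-applicable evaluation; returns (decision, [advice, ...])."""
    skipped = []
    for rule in rules:
        if rule.matches(request):
            note = rule.advice.get(rule.effect)
            return rule.effect, ([note] if note else [])
        # Hypothetical extension under discussion: a rule that did not
        # match may still contribute advice to a NotApplicable result.
        if advice_on_not_applicable and NOT_APPLICABLE in rule.advice:
            skipped.append(rule.advice[NOT_APPLICABLE])
    return NOT_APPLICABLE, skipped

# Constructed sample policy that "enumerates goodness": Permit rules only.
ALLOW_LIST = [
    Rule(PERMIT, {"role": "doctor", "action": "read"},
         {NOT_APPLICABLE: "requires role=doctor for read"}),
    Rule(PERMIT, {"role": "admin", "action": "write"},
         {NOT_APPLICABLE: "requires role=admin for write"}),
]
# The refactoring the quoted text mentions: a catch-all Deny carrying the reason.
REFACTORED = ALLOW_LIST + [Rule(DENY, {}, {DENY: "no permit rule matched"})]
REQUEST = {"role": "nurse", "action": "read"}  # constructed request

def demo():
    return {
        "permit_deny_only": evaluate(ALLOW_LIST, REQUEST),
        "refactored": evaluate(REFACTORED, REQUEST),
        "hypothetical": evaluate(ALLOW_LIST, REQUEST,
                                 advice_on_not_applicable=True),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the hypothetical mode the advice list grows with the number of rules that did not match, which is the size concern the reply raises about passing this to the PEP.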