OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] 7.7 Obligations

    Posted 10-07-2002 16:36
Text for new section to be part of "Functional Requirements".

7.7 Obligations

A policy or policy set may contain one or more obligations. When such a policy or policy set is evaluated, an obligation is passed up to the next level of evaluation (the enclosing or referencing policy set or authorization decision) only if the effect of the policy or policy set being evaluated matches the value of the "xacml:FulfillOn" attribute of the obligation.

As a consequence of this procedure, no obligations are returned to the PEP if the policies or policy sets from which they are drawn are not evaluated, or if their evaluated result is "Indeterminate" or "NotApplicable", or if the decision resulting from evaluating the policy or policy set does not match the decision resulting from evaluating an enclosing policy set.

If the PDP's evaluation is viewed as a tree of policy sets and policies, each of which returns "Permit" or "Deny", then the set of <obligations> returned by the PDP to the PEP will include only the obligations associated with paths where the effect at each level of evaluation is the same as the effect being returned by the PDP.

The PDP just collects obligations; it is not responsible for enforcing them. The PEP is responsible for enforcing obligations. If the PEP does not understand an obligation, it should deny access.

--
Anne H. Anderson                 Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories    Tel: 781/442-0928
1 Network Drive, UBUR02-311      Fax: 781/442-1692
Burlington, MA 01803-0902 USA
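The propagation rule proposed above, modelled as an added example (not part of the original post or of any XACML implementation): each policy or policy set returns a decision together with the obligations that survived, an obligation is kept only where the effect at its own level equals its FulfillOn value, and a child's obligations are dropped when the child's effect differs from the combined effect of the enclosing policy set. Leaf results are fixed constants rather than evaluated against a request, and the combining algorithm (deny-overrides) and the obligation identifiers are assumptions for the illustration.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass
class Obligation:
    obligation_id: str  # constructed identifier for the illustration
    fulfill_on: str     # the obligation's xacml:FulfillOn attribute: Permit or Deny

@dataclass
class Policy:           # leaf; its evaluation result is fixed here for the illustration
    result: str
    obligations: list = field(default_factory=list)

@dataclass
class PolicySet:        # combines its children with deny-overrides (an assumption)
    children: list
    obligations: list = field(default_factory=list)

def deny_overrides(decisions):
    for wanted in (DENY, PERMIT, INDETERMINATE):
        if wanted in decisions:
            return wanted
    return NOT_APPLICABLE

def evaluate(node):
    """Return (decision, obligations); an obligation survives only on a path where
    the effect at every level equals its FulfillOn value."""
    if isinstance(node, Policy):
        decision, inherited = node.result, []
    else:
        results = [evaluate(child) for child in node.children]
        decision = deny_overrides([d for d, _ in results])
        # a child's obligations are kept only if its effect equals the combined effect
        inherited = [o for d, obs in results if d == decision for o in obs]
    if decision not in (PERMIT, DENY):
        return decision, []  # Indeterminate / NotApplicable return no obligations
    own = [o for o in node.obligations if o.fulfill_on == decision]
    return decision, inherited + own

# constructed sample tree: a Permit leaf, a Deny leaf and a NotApplicable subtree
TREE = PolicySet(
    children=[
        Policy(PERMIT, [Obligation("log-access", PERMIT)]),
        Policy(DENY, [Obligation("alert-admin", DENY), Obligation("email-user", PERMIT)]),
        PolicySet([Policy(NOT_APPLICABLE, [Obligation("never", PERMIT)])], [Obligation("also-never", DENY)]),
    ],
    obligations=[Obligation("audit-denial", DENY), Obligation("audit-grant", PERMIT)],
)
```

For TREE the combined effect is Deny, so only "alert-admin" (from the Deny leaf) and "audit-denial" (the root's own Deny obligation) reach the PEP; the Permit leaf's obligation and the NotApplicable subtree contribute nothing.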