OASIS eXtensible Access Control Markup Language (XACML) TC


obligations & error conditions


    Posted 04-13-2004 03:51


    Subject: obligations & error conditions


below are the changes that i think would be necessary to treat 
incomprehensible obligations directives as decision:ERROR (vs. 
decision:DENY). while the applied results are the same (from the 
subject's point of view anyway ;o), i believe that it provides the more 
logical decision outcome.
    
    b
    
    +++
    
    line 570:
    Therefore, bilateral agreement between a PAP and the PEP that will 
    enforce its policies is required for correct interpretation.  While the 
    contents of <Obligations> tags are opaque to the PDP, PEPs that conform 
    with v2.0 of XACML MUST understand, and be capable of discharging, all 
    obligations associated with a given decision if provided; failure to do 
    so MUST act as if the PEP returned an ERROR. <Obligations> elements are 
    returned to the PEP for enforcement.
    
    line 1538:
    [a478]-[a499] The <Obligations> element.  Obligations are a set of 
    operations that MUST be performed by the PEP in conjunction with an 
    authorization decision.  One or more obligations MAY be associated with 
    a “Permit” or “Deny” authorization decision.
    
    line 1715:
    The <Obligations> element contains a set of obligations that MUST be 
    fulfilled by the PEP in conjunction with the authorization decision.  If 
    the PEP does not understand, or cannot fulfill, any of the obligations, 
    then it MUST act as if the PDP returned an ERROR for the authorization 
    decision value.
    
    line 2977:
    The <Result> element represents an authorization decision result for the 
    resource specified by the ResourceId attribute.  It MAY include a set of 
    obligations that MUST be fulfilled by the PEP.  If the PEP does not 
    understand or cannot fulfill an obligation, then it MUST act as if the 
    PDP returned an ERROR for the authorization decision value.
    
    line 3006:
A list of obligations that MUST be fulfilled by the PEP.  If the PEP 
does not understand or cannot fulfill an obligation, then it MUST act as 
if the PDP returned an ERROR for the authorization decision value.  See 
Section 7.15 for a description of how the set of obligations to be 
returned by the PDP is determined.
    
    line 3130:
A PEP SHALL allow access to the resource only if a valid XACML response 
of "Permit" is returned by the PDP.  The PEP SHALL deny access to the 
resource in all other cases.  An XACML response of "Permit" SHALL be 
considered valid only if the PEP understands and can and will fulfill 
all of the obligations contained in the response.  An XACML response of 
“Deny” may also be accompanied by obligations.  In this case, if the PEP 
understands and can fulfill the obligations it MUST deny access and 
make best efforts to fulfill the obligations; otherwise the PEP MUST 
treat the decision by the PDP as an ERROR.
    
    line 3478:
    A PEP that receives a valid XACML response of "Permit" with obligations 
    SHALL be responsible for fulfilling all of those obligations.  A PEP 
    that receives an XACML response of "Deny" with obligations SHALL be 
    responsible for fulfilling all of the obligations that it understands 
    and is capable of fulfilling. If the PEP cannot understand the 
    obligations provided by the PDP it must treat the decision by the PDP as 
    an ERROR.
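The enforcement rule proposed in the post (a PEP allows access only on a valid "Permit", discharges the obligations it understands on "Deny", and treats any obligation it cannot understand or fulfill as an ERROR rather than a plain DENY) written out as a small PEP in Python. This is an added example, not code from the original post or from the XACML specification. The XACML 2.0 context and policy namespace URIs are assumed; the response builder, the `urn:example:...` obligation ids and the audit handler are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed XACML 2.0 namespaces: <Response>/<Result> live in the context schema,
# <Obligations>/<Obligation> in the policy schema.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"


@dataclass(frozen=True)
class Obligation:
    obligation_id: str
    fulfill_on: str
    assignments: Dict[str, str]   # AttributeId -> value


def parse_result(response_xml: str) -> Tuple[str, List[Obligation]]:
    """Return (Decision, obligations) from the first <Result> of a response."""
    root = ET.fromstring(response_xml)
    result = root.find(f"{{{CTX}}}Result")
    if result is None:
        raise ValueError("response carries no <Result>")
    decision = (result.findtext(f"{{{CTX}}}Decision") or "").strip()
    obligations = []
    for ob in result.iter(f"{{{POL}}}Obligation"):
        assignments = {
            a.get("AttributeId", ""): (a.text or "")
            for a in ob.findall(f"{{{POL}}}AttributeAssignment")
        }
        obligations.append(
            Obligation(ob.get("ObligationId", ""), ob.get("FulfillOn", ""), assignments))
    return decision, obligations


# A handler returns True once it has discharged the obligation it was given.
Handler = Callable[[Obligation], bool]


class PEP:
    def __init__(self, handlers: Dict[str, Handler]):
        # ObligationId -> handler. An id with no handler is "not understood".
        self.handlers = handlers

    def enforce(self, response_xml: str) -> Tuple[str, bool]:
        """Return (outcome, access_allowed); outcome is PERMIT, DENY or ERROR."""
        decision, obligations = parse_result(response_xml)
        if any(o.obligation_id not in self.handlers for o in obligations):
            # Proposed rule: an obligation the PEP cannot understand makes the
            # decision an ERROR (access is still withheld, but it is not a DENY).
            return "ERROR", False
        if decision == "Permit":
            # "Permit" is valid only if every obligation is actually fulfilled.
            if all(self.handlers[o.obligation_id](o) for o in obligations):
                return "PERMIT", True
            return "ERROR", False
        if decision == "Deny":
            # Deny still binds the PEP: best-effort discharge, access stays denied.
            for o in obligations:
                self.handlers[o.obligation_id](o)
            return "DENY", False
        # Indeterminate, NotApplicable or anything unexpected: deny.
        return "DENY", False


def make_response(decision: str, obligation_ids: List[str]) -> str:
    """Constructed XACML 2.0-style response for testing (not real PDP output)."""
    obs = "".join(
        f'<Obligation ObligationId="{oid}" FulfillOn="{decision}">'
        f'<AttributeAssignment AttributeId="urn:example:note" '
        f'DataType="http://www.w3.org/2001/XMLSchema#string">from policy'
        f'</AttributeAssignment></Obligation>'
        for oid in obligation_ids)
    return (f'<Response xmlns="{CTX}"><Result ResourceId="urn:example:resource:1">'
            f'<Decision>{decision}</Decision>'
            f'<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
            + (f'<Obligations xmlns="{POL}">{obs}</Obligations>' if obs else "")
            + '</Result></Response>')


# Constructed obligation id and handler: the only obligation this PEP understands.
AUDIT = "urn:example:obligation:audit-log"
audit_trail: List[str] = []


def audit_handler(o: Obligation) -> bool:
    audit_trail.append(f"{o.obligation_id}: {o.assignments.get('urn:example:note', '')}")
    return True


pep = PEP({AUDIT: audit_handler})

if __name__ == "__main__":
    print(pep.enforce(make_response("Permit", [AUDIT])))            # ('PERMIT', True)
    print(pep.enforce(make_response("Permit", [AUDIT, "urn:example:obligation:unknown"])))  # ('ERROR', False)
    print(pep.enforce(make_response("Deny", [AUDIT])))              # ('DENY', False)
```

The outcome label is what distinguishes the proposal from the earlier wording: from the subject's side access is withheld either way, but the PEP's own log and error reporting can tell an ERROR caused by an unrecognised obligation apart from a policy DENY.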
    

