TEXT LOCATION: 3.1 Data-flow model, Figure 1 - Data-flow diagram TEXT CHANGE: Replace diagram with: access requester --2. access request----> PEP --13. obligations--> obligations ^ service 3. request 12. response V PDP <--4. request notification---- context handler <---8. resource--> resource content ---5. attribute queries------> ^ <--10. attributes------------ --11. response context--------> ^ ^ --9. environment--> environment attributes 6. attribute 7. attributes queries 1. policy V PAP PIP TEXT LOCATION: 3.1 Data-flow model, Steps 1-12 TEXT CHANGE: Replace text for steps as follows: 1. PAPs write policies and make them available to the PDP. 2. The access requester sends a request for access to the PEP. 3. The PEP sends the request for access to the context handler in its native request format, optionally including additional attributes of the subjects, resource and action. The context handler translates the information in the native request into a form consistent with an XACML Request Context (see Section 7.7 Use profile for XACML request). 4. The PEP notifies the PDP that a request is available for evaluation. 5. Based on its initial policy (see Section 7.1 Initial policy), the PDP issues attribute queries to the context handler based on the attributes required to evaluate the initial policy and those policies referenced from it. Attribute queries are expressed in the form of AttributeDesignators or AttributeSelectors. 6. The context handler may issue attribute queries to a PIP in order to resolve attributes not present in the native request. 7. The PIP returns the requested attributes to the context handler. 8. The context handler may optionally obtain information from the resource itself. 9. The context handler may optionally obtain information from the environment. 10. The context handler makes the requested attributes available to the PDP "as if" the requested attributes were located in a Request Context. The PDP evaluates the policy. 11. The PDP returns the response context (including its decision) to the context handler. 12. The context handler translates the response context to the native response format of the PEP. The context handler returns the response to the PEP. 13. The PEP fulfills the obligations 14. (Not shown) if access is permitted, then the PEP permits access to the resource; otherwise, it denies access. RATIONALE: Make diagram and steps consistent with respect to "notional" Request Context and how/when attributes are obtained. Anne -- Anne H. Anderson Email:
Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692