OASIS eXtensible Access Control Markup Language (XACML) TC


FW: proposed XACML Domain Model + Scope

  • 1.  FW: proposed XACML Domain Model + Scope

    Posted 06-12-2001 07:59
    All members should make sure to review Gilbert's document prior to the call
    on Thursday. Here are my comments:
    
    First and foremost, thanks for producing this Gilbert!
    
    In answer to the question "Should the Policy Decision Point be in scope for
    XACML?". Yes. Although I had not initially envisioned the PDP as part of our
    scope, I think we need to make it in scope as a matter of practicality.
    Forming yet another TC seems like a bad idea and until the PDP is in scope
    for someone, the policy language won't be used. This is similar to the
    access protocol question that came up earlier.
    
    The definition of Authorization Decision Assertions: "Assertions that
    correspond to the result of an authorization decision. Such assertions must
    contain the binary result of the decision (permitted/not permitted) and may
    contain additional "advisory" information that serves to act as an
    explanation for the decision" appears inadequate. Based on examples from
    SAML, and at least what I envision being produced by a PDP, the authorization
    decision will include the operation that is permitted, e.g. read, write,
    provision, execute, use, etc.
    
    We need a definition for Authorization Attributes before we can address the
    concern "I am disturbed about the fact that Authorization Attributes appear
    in Figure 1 but don't appear in Figure 2. Are there attributes whose schema
    are likely to be closely coupled with the Authorization Policies defined within
    the security domain? Does the definition of these attributes then fall
    within the scope of XACML?"