(Note -- not sure I am able to post to this list, so specified
addressees may be the only ones receiving.)
It is of great interest to us (DHS) to be able to answer the question of
why access was granted (or not) to a resource. However, I wonder if it
might be useful to distinguish between the detailed analysis of which
particular rules led to a decision, vs. recording the assertion by a PDP
that a defined policy set was applied, e.g.,
homelandSecurityPolicySetv2008-08-01. Analysis of the efficiency or
effectiveness or accuracy or whatever of the policy set could be done as
a separate "design-time" process, during which the particular rule or
rules that did or didn't fire could be examined, modeled, etc. I would
see this approach as being analogous to other "standards profile"
strategies, where it is desirable to be able to confirm that the current
required profile is implemented, without having to worry with the
details of the profile.
Martin
Martin F Smith
Chief, National Security Systems Branch
DHS Office of Intelligence and Analysis
NAC 19-410
(202) 447-3743 desk
(202) 441-9731 mobile
(800) 417-6930 pager
-----Original Message-----
From: xacml-return-839-martin.smith=dhs.gov@lists.oasis-open.org
[mailto:xacml-return-839-martin.smith=dhs.gov@lists.oasis-open.org] On
Behalf Of Craig Forster
Sent: Wednesday, August 13, 2008 9:34 PM
To: sampo@symlabs.com
Cc: hal.lockhart@oracle.com; xacml@lists.oasis-open.org
Subject: Re: [xacml] Proposed functional enhancement - Optional return
of policy ids of policies applicable to request
Hi Sampo and Hal,
This information (which PolicySet, Policy and Rules were applicable)
closely relates to audit requirements around why a certain response was
given. An approach we could take would be to define a set of audit
obligations that return this information.
Using audit obligations would allow XACML 2.0 to have this feature as
well.
However, the requesting of this information wouldn't be per-request, it
would be enabled for the entire PDP.
Regards,
Craig
---------------------------------------------------------------
Craig Forster
Software Engineer
IBM Australia Development Labs
---------------------------------------------------------------
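To make concrete the two options discussed in this thread (Martin's distinction between merely asserting that a named policy set was applied and the detailed record of which rules fired, and Craig's idea of returning the applicable PolicySet, Policy and Rule ids through an audit obligation), here is a toy XACML-style PDP written for this page. It is an added illustration, not code from OASIS, IBM or any list member; the policy set id is the one Martin quotes, while the policy and rule names, the request attributes and the obligation URN are constructed placeholders, and the evaluation is a simplified deny-overrides model rather than a full XACML engine.

```python
"""Toy XACML-style PDP that records provenance of a decision and returns it
as an audit obligation. Added illustration; the request shape, rule
predicates and obligation format are simplifications of XACML, not the
standard's actual schema."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
# Hypothetical obligation id; XACML obligations are identified by URI.
AUDIT_OBLIGATION_ID = "urn:example:obligation:audit-applicable-policies"


@dataclass
class Rule:
    rule_id: str
    effect: str                        # PERMIT or DENY
    target: Callable[[Dict], bool]     # True when the rule applies to a request


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]


@dataclass
class PolicySet:
    policy_set_id: str
    policies: List[Policy]


@dataclass
class Decision:
    decision: str
    obligations: Dict[str, dict] = field(default_factory=dict)


def deny_overrides(results: List[str]) -> str:
    """Combining algorithm: any Deny wins, else any Permit, else NotApplicable."""
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


def evaluate_policy(policy: Policy, request: Dict, trace: Dict) -> str:
    """Evaluate one policy, appending the ids of rules that fired to the trace."""
    fired = []
    for rule in policy.rules:
        if rule.target(request):
            fired.append(rule.effect)
            trace.setdefault("rules", []).append(f"{policy.policy_id}/{rule.rule_id}")
    decision = deny_overrides(fired)
    if decision != NOT_APPLICABLE:
        trace.setdefault("policies", []).append(policy.policy_id)
    return decision


def evaluate(policy_set: PolicySet, request: Dict, audit_level: str = "policyset") -> Decision:
    """audit_level='policyset' records only that the named policy set was applied
    (the design-time / run-time split Martin proposes); 'detailed' also records
    the applicable PolicyIds and RuleIds (the audit obligation Craig describes).
    The level is a PDP-wide setting, matching Craig's remark that it is not
    chosen per request."""
    trace: Dict[str, List[str]] = {}
    results = [evaluate_policy(p, request, trace) for p in policy_set.policies]
    decision = deny_overrides(results)
    obligation = {"PolicySetId": policy_set.policy_set_id}
    if audit_level == "detailed":
        obligation["PolicyIds"] = trace.get("policies", [])
        obligation["RuleIds"] = trace.get("rules", [])
    return Decision(decision, {AUDIT_OBLIGATION_ID: obligation})


# Constructed sample policy set; only the id comes from the thread.
SAMPLE_POLICY_SET = PolicySet(
    "homelandSecurityPolicySetv2008-08-01",
    [
        Policy("clearance-policy", [
            Rule("permit-cleared", PERMIT,
                 lambda r: r["clearance"] >= r["classification"]),
            Rule("deny-uncleared", DENY,
                 lambda r: r["clearance"] < r["classification"]),
        ]),
        Policy("hours-policy", [
            Rule("deny-after-hours", DENY, lambda r: not 8 <= r["hour"] < 18),
        ]),
    ],
)


def decide(request: Dict, audit_level: str = "policyset") -> Decision:
    """Evaluate a request (constructed attributes) against the sample policy set."""
    return evaluate(SAMPLE_POLICY_SET, request, audit_level)


if __name__ == "__main__":
    d = decide({"clearance": 1, "classification": 2, "hour": 20}, "detailed")
    print(d.decision, d.obligations[AUDIT_OBLIGATION_ID])
```

With `audit_level="policyset"` the obligation carries only the PolicySetId, which is enough for a PEP or log consumer to later verify offline which version of the policy set governed the decision; switching the PDP to `"detailed"` adds the PolicyIds and RuleIds for the case where the run-time audit record itself must explain the decision.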
From: sampo@symlabs.com
To: "hal.lockhart@oracle.com"