OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Problem Statement for "Obligations in rule element"

    Posted 03-20-2003 11:29
    This is a concrete problem statement for the XACML 1.1 work item titled
    "obligations in rule element".
    
    The current XACML spec allows specifying obligations in the policy element. For
    example, you can specify a policy like "if the age of the requesting
    subject is equal to or larger than 20, then access to resource A is allowed.
    If the age is between 16 and 20, then access is allowed provided the access
    is audited. Otherwise, access is denied". Description 1 shows a sample
    policy specification:
    
    - Description 1:
    <Policy PolicyId="P1">
        <Target>resource A</Target>
        <Rule Effect="Permit">
            <Condition>if age is equal or larger than 20</Condition>
        </Rule>
    </Policy>
    <Policy PolicyId="P2">
        <Target>resource A</Target>
        <Rule Effect="Permit">
            <Condition>if age is between 16 and 20</Condition>
        </Rule>
        <Obligation>audit</Obligation>
    </Policy>
    
    The problem is that we need two policies that have the same target
    specification "resource A", and there is much duplication between the two
    policies. If we allow obligations in <Rule>, this becomes a much more concise
    policy:
    
    - Description 2:
    <Policy PolicyId="P1">
        <Target>resource A</Target>
        <Rule Effect="Permit">
            <Condition>if age is equal or larger than 20</Condition>
        </Rule>
        <Rule Effect="Permit">
            <Condition>if age is between 16 and 20</Condition>
            <Obligation>audit</Obligation>
        </Rule>
    </Policy>
    
    Therefore, the XACML schema should support obligation specification at the rule
    level.
    
    Michiharu Kudo
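The following is an added example, not part of the post or of any XACML implementation: a toy evaluator that models Description 2 with obligations attached to rules, combines rules with permit-overrides, and returns only the obligations of rules whose effect matches the final decision (the way XACML 1.0 ties policy-level obligations to the decision). The condition functions, the permit-overrides choice, and the boundary "16 <= age < 20" are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Attributes = Dict[str, object]

@dataclass
class Rule:
    effect: str                                   # "Permit" or "Deny"
    condition: Callable[[Attributes], bool]
    # The proposed addition: obligations carried by the rule itself.
    obligations: List[str] = field(default_factory=list)

@dataclass
class Policy:
    policy_id: str
    target: str                                   # resource the policy covers
    rules: List[Rule]

def evaluate(policy: Policy, request: Attributes) -> Tuple[str, List[str]]:
    """Return (decision, obligations) using permit-overrides combining.

    Obligations are returned only from applicable rules whose effect
    equals the final decision; an obligation attached to a Deny rule is
    dropped when a Permit rule wins.
    """
    if request.get("resource") != policy.target:
        return "NotApplicable", []
    applicable = [r for r in policy.rules if r.condition(request)]
    if not applicable:
        return "NotApplicable", []
    decision = "Permit" if any(r.effect == "Permit" for r in applicable) else "Deny"
    obligations = [o for r in applicable if r.effect == decision for o in r.obligations]
    return decision, obligations

# Description 2 from the post as one policy on resource A (constructed sample;
# the boundary 16 <= age < 20 is an assumption, the post says "between 16 and 20").
POLICY_P1 = Policy(
    policy_id="P1",
    target="resource A",
    rules=[
        Rule("Permit", lambda req: req["age"] >= 20),
        Rule("Permit", lambda req: 16 <= req["age"] < 20, obligations=["audit"]),
        Rule("Deny", lambda req: req["age"] < 16),   # "otherwise, access is denied"
    ],
)

if __name__ == "__main__":
    for age in (25, 17, 12):
        print(age, evaluate(POLICY_P1, {"resource": "resource A", "age": age}))
```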