OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] proposed amendment to Polar's resolution of PM-2-05

Posted 04-06-2002 01:18
Bill, could you explain your problem?

Sometimes a PEP does not want to expose to the PDP all possible attribute values, but only those really needed. By having the PDP supply a list of those attributes required for a decision, the PEP can send only those. In fact, the PDP could return a structured set of attributes: "I could return a decision if you supply A, B, and C OR D and E."

Another case is to support the Java Policy "getPermissions" API. In this case, the PEP supplies a partial list of attributes, and gets back a list of Permissions (resource/action pairs) that remain as the only unknown attributes after substituting the supplied attributes into all the Permit rules. So far, Java Security developers have not indicated any requirements for implementing this API, but it is a potential case.

Anne

"bill parducci" <bill@parducci.net> wrote:
> Date: Fri, 05 Apr 2002 15:09:34 -0800
> in a side discussion with polar it was my impression that this exchange
> excluded responses to a PEP. is this consistent with the understanding
> of others?
>
> i have a BIG problem with a PDP returning anything to a PEP other than
> the decision/obligation, particularly if it provides information on how
> to achieve a decision.
>
> b
>
> > "Beznosov, Konstantin" wrote:
> >
> > I suggest to amend the text of the resolution so that the above
> > fragment will read the following:
>
> The PDP MAY return an "authorization decision" of "indeterminate" with
> an error code of "insufficient information", signifying that more
> information is needed. In this case, the "authorization decision" MAY list
> the names of any attributes of the subject and the resource that are
> needed by the PDP to refine its "authorization decision".
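The two cases Anne describes (an "indeterminate / insufficient information" decision that names the attribute sets still needed, and a getPermissions-style query over partially supplied attributes), as an added example that is not part of the thread or of any XACML implementation. The policy, attribute names and values are constructed; the `disclose_missing` switch is a hypothetical knob that lets a deployment withhold the missing-attribute list, which is what Bill's objection is about.

```python
# Added example, not from the XACML thread: a toy permit-overrides PDP over
# Permit-only rules (dicts of attribute -> required value, all must hold).
from dataclasses import dataclass, field

@dataclass
class Decision:
    effect: str                                  # "Permit", "Deny" or "Indeterminate"
    status: str = "ok"                           # or "insufficient information"
    missing: list = field(default_factory=list)  # alternatives: lists of attribute names

# Constructed sample policy; attribute names and values are hypothetical.
POLICY = [
    {"role": "doctor", "department": "cardiology", "resource": "chart", "action": "read"},
    {"role": "admin", "resource": "chart", "action": "read"},
    {"role": "doctor", "resource": "schedule", "action": "write"},
]

def substitute(rule, attrs):
    """None if a supplied attribute contradicts the rule; otherwise the sorted
    names of attributes the rule still needs (empty list = rule matches)."""
    missing = [name for name in rule if name not in attrs]
    if any(attrs[n] != v for n, v in rule.items() if n in attrs):
        return None
    return sorted(missing)

def evaluate(rules, attrs, disclose_missing=True):
    alternatives = []
    for rule in rules:
        missing = substitute(rule, attrs)
        if missing is None:
            continue                    # rule definitively does not apply
        if not missing:
            return Decision("Permit")   # permit-overrides: one full match suffices
        if missing not in alternatives:
            alternatives.append(missing)
    if not alternatives:
        return Decision("Deny")         # no rule can match, whatever else is supplied
    d = Decision("Indeterminate", "insufficient information")
    if disclose_missing:                # Bill's objection: this reveals policy structure
        d.missing = alternatives        # read as (A and B and C) OR (D and E)
    return d

def remaining_permissions(rules, attrs, perm_attrs=("resource", "action")):
    """getPermissions-style query: resource/action pairs that are the only
    unknowns left after substituting the supplied attributes into each rule."""
    pairs = [tuple(r.get(a) for a in perm_attrs) for r in rules
             if (m := substitute(r, attrs)) is not None and set(m) <= set(perm_attrs)]
    return list(dict.fromkeys(pairs))
```

With `disclose_missing=False` the PEP sees only "Indeterminate / insufficient information", so a caller that is not entitled to the full decision cannot probe the rule structure by submitting partial requests.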