Subject: Re: [xacml] Is authorization decision a postcondition?
From: John Erickson (john@hplb.hpl.hp.com)
Date: Nov 29, 2001 1:25:31 pm
List: org.oasis-open.lists.xacml

Hal wrote:

It just occurred to me that there is a substantive question related to this. Currently, a policy conflict occurs when you have 2 or more rules and they get different answers. Presumably this means how you decide to allow or not allow access. But what about the various post conditions associated with the rules? How does the PDP decide which post conditions should occur?

I think this is where we are hurt by not having a VM model for policy evaluation --- or, in another view, not having a model for the relationship between walking the tree and executing nodal behaviors (here, policies with post-conditions). In other words, the operational lifecycle of the node...

In one view, there should be a prioritization of the evaluation of policies that hook nodal operations. This is extremely important, since a post-condition could cause the short-circuiting of parsing of the sub-tree under a particular node; one would therefore want higher-priority policies to evaluate before lower priority. Also, if certain policies set attributes that affect the outcome of other policies, one would want those to be of higher priority.

Some document processing models (e.g. Multivalent Documents [Phelps]) have a notion of "before" and "after" sequencing of nodal operations, with high priority behaviors having the "first and last words."
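
The ordering concern raised in the message above, shown as an added example that is not part of the original message or of any XACML specification: a small tree walker in which one policy sets an attribute that another reads, and a Deny can short-circuit the sub-tree. The `Policy`, `Node` and `walk` names, the "higher number runs first" convention and the sample tree are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Policy:
    name: str
    priority: int                            # assumption: higher value runs first
    rule: Callable[[dict], Optional[str]]    # "Permit", "Deny" or None (not applicable)
    post_condition: Optional[str] = None
    prune_on_deny: bool = False              # a Deny here short-circuits the sub-tree

@dataclass
class Node:
    name: str
    policies: list = field(default_factory=list)
    children: list = field(default_factory=list)

def walk(node, attrs, by_priority=True, trace=None):
    """Evaluate policies on each node; return (node, policy, decision, post_condition) tuples."""
    trace = [] if trace is None else trace
    order = sorted(node.policies, key=lambda p: -p.priority) if by_priority else node.policies
    for p in order:
        decision = p.rule(attrs)             # a rule may also set attributes
        if decision is None:
            continue
        trace.append((node.name, p.name, decision, p.post_condition))
        if decision == "Deny" and p.prune_on_deny:
            return trace                     # children are never visited
    for child in node.children:
        walk(child, attrs, by_priority, trace)
    return trace

def classify(attrs):                         # sets an attribute that gate() reads
    attrs["sensitivity"] = "secret"
    return None

def gate(attrs):
    secret = attrs.get("sensitivity") == "secret"
    return "Deny" if secret and attrs["clearance"] != "secret" else "Permit"

def build_tree():
    """Constructed sample: gate is declared before classify on purpose."""
    leaf = Node("section", [Policy("leaf-read", 1, lambda a: "Permit", "log-access")])
    return Node("document",
                [Policy("gate", 5, gate, "notify-owner", prune_on_deny=True),
                 Policy("classify", 10, classify)],
                [leaf])

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, walk(build_tree(), {"clearance": "public"}, by_priority=flag))
```

With priority ordering the attribute-setting policy runs first, the gate denies, and only the gate's post-condition is collected; in declaration order the same request is permitted and the leaf's post-condition fires as well.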