|bill parducci||Jun 11, 2001 3:54 pm|
|Simon Y. Blackwell||Jun 11, 2001 5:08 pm|
|bill parducci||Jun 11, 2001 8:24 pm|
|Polar Humenn||Jun 12, 2001 5:44 am|
|Polar Humenn||Jun 12, 2001 5:45 am|
|Simon Y. Blackwell||Jun 12, 2001 6:03 am|
|Simon Y. Blackwell||Jun 12, 2001 6:06 am|
|Polar Humenn||Jun 12, 2001 6:16 am|
|bill parducci||Jun 12, 2001 10:36 am|
|Subject:||RE: access control information (formerly... Strawman)|
|From:||Simon Y. Blackwell (sbla...@psoom.com)|
|Date:||Jun 12, 2001 6:03:29 am|
It may or may not be a bank balance. That it is even a balance is somewhat immaterial, it is just intended as a concrete example of an attribute that may be associated with a requestor, the resolution of which is required to make a policy decision regarding the use of a resource. The resource itself may also have attributes associated with it that are referenced in a policy. (What a mouthful! Which is why I try to use concrete examples!)The choice of which attributes to use within policy statements is entirely up to the entity defining the policy.
BTW, the above is what I intend and desire, it is not necessarily what will be the requirements that are established by the XACML group.
-----Original Message----- From: Polar Humenn [mailto:pol...@syr.edu] Sent: Tuesday, June 12, 2001 5:35 AM To: Simon Y. Blackwell Cc: 'bill parducci'; 'xac...@lists.oasis-open.org' Subject: RE: access control information (formerly... Strawman)
One question, are you talking about having authorization information included in credentials stating a persons particular bank balance?
On Mon, 11 Jun 2001, Simon Y. Blackwell wrote:
The problem with "insufficient funds to access" is it requires an understanding of the meaning of the constraint "balance > $5,000". (Yes, I know by policy example was not precisely in this form ...). To avoid the requirement that the policy engine actually understand the semantics of the constraint, I suppose it could return "balance < ?required-amount" which would only require programming the policy engine such that it understood the semantics of some finite set of operators. It still gets pretty ugly though.
-----Original Message----- From: bill parducci [mailto:bi...@parducci.net] Sent: Monday, June 11, 2001 3:53 PM To: 'xac...@lists.oasis-open.org' Subject: access control information (formerly... Strawman)
/* For the most part these situations can be reduced to things of the form "If you don't tell me that I need a $5,000 balance to access your services, how do I know what to do to comply?". */
good point. however, should the response be 'you need $5,000 to have access' or 'insufficient funds to access'? i know to some this may seem pedantic, but the former message provides the requestor with specific information regarding your ACL. (imagine the case of 'denied: not memeber of xyz group')
/* Once again, we should leave the decision whether or not to expose policy to the expression of the policy itself. */ ultimately, this may be the only workable solution. (although, let's shoot a couple of prisoners first and see how it goes to make sure :o)