| From | Sent On | Attachments |
|---|---|---|
| bill parducci | Jun 11, 2001 3:54 pm | |
| Simon Y. Blackwell | Jun 11, 2001 5:08 pm | |
| bill parducci | Jun 11, 2001 8:24 pm | |
| Polar Humenn | Jun 12, 2001 5:44 am | |
| Polar Humenn | Jun 12, 2001 5:45 am | |
| Simon Y. Blackwell | Jun 12, 2001 6:03 am | |
| Simon Y. Blackwell | Jun 12, 2001 6:06 am | |
| Polar Humenn | Jun 12, 2001 6:16 am | |
| bill parducci | Jun 12, 2001 10:36 am | |
| Subject: | Re: access control information (formerly... Strawman) | |
|---|---|---|
| From: | Polar Humenn (pol...@syr.edu) | |
| Date: | Jun 12, 2001 5:45:58 am | |
| List: | org.oasis-open.lists.xacml | |
You could go for a strictly logical approach, i.e. Prolog-like Horn clauses. Then you have a semantics. You just have to standardize the primitive predicates.
-Polar
On Mon, 11 Jun 2001, bill parducci wrote:
> "Simon Y. Blackwell" wrote:
> > The problem with "insufficient funds to access" is it requires an understanding of the meaning of the constraint "balance > $5,000". (Yes, I know my policy example was not precisely in this form ...). To avoid the requirement that the policy engine actually understand the semantics of the constraint, I suppose it could return "balance < ?required-amount" which would only require programming the policy engine such that it understood the semantics of some finite set of operators. It still gets pretty ugly though.
> ugly indeed. no matter which way you take this there are issues of 'ugliness'. on one hand you are faced with developing a library of discrete responses that could be virtually limitless in number if they are to provide usable information to all known test cases. on the other hand, as you point out, application specific responses are likely to require some sort of out-of-band (predefined) understanding of semantics, etc. to react properly to the message (otherwise you are no better off receiving a detailed response vs. 'no. go away'.)
> perhaps the middle ground is the development of some generalized semantics based upon the content of the request.
> <winging it/> suppose a doc had <balance> as a field, your response above would be a valid message ("balance < ?required-amount"). in other words, responses would be based upon some generic expressions (<, >, <>, =, +/-, etc.) and are limited to those fields presented in the request itself. of course a document could be submitted that is missing necessary information, in which case you would be stuck responding with 'all necessary information not present' or some such, but as mentioned above, it is hard to think of a scenario whereby a valid requestor can be totally ignorant of the recipient's requirements and still be able to act in any meaningful way to the response codes regardless of their content.
> b
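The following is an added illustration, not code from this thread or from XACML, of the two ideas above put together: the policy is a set of Prolog-like Horn clauses whose bodies are built from a standardized finite set of primitive predicates (Polar's suggestion), and a denial is explained only with those same operators applied to fields the request itself carried, with a placeholder in place of the policy's constant (Simon's "balance < ?required-amount", Bill's "limited to those fields presented in the request"). A field the policy needs but the request lacks produces the "necessary information not present" style of response. The predicate names (gt, lt, eq, ne), the derived predicate "premium", the field names and the sample policy and requests are all constructed for this example.

```python
"""Toy policy engine: Horn clauses over a fixed set of primitive predicates,
with denial reasons phrased only in terms of the request's own fields.
Added illustration for the thread above; not XACML and not anyone's product."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

# The finite set of primitive predicates the engine understands (the
# "standardized primitives"). The names are this example's own choice.
PRIMITIVES: Dict[str, Callable[[Any, Any], bool]] = {
    "gt": lambda a, b: a > b,
    "lt": lambda a, b: a < b,
    "eq": lambda a, b: a == b,
    "ne": lambda a, b: a != b,
}
# How a failed primitive is reported: the complementary operator applied to
# the request's own field, with the policy constant replaced by a placeholder
# so the threshold itself is never echoed back to the requester.
FAILURE_FORM = {"gt": "le", "lt": "ge", "eq": "ne", "ne": "eq"}


@dataclass(frozen=True)
class Atom:
    pred: str                    # a PRIMITIVES key, or a derived predicate name
    args: Tuple[Any, ...] = ()   # (request_field, constant) for primitives


@dataclass
class Rule:
    head: str                    # derived predicate, e.g. "permit"
    body: List[Atom]             # conjunction: head :- body[0], body[1], ...


@dataclass
class Decision:
    permit: bool
    reasons: List[str] = field(default_factory=list)


def _check(atom: Atom, request: Dict[str, Any], facts: Set[str]) -> Optional[str]:
    """None if the atom holds; otherwise a reason that mentions only fields
    the request carried (or the absence of a field the policy needed)."""
    if atom.pred not in PRIMITIVES:
        return None if atom.pred in facts else f"{atom.pred} not established"
    fld, const = atom.args
    if fld not in request:
        return f"{fld} not present in request"
    if PRIMITIVES[atom.pred](request[fld], const):
        return None
    return f"{fld} {FAILURE_FORM[atom.pred]} ?required-{fld}"


def _explain(rules: List[Rule], request: Dict[str, Any], facts: Set[str],
             goal: str, seen: Set[str]) -> List[str]:
    """Why no rule for `goal` fired, following derived predicates downward."""
    if goal in seen:
        return []
    seen.add(goal)
    out: List[str] = []
    for r in rules:
        if r.head != goal:
            continue
        for atom in r.body:
            why = _check(atom, request, facts)
            if why is None or why in out:
                continue
            out.append(why)
            if atom.pred not in PRIMITIVES:
                for w in _explain(rules, request, facts, atom.pred, seen):
                    if w not in out:
                        out.append(w)
    return out


def evaluate(rules: List[Rule], request: Dict[str, Any], goal: str = "permit") -> Decision:
    """Forward-chain until no new fact appears, then decide on `goal`."""
    facts: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for r in rules:
            if r.head not in facts and all(_check(a, request, facts) is None for a in r.body):
                facts.add(r.head)
                changed = True
    if goal in facts:
        return Decision(True)
    return Decision(False, _explain(rules, request, facts, goal, set()))


# Constructed sample policy: the "balance > 5000" constraint from the thread,
# plus a second route to permit through a derived "premium" predicate.
POLICY = [
    Rule("permit", [Atom("eq", ("role", "customer")), Atom("gt", ("balance", 5000))]),
    Rule("permit", [Atom("premium"), Atom("gt", ("balance", 1000))]),
    Rule("premium", [Atom("eq", ("tier", "gold"))]),
]

if __name__ == "__main__":
    for req in ({"role": "customer", "balance": 7000},
                {"role": "customer", "balance": 2000, "tier": "gold"},
                {"role": "customer", "balance": 500},
                {"role": "customer"}):
        print(req, "->", evaluate(POLICY, req))
```

Note what the response does and does not disclose: a denial such as "balance le ?required-balance" tells the requester which of its own fields failed and in which direction, but not the threshold, and a requester can still learn the threshold by probing with different balances. Whether that one bit per constraint is acceptable is itself a policy decision; the engine only guarantees that the constant in the rule is never copied into the answer.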