XACML Obligations

Submitted by 血红的双手。 on 2019-12-13 13:16:28

Question


How do we use obligations in XACML? Any reference will be helpful. The scenario is that the obligations should refer to the PIP and return the result to the PEP.

Thanks

---EDIT--- Example from the author's comment:

<ObligationExpressions>
    <!-- Fires only when the enclosing policy/rule evaluates to Permit -->
    <ObligationExpression ObligationId="EmailObligation" FulfillOn="Permit">
        <!-- Variable part of the obligation: the requesting subject's id, resolved at evaluation time -->
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
            <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </AttributeAssignmentExpression>
    </ObligationExpression>
</ObligationExpressions>

Answer 1:


Obligations in XACML (as well as Advice introduced in XACML 3.0) are used to enrich the authorization flow.

A typical XACML response only bears a decision (one of Permit, Deny, Not Applicable, or Indeterminate). But what if you want to tell the user why access is denied? What if you want to implement a "Break the glass" scenario?

This is where obligations and advice come in handy. Here are a few examples:

  • Deny Alice access to document D + obligation: email her manager, Bob, to let him know Alice tried to access document D.
  • Deny Doctor House the right to view medical record + obligation: tell Doctor House he can "break the glass" to access the medical record.
  • Allow Joe to view Document D, but first watermark the document before returning it to Joe.

In XACML 3.0 obligations and advice can have variable parts such as - in the examples above - the manager's email. Those parts can be retrieved from a PIP.
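An added example (not part of the original question or answer) showing the PEP side of the flow: it parses a constructed XACML 3.0 Response carrying the question's EmailObligation, with the variable part already resolved by the PDP through a PIP, and grants access only if the decision is Permit and every obligation could be discharged. The `email_obligation` handler and the `SENT` list are hypothetical stand-ins for a real mail hook.

```python
# Added example, not from the original page. XACML requires a PEP to deny
# access when it cannot discharge every obligation attached to the decision
# (Advice, by contrast, may be ignored). The Response XML below is constructed.
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}

# Constructed sample: Permit with the EmailObligation from the question; the
# variable part (the subject-id) was resolved by the PDP via a PIP.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Obligations>
      <Obligation ObligationId="EmailObligation">
        <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text"
            DataType="http://www.w3.org/2001/XMLSchema#string">alice</AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>"""

def parse_result(xml_text):
    """Return (decision, [(obligation_id, {attribute_id: value}), ...])."""
    root = ET.fromstring(xml_text)
    result = root.find("x:Result", NS)
    decision = result.findtext("x:Decision", namespaces=NS)
    obligations = []
    for ob in result.findall("x:Obligations/x:Obligation", NS):
        attrs = {a.get("AttributeId"): a.text
                 for a in ob.findall("x:AttributeAssignment", NS)}
        obligations.append((ob.get("ObligationId"), attrs))
    return decision, obligations

def enforce(xml_text, handlers):
    """PEP logic: grant only if the PDP said Permit AND every obligation was fulfilled."""
    decision, obligations = parse_result(xml_text)
    if decision != "Permit":
        return False
    for ob_id, attrs in obligations:
        handler = handlers.get(ob_id)
        if handler is None or not handler(attrs):
            return False  # unknown or failed obligation: fail closed
    return True

# Hypothetical handler for the question's EmailObligation; a real one would send mail.
SENT = []
def email_obligation(attrs):
    SENT.append(attrs.get("urn:oasis:names:tc:xacml:3.0:example:attribute:text"))
    return True
```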



Source: https://stackoverflow.com/questions/15831574/xacml-obligations
