[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Bob's precondition/postcondition wording
Added under Conventions as section 1.3.2
Carol
At 02:23 PM 2/23/99 -0600, you wrote:
>
>
>Carol, Konstantin, et. al.:
>
>Here's the text describing how preconditions and postconditions are to be
>interpreted in our spec.
>
>In this specification we use a "design by contract"
>precondition/postcondition semantics. This means:
>
> * An object which receives a call assumes that its preconditions are
>true at the time the call is received
> * If the preconditions are true, then:
>
> * When the object returns from the call, the postcondition will
>be true, OR
> * The object will throw an exception, indicating that it was
>unable to fulfill its contract
>
> * If ANY of the preconditions is not true, then the object's behavior
>is undefined, and, in particular, the postconditions
> are not guaranteed to be true when the object returns from the call.
>
>
>--bob
>
>Bob Blakley
>IBM Lead Security Architect
>Voice: +1 (512) 838-8133
>Fax: +1 (512) 838-0156
>Post: 11400 Burnet Road, Mail Stop 9134, Austin, TX 78758 USA
>Internet: blakley@us.ibm.com
>
>
>Konstantin Beznosov <beznosov@baptisthealth.net> on 02/23/99 02:05:39 PM
>
>Please respond to Konstantin Beznosov <beznosov@baptisthealth.net>
>
>To: hrac-rfp@cs.fiu.edu
>cc: (bcc: Bob Blakley/Austin/IBM)
>Subject: exceptions
>
>
>
>
>
>//## Module: DfResourceAccessDecision
>//## Source file: S:\HRAC_submission\model\DfResourceAccessDecision.idl
>
>
>#ifndef DfResourceAccessDecision_idl
>#define DfResourceAccessDecision_idl
>
>#include "NamingAuthority.idl"
>#include "Security.idl"
>
>#pragma prefix "omg.org"
>
>// ==================================================================
>
>module DfResourceAccessDecision
>{
> interface AccessDecisionAdmin;
>
> //## BooleanList Documentation:
> // A sequence of boolean used as a return value when
> // multiple decisions are requested. This type is used
> // as a return value in the multiple_access_allowed()
> // method of the AccessDecision interface.
>
> typedef sequence<boolean> BooleanList;
>
>
> //## AttributeList Documentation:
> // The Security::AttributeList is defined as follows
> // in CORBA Security 1.2 (ptc/98-01-02). The Attribute
> // List is provided as an input parameter by the
> // "application" client when a request for an access
> // decision is made. The AttributeList used for access
> // decisions may be modified to include dynamic
> // attributes by use of the get_dynamic_attributes()
> // method of the DynamicAttributeService interface.
> // As a convenience to the reader, the structure of a
> // Security::AttributeList is replicated
> // below.
>
> typedef Security::AttributeList AttributeList;
>
>
> //## PolicyName Documentation:
> // A PolicyName is a string used to identify an access
> // policy for a secured resource. This type is only
> // used in the PolicyEvalutorAdmin interface. It is
> // used as an input parameter to the replace_policy(),
> // add_policy(), and set_default_policy() methods of
> // the PolicyEvaluatorAdmin interface. PolicyNames are
> // assigned by the administrative interface of the
> // policy engine and
> // cannot be modified or controlled by the HRAC. There
> // is one standard PolicyName of "NO_ACCESS_POLICY".
> // See the PolicyEvaluatorAdmin interface for usage.
>
> // A datum element of this type is invalid if it is
> // empty.
>
> typedef string PolicyName;
>
>
> //## PolicyNameList Documentation:
> // A PolicyNameList is a sequence of PolicyNames. It
> // is returned from the list_policy() method of the
> // PolicyEvaluatorAdmin interface.
>
> // A datum element of this type is invalid if it is
> // empty or any of its sub-elements is invalid.
>
> typedef sequence<PolicyName> PolicyNameList;
>
>
>
> const PolicyName NO_ACCESS_POLICY = "NO_ACCESS_POLICY";
>
>
> //## DecisionResult Documentation:
> // DecisionResult is an enum with three possible
> // values. This type is used as a result in access
> // decisions where access policy is applied. This is
> // the type returned from the evaluate() method of the
> // PolicyEvaluator.
>
> enum DecisionResult
> {ACCESS_DECISION_ALLOWED, ACCESS_DECISION_NOT_ALLOWED,
>ACCESS_DECISION_UNKNOWN};
>
> //## DecisionResultList Documentation:
> // DecisionResultList is a sequence of DecisionResult.
> // This is the type returned from the multiple_
> // evaluate() method of the PolicyEvaluator and is the
> // type provided as an input parameter
> // to the combine_decisions() method of the Decision
> // Combinator.
>
> typedef sequence<DecisionResult> DecisionResultList;
>
>
> //## ResourceNamingAuthority Documentation:
> // A datum element of type ResourceNamingAuthority is
> // invalid if it is empty or has syntax which is
> // invalid for type NamingAuthority::AuthorityIdStr.
>
> typedef NamingAuthority::AuthorityIdStr ResourceNamingAuthority;
>
>
> //## ResourceNameComponent Documentation:
> // A datum element of this type is invalid if either
> // name_string or value_string member is empty.
>
> struct ResourceNameComponent {
> string name_string;
> string value_string;
> };
>
> //## ResourceNameComponentList Documentation:
> // A datum element of type ResourceNameComponentList
> // is invalid if it is empty or any of its
> // sub-elements is invalid.
>
> typedef sequence<ResourceNameComponent> ResourceNameComponentList;
>
>
> //## ResourceName Documentation:
> // A ResourceName is used to identify a secured
> // resource. ResourceName is a sequence of strings
> // allowing for groupings of resources. It is required
> // that the first string in the sequence is formatted
> // as a NamingAuthority::QualifiedNameStr. This
> // ensures globally unique resource names (and/or
> // groups) See NamingAuthority module in
> // corbamed/98-02-29. Issue: Submitters are discussing
> // whether we want to make this a stronger requirement
> // by putting the type in the IDL (this is a
> // typedef for a string with a standard format in
> // NamingAuthority).
>
> // A datum of type ResourceName is invald if either
> // resource_name_authority or resource_name_component_
> // list is invalid.
>
> struct ResourceName {
> ResourceNamingAuthority resource_name_authority;
> ResourceNameComponentList resource_name_component_list;
> };
>
>
> typedef ResourceName ResourceNamePattern;
>
>
> //## Operation Documentation:
> // A datum element of this type is invalid if it is
> // empty.
>
> typedef string Operation;
>
>
> //## OperationList Documentation:
> // An OperationList is used to identify a list of
> // operations that may be performed on a secured
> // resource.
>
> typedef sequence<string> OperationList;
>
>
> //## AccessDefinition Documentation:
> // The AccessDefinition struct is provided to allow
> // multiple access definitions to be defined. It
> // contains the ResourceName and the operation name
> // for the secured resource access being requested.
> // AccessDefinition is used as an input parameter to
> // the access_allowed() method of the AccessDecision
> // interface and the evaluate() method of the Policy
> // Evaluator interface.
>
> // A datum element of this type is invalid if either
> // of its members is invalid.
>
> struct AccessDefinition {
> ResourceName resource_name;
> Operation operation_name;
> };
>
> //## AccessDefinitionList Documentation:
> // AccessDefinitionList is the type used to request
> // multiple access decisions in a single operation. It
> // is used as an input parameter to the multiple_access
> // _allowed() method of the AccessDecision interface
> // and the multiple_evaluate() method of the Policy
> // Evaluator interface.
>
> typedef sequence<AccessDefinition> AccessDefinitionList;
>
>
> //## InvalidResourceName Documentation:
> // This exception is raised when the provided resource
> // name is invalid. Please refer to the specification
> // of type ResourceName for the description of valid
> // and invalid datum elements of type ResourceName.
>
> exception InvalidResourceName {};
>
> //## InvalidAccessRequestList Documentation:
> // This exception is raised when a list of access
> // request is invalid. Please refer to the
> // specification of type AccessDefintionList for the
> // description of valid and invalid datum items of
> // this type.
>
> exception InvalidAccessRequestList {
> AccessDefinition first_invalid_element;
> };
>
> //## InvalidResourceNamePattern Documentation:
> // This exceptions is raised when a resource name
> // pattern, provided as an operation argument, has
> // invalid syntax. Please refer to specification of
> // ResourceNamePattern data type for description of
> // its valid syntax.
>
> exception InvalidResourceNamePattern {
> };
>
> //## RegisteredResourceNamePattern Documentation:
> // The specified resource name pattern is already
> // registered with this object instance. The same
> // resource name pattern can be registered only once
> // with the same object instance before it is
> // unregistered.
>
> exception RegisteredResourceNamePattern {};
>
> //## RadInternalError Documentation:
> // Access Decision object can not procede with serving
> // the request.
>
> exception RadInternalError {};
>
> //## InvalidOperationName Documentation:
> // This exception is raised when a name of operation
> // on a resource is invalid. Please refer to the
> // specification of type Operation for the description
> // of valid and invalid datum elements of type
> // Operation.
>
> exception InvalidOperationName {};
>
>
> interface DynamicAttributeService {
> //## Operation: get_dynamic_attributes
> //## Documentation:
> // This method takes the parameters provided by the
> // client of the AccessDecision object; the Attribute
> // List, the ResourceName, and the operation and
> // determines what (if any) dynamic attributes should
> // be added to the AttributeList. In addition, the
> // returned AttributeList may be modified by this
> // service. The service may add or remove Sec
> // Attributes to this list. It is the returned list of
> // SecAttributes that is used as the basis of access
> // decisions by the HRAC.
>
> // Preconditions:
> // 1. "resource_name" is valid.
> // 2. "operation" is valid.
>
> // No postconditions.
> AttributeList get_dynamic_attributes(in AttributeList attribute_list,
>in ResourceName resource_name, in Operation operation)
> raises( InvalidResourceName, InvalidOperationName );
> };
>
> //## InvalidPolicyNameList Documentation:
> // This exceptions is raised when the provided Policy
> // NameList has invalid value. Please refer to the
> // specification of PolicyNameList data type for a
> // description of valid PolicyNameList datum elements.
>
> exception InvalidPolicyNameList {
> PolicyName first_invalid_element;
> };
>
> //## NonExistingPolicy Documentation:
> // This exception is raised when a policy name, which
> // is does not exist in the context of the particular
> // instance of PolicyEvaluatorAdmin, is used in
> // administration of PolicyEvaluator object via Policy
> // EvaluatorAdmin interface operation.
>
> exception NonExistingPolicy {
> PolicyName policy_name;
> };
>
> //## PolicyEvaluatorAdmin Documentation:
> // The PolicyEvaluatorAdmin interface is used to
> // associate named access policies with secured
> // resources. It is assumed that the administrative
> // tool used to create and manage access policies
> // (outside the scope of this submission) provides a
> // mechanism to allow policies to be associated with
> // "names" which are represented as PolicyName (a
> // string). This PolicyEvaluatorAdmin interface allows
> // those policies to be applied "by name" to a secured
> // resource represented by a
> // ResourceName.
> // This interface is primarily provided for the
> // application that wishes to assign a policy to a
> // newly created resource programmatically at the time
> // of resource creation. It does, however, require that
> // the application have knowledge of the named
> // policies in order to choose an appropriate policy
> // for access decisions.
>
> interface PolicyEvaluatorAdmin {
>
> //## Operation: set_policies
> //## Documentation:
> // The policy identified by PolicyName is associated
> // with the secured resource identified by the Resource
> // Name. If the PolicyName is NO_ACCESS_POLICY, then
> // all policy is removed for the resource. If a Policy
> // Name is applied to a ResourceName that has existing
> // policy, then the policy will be replaced by the
> // policy identified by this PolicyName.
>
> // Preconditions:
> // 1. "policy_names" has a valid value.
> // 2. All policy named by "policy_names" exist in this
> // policy evaluator.
> // 3. "resource_name" has a valid value.
> void set_policies(in PolicyNameList policy_names, in ResourceName
>resource_name)
> raises( InvalidResourceName, InvalidPolicyNameList,
>NonExistingPolicy );
>
> //## Operation: add_policies
> //## Documentation:
> // The policies identified by PolicyNameList is
> // associated with the secured resource identified by
> // the ResourceName. If the PolicyName is NO_ACCESS_
> // POLICY, then all policies are removed for the
> // resource.
>
> // Preconditions:
> // 1. "policy_names" has a valid value.
> // 2. All policy named by "policy_names" exist in this
> // policy evaluator.
> // 3. "resource_names" has a valid value.
>
> // Postcondition:
> // "resource_name".applied_policy_names == union
> // ("resource_name".applied_policy_names, "policy_
> // names")
> void add_policies(in PolicyNameList policy_names, in ResourceName
>resource_name)
> raises( InvalidPolicyNameList, NonExistingPolicy,
>InvalidResourceName );
>
> //## Operation: list_policies
> //## Documentation:
> // A list of all existing PolicyNames is returned to
> // the client.
>
> // No preconditions.
>
> // Postcondition:
> // return == all_existing_policy_names.
> PolicyNameList list_policies();
>
> //## Operation: set_default_policy
> //## Documentation:
> // The policy identified by PolicyName is associated
> // (as default) with any secured resource which has
> // not yet been assigned an access policy.
>
> // Preconditions:
> // 1. Policy named by "policy_name" exists in this
> // policy evaluator.
> PolicyName set_default_policy(in PolicyName policy_name)
> raises( NonExistingPolicy );
> };
>
> //## PolicyEvaluator Documentation:
> // The PolicyEvaluator interface is used to obtain an
> // access decision based on an encapsulated policy for
> // the ResourceName/operation when provided a list of
> // effective Security Attributes for the requestor.
> // This submission provides a framework for the
> // support of one or more policy evaluators for a
> // single resource.
>
> interface PolicyEvaluator {
>
> //## Association:
> //## Documentation:
> // If the PolicyEvaluator has an associated
> // administrative interface, it can be obtained via
> // this attribute. If an administrative interface is
> // not available for this evaluator, this attribute
> // will be nil.
> readonly attribute PolicyEvaluatorAdmin pe_admin;
>
> // Operations
>
> //## Operation: evaluate
> //## Documentation:
> // A single access decision is requested based on
> // access policy(s) this evaluator determines is
> // appropriate for the named resource. The decision is
> // based on the ResourceName, the operation, and the
> // effective Security Attributes. The SecAttributes
> // passed to the AccessDecision object by the client
> // in access_allowed() may have been modified by the
> // DynamicAttributeService get_dynamic_attributes()
> // method before the PolicyEvaluator is called. The
> // DecisionResult is a ternary result. The Decision
> // Result is as follows:
>
> // ACCESS_DECISION_ALLOWED: the policy evaluated for
> // this ResourceName, operation and Attribute list
> // indicates that access is ALLOWED.
>
> // ACCESS_DECISION_NOT_ALLOWED: the policy evaluated
> // for this ResourceName, operation and Attribute list
> // indicates access is NOT_ALLOWED.
>
> // ACCESS_DECISION_UNKNOWN: the policy evaluated for
> // this ResourceName, operation and Attribute list
> // indicates an access decision cannot be made.
>
> // Preconditions:
> // 1. "resource_name" is valid.
> // 2. "operation" is valid.
>
> // Post-conditions:
> // return == authorization decision for the requested
> // operation on the specified resource name by a
> // principal with the specified security attributes.
> DecisionResult evaluate(in ResourceName resource_name, in Operation
>operation, in AttributeList attribute_list)
> raises( InvalidResourceName, InvalidOperationName );
>
> };
>
>
> struct NamedPolicyEvaluator {
> string evaluator_name;
> PolicyEvaluator policy_evaluator;
> };
>
> //## PolicyEvaluatorList Documentation:
> // A PolicyEvaluatorList is a sequence of Policy
> // Evaluator object references. The PolicyEvaluator
> // Admin interface allows the association of lists of
> // PolicyEvaluators with a ResourceNamePattern. This
> // type is used as an input parameter in the add_
> // evaluators(), replace_evaluators(), and set_default_
> // evaluators() methods of this interface. See also
> // PolicyDecisionEvaluators below for additional usage.
>
> // A valid datum element of type PolicyEvaluatorList
> // is a one which:
> // 1. is not empty, and
> // 2. contains only valid sub-elements.
>
> typedef sequence<NamedPolicyEvaluator> PolicyEvaluatorList;
>
>
> //## PolicyEvalautorNameClash Documentation:
> // This exceptions is raised when a named policy
> // evaluator, provided as a part of an operation
> // argument, has the same value of its data member
> // evalautor_name but different value of its data
> // member policy_evalautor as some other named policy
> // evalautor associated or to be associated (after the
> // current operation was supposed to complete) with a
> // resource name pattern. Such a situation is called
> // here as "evalautor name clash."
>
> exception PolicyEvalautorNameClash {
> NamedPolicyEvaluator new_evaluator;
> NamedPolicyEvaluator known_evalautor;
> };
>
> //## InvalidPolicyEvaluatorList Documentation:
> // This exception is raised when a policy evalautor
> // list, passed as a part of an operation arguments,
> // is invalid. Please refer to the specification of
> // PolicyEvalautorList data type for a description of
> // valid PolicyEvalautorLis datum elements of that.
>
> exception InvalidPolicyEvaluatorList {
> //## Association:
> //## Documentation:
> // First named policy evalautor in the invalid list
> // which caused the list to be invalid. If the value
> // of this data member is nil than the list is invalid
> // not because of a particular element, but because of
> // some other reason (for example, because the list is
> // empty).
> NamedPolicyEvaluator first_invalid_element;
> };
>
> //## DecisionCombinator Documentation:
> // The DecisionCombinator interface is used to combine
> // the decisions of multiple PolicyEvaluators.
> // Combinators may be provided with different
> // behaviors. A combinator that supported an "ANY"
> // policy would return TRUE if any of PolicyEvaluators
> // returned ACCESS_DECISION_ALLOWED. A combinator that
> // supported an "ALL" policy would return TRUE only if
> // all of PolicyEvaluators returned ACCESS_DECISION_
> // ALLOWED.
> // DecisionCombinators may also be arbitrarily
> // complex(although the initial submission doesn?t
> // fully support this). A default combinator may be
> // used for all access decisions, or combinators may
> // be chosen specifically for access decisions on
> // specific secured resources. The submitters have
> // agreed that complex combinators (wishing to apply
> // precedence) may require more information than what
> // is currently passed in the DecisionResultList. It
> // is, however, still an issue of exactly what would
> // be useful in the general case as additional
> // parameters to the DecisionCombinator. This issue
> // will be addressed in the final submission.
>
> interface DecisionCombinator {
> //## Operation: combine_decisions
> //## Documentation:
> // The DecisionCombinator takes the list of evaluators
> // as well as resource name, operation and security
> // attributes and returns a boolean result. This is
> // the result that will be returned by the Access
> // Decision object to the original client of the HRAC
> // facility.
>
> // Preconditions:
> // 1. "resource_name" is valid.
> // 2. "operation" is valid.
> // 3. "policy_evaluator_list" is valid.
>
> // Postconditions.
> boolean combine_decisions(in PolicyEvaluatorList policy_evaluator_list,
>in ResourceName resource_name, in Operation operation, in AttributeList
>attribute_list)
> raises( InvalidResourceName, InvalidOperationName,
>InvalidPolicyEvaluatorList );
> };
>
> //## PolicyDecisionEvaluators Documentation:
> // The PolicyDecisionEvaluators struct contains a
> // PolicyEvaluatorList and the DecisionCombinator.
> // This is the type returned from the get_policy_
> // decision_evaluators() method of the
> // PolicyEvaluatorLocator interface. This structure
> // contains the references of all the objects that
> // must be consulted by the ADO during an access
> // decision.
>
> struct PolicyDecisionEvaluators {
> PolicyEvaluatorList policy_evaluator_list;
> DecisionCombinator decision_combinator;
> };
>
> //## NonregisteredResourceNamePattern Documentation:
> // This exceptions is raised when a resource name
> // pattern, provided as an operation argument, has not
> // been registered via operation register_resource_
> // name_pattern() on the corresponding object instance.
>
> exception NonregisteredResourceNamePattern {};
>
> //## PolicyEvaluatorLocatorAdmin Documentation:
> // The PolicyEvaluatorLocatorAdmin interface is used
> // to associate PolicyEvaluators with a ResourceName.
> // The object is also used to associate the
> // appropriate DecisionCombinator with the Resource
> // Name. This submission provides a framework for the
> // support of one or more policy evaluators for a
> // single resource.
>
> interface PolicyEvaluatorLocatorAdmin {
> //## Operation: add_evaluators
> //## Documentation:
> // A list of PolicyEvaluators is added to the list of
> // evaluators for the named resource. These evaluators
> // will be in the list of PolicyEvaluators returned by
> // the PolicyEvaluatorLocator get_policy_decision_
> // evaluators() method. The addition of evaluators to
> // a ResourceName which previously had none results in
> // the added list of evaluators being the only
> // evaluators consulted on an access decision (system
> // default evaluators are no longer consulted unless a
> // system default evaluator is a member of the added
> // list).
>
> // Preconditions:
> // 1. "resource_name_pattern" is valid.
> // 2. "resource_name_pattern" is registered with this
> // instance of PolicyEvaluatorLocatorAdmin.
> // 3. policy_evaluator_list is valid
> // 4. No element from policy_evaluator_list
> // introduces "evaluator name clash" (see
> // specification of it in the description of Policy
> // EvalautorNameClash exception).
>
> // Postconditions:
> // 1. resource_name_pattern.registered_evaluator_list
> // == union (policy_evaluator_list, resource_name_
> // pattern.registered_evaluator_list)
> void add_evaluators(in PolicyEvaluatorList policy_evaluator_list, in
>ResourceNamePattern resource_name_pattern)
> raises( InvalidResourceNamePattern,
>NonregisteredResourceNamePattern, InvalidPolicyEvaluatorList,
>PolicyEvalautorNameClash );
>
> //## Operation: set_evaluators
> //## Documentation:
> // A list of PolicyEvaluators is assigned for the
> // named resource. If the resource had existing Policy
> // Evaluators assigned, they are removed and the
> // entire list is replaced with the ones provided in
> // this method. The replacement of evaluators for a
> // resource which previously had none results in the
> // added list of evaluators being the only evaluators
> // consulted on an access decision (system default
> // evaluators are no longer consulted unless a system
> // default evaluator is a member of the replacement
> // list).
>
> // These evaluators will be the PolicyEvaluators
> // returned by the PolicyEvaluatorLocator get_policy_
> // decision_evaluators() method.
>
> // Preconditions.
> // 1. "resource_name_pattern" is valid.
> // 2. "resource_name_pattern" is registered with this
> // instance of PolicyEvaluatorLocatorAdmin.
> // 3. No element from policy_evaluator_list
> // introduces "evaluator name clash" (see
> // specification of it in the description of Policy
> // EvalautorNameClash exception).
>
> // Postconditions:
> // resource_name_pattern.registered_evaluator_list
> // == policy_evaluator_list
> void set_evaluators(in PolicyEvaluatorList policy_evaluator_list, in
>ResourceName resource_name)
> raises( InvalidResourceNamePattern,
>NonregisteredResourceNamePattern, PolicyEvalautorNameClash );
>
> //## Operation: set_default_evaluators
> //## Documentation:
> // The list of PolicyEvaluators provided is set as the
> // default evaluators for any ResourceName for which
> // PolicyEvaluators have not been explicitly assigned.
> // Default evaluators are overridden by the add_
> // evaluators() or replace_evaluators() methods. The
> // default evaluators will be returned by the Policy
> // EvaluatorLocator get_policy_decision_evaluators()
> // method when no PolicyEvaluators have been
> // explicitly assigned for a ResourceName.
>
> // Precondition:
> // 1. policy_evaluator_list is valid
> // 2. No element from policy_evaluator_list
> // introduces "evaluator name clash" (see
> // specification of it in the description of Policy
> // EvalautorNameClash exception).
>
> // Postcondition:
> // default_evaluators == policy_evaluator_list
> PolicyEvaluatorList set_default_evaluators(in PolicyEvaluatorList
>policy_evaluator_list)
> raises( InvalidPolicyEvaluatorList, PolicyEvalautorNameClash );
>
> //## Operation: set_combinator
> //## Documentation:
> // A DecisionCombinator is specified for the named
> // resource. This combinator will be returned by the
> // PolicyEvaluatorLocator get_policy_decision_
> // evaluators() method. The DecisionCombinator
> // provided replaces any previous combinator specified
> // for the secured resource.
>
> // Preconditions:
> // 1. "resource_name_pattern" is valid.
> // 2. "resource_name_pattern" is registered with this
> // instance of PolicyEvaluatorLocatorAdmin.
>
> // Postcondition:
> // resource_name_pattern.combinator == decision_
> // combinator
> void set_combinator(in DecisionCombinator decision_combinator, in
>ResourceName resource_name)
> raises( InvalidResourceNamePattern,
>NonregisteredResourceNamePattern );
>
> //## Operation: set_default_combinator
> //## Documentation:
> // The DecisionCombinator provided is set as a
> // default. This combinator is now the combinator used
> // when a DecisionCombinator has not been explicitly
> // specified for a secured resource. This combinator
> // will be returned by the PolicyEvaluatorLocator get_
> // policy_decision_evaluators()
> // method for these resources
>
> // No preconditions.
>
> // Postcondition:
> // default_.combinator == decision_combinator.
> void set_default_combinator(in DecisionCombinator decision_combinator);
>
> //## Operation: delete_evaluators
> //## Documentation:
> // A list of PolicyEvaluators is deleted from the list
> // of evaluators for the named resource. These
> // evaluators will not be in the list of Policy
> // Evaluators returned by the PolicyEvaluatorLocator
> // get_policy_decision_evaluators() method. The
> // deletion of evaluators from a ResourceNameGroup
> // which were not assigned to this group results in an
> // exception raised.
>
> // Preconditions:
> // 1. "resource_name_pattern" is valid.
> // 2. "resource_name_pattern" is registered with this
> // instance of PolicyEvaluatorLocatorAdmin.
> // 3. "policy_evaluator_list" is valid
>
> // Postconditions:
> // 1. for the "resource_name_pattern" : resource_name_
> // pattern.registered_evaluator_list = resource_name_
> // pattern.registered_evaluators - "policy_evaluator_
> // list"
> void delete_evaluators(in PolicyEvaluatorList policy_evaluator_list, in
>ResourceNamePattern resource_name_pattern)
> raises( InvalidResourceNamePattern,
>NonregisteredResourceNamePattern, InvalidPolicyEvaluatorList );
>
> //## Operation: delete_combinator
> //## Documentation:
> // A DecisionCombinator is specified for the named
> // resource. This combinator will be returned by the
> // PolicyEvaluatorLocator get_policy_decision_
> // evaluators() method. The DecisionCombinator
> // provided replaces any previous combinator specified
> // for the secured resource.
>
> // Precondition:
> // 1. "resource_name_pattern" is valid.
> // 2. "resource_name_pattern" is registered with this
> // instance of PolicyEvaluatorLocatorAdmin.
>
> // Postcondition:
> // Resource names matching only "resource_name_
> // pattern" will be associated with the efault
> // combinator.
> void delete_combinator(in ResourceNamePattern resource_name_pattern)
> raises( InvalidResourceNamePattern,
>NonregisteredResourceNamePattern );
>
> //## Operation: get_default_combinator
> //## Documentation:
> // The default DecisionCombinator is returned.
>
> // No preconditions.
>
> // Postcondition:
> // return == default_combinator.
> DecisionCombinator get_default_combinator();
>
> //## Operation: get_evaluators
> //## Documentation:
> // Returns evaluators for the given pattern.
>
> // Preconditions:
> // 1. "resource_name_pattern" is valid.
> // 2. "resource_name_pattern" is registered with this
> // instance of PolicyEvaluatorLocatorAdmin.
>
> // Postconditions:
> // return == "resource_name_pattern".registered_
> // evalautor_list
> PolicyEvaluatorList get_evaluators(in ResourceNamePattern
>resource_name_pattern)
> raises( InvalidResourceNamePattern,
>NonregisteredResourceNamePattern );
>
> //## Operation: get_combinator
> //## Documentation:
> // Returns decision combinator for the given pattern.
>
> // Preconditions:
> // 1. "resource_name_pattern" is valid.
> // 2. "resource_name_pattern" is registered with this
> // instance of PolicyEvaluatorLocatorAdmin.
>
> // Postconditions:
> // return == "resource_name_pattern".registered_
> // decision_combinator
> DecisionCombinator get_combinator(in ResourceNamePattern pattern)
> raises( InvalidResourceNamePattern,
>NonregisteredResourceNamePattern );
>
> //## Operation: register_resource_name_pattern
> //## Documentation:
>
> // Registers a resource name pattern with the instance
> // of a policy evaluator.
>
> // Preconditions:
> // 1. "resource_name_pattern" is valid.
> // 2. "resource_name_pattern" is not registered yet.
>
> // Postconditions:
> // 1. "resource_name_pattern" is registered.
> void register_resource_name_pattern(in ResourceNamePattern pattern)
> raises( InvalidResourceNamePattern, RegisteredResourceNamePattern
>);
>
> //## Operation: unregister_resource_name_pattern
> //## Documentation:
> // Unregisteres a resource name pattern with the
> // instance of a policy evaluator.
>
> // Preconditions:
> // 1. "resource_name_pattern" is valid.
> // 2. "resource_name_pattern" is registered with this
> // object instance.
>
> // Postconditions:
> // 1. "resource_name_pattern" is unregistered.
> void unregister_resource_name_pattern(in ResourceNamePattern
>resoource_name_pattern)
> raises( InvalidResourceNamePattern,
>NonregisteredResourceNamePattern );
> };
>
> //## PolicyEvaluatorLocator Documentation:
> // The PolicyEvaluatorLocator interface is used to
> // locate the PolicyEvaluators and the Decision
> // Combinator associated with a ResourceName. This
> // submission provides a framework for the support of
> // one or more policy evaluators for a single resource.
>
> interface PolicyEvaluatorLocator {
> readonly attribute PolicyEvaluatorLocatorAdmin pel_admin;
>
> // Operations
>
> //## Operation: get_policy_decision_evaluators
> //## Documentation:
> // A PolicyDecisionEvaluators structure which contains
> // a list of PolicyEvaluator object references and the
> // DecisionCombinator object reference for the
> // resource is returned to the client.
>
> // Preconditions:
> // 1. "resource_name" is valid.
>
> // Postconditions:
> // The returned references are not null.
>
> // Note: If the references turn out to be invalid,
> // there has to be a way to configure the ADO via its
> // admin interface to handle such situations according
> // to the enterprise policies.
> PolicyDecisionEvaluators get_policy_decision_evaluators(in ResourceName
>resource_name)
> raises( InvalidResourceName );
> };
>
> //## AccessDecision Documentation:
> // The Access Decision object is used to request
> // decisions on access based on a ResourceName, an
> // Operation, and a list of SecAttributes. This
> // submission provides a framework for the support of
> // many policy evaluators. It is out of the scope of
> // this submission to mandate how policy is defined or
> // evaluated using the information provided by the
> // client at the time access decisions are requested.
> // This is the only interface that is necessary for a
> // client to be familiar with in order to obtain
> // access decisions from the HRAC.
>
> interface AccessDecision {
> attribute AccessDecisionAdmin admin;
>
> // Operations
>
> //## Operation: access_allowed
> //## Documentation:
> // A single access decision is requested and the
> // result is returned as a boolean.
>
> // Preconditions:
> // 1. "resource_name" is valid.
> // 2. "operation" is valid.
>
> // Postconditions:
> // return == authorization decision for the requested
> // operation on the specified resource name by a
> // principal with the specified security attributes.
> boolean access_allowed(in ResourceName resource_name, in Operation
>operation, in AttributeList attribute_list)
> raises( InvalidResourceName, InvalidOperationName, RadInternalError
>);
>
> //## Operation: multiple_access_allowed
> //## Documentation:
> // Multiple access decisions are requested in a single
> // method invocation and a sequence of booleans are
> // returned. The boolean sequence maps one to one in
> // the same order to the provided sequence of Resource
> // Name/operation pairs.
>
> // Preconditions:
> // 1. All elements of "access_request" are valid
>
> // Postconditions:
> // 1. The length of the returned list is the same as
> // of "access_requests" list.
> // 1. Each element of the returned list is an
> // authorization decision for the corresponding
> // request in the "access_requests" list. I.e. first
> // element of the returned list is an authorization
> // decision for the first element of
> // access_request", and so on.
> BooleanList multiple_access_allowed(in AccessDefinitionList
>access_requests, in AttributeList attribute_list)
> raises( InvalidAccessRequestList );
> };
>
> //## AccessDecisionAdmin Documentation:
> // Administration interface for AccessDecision
>
> interface AccessDecisionAdmin {
> attribute DynamicAttributeService dynamic_attribute_service;
> attribute PolicyEvaluatorLocator policy_evaluator_locator;
> };
>
>};
>
>#endif
>
>
>
>
>----------------
>Broadcast message to hrac-rfp from blakley@us.ibm.com.
>Go to http://cadse.cs.fiu.edu/omg/hrac-rfp to browse the mail list archive.
>
_________________________________________________________
Carol Burt 2AB, Inc.
cburt@2ab.com Integration Architects
205-621-7455 www.2ab.com
Member, OMG Architecture Board OMG Domain Member
-- integrating yesterday's systems with today's technology --
----------------
Broadcast message to hrac-rfp from Carol Burt <cburt@2ab.com>.
Go to http://cadse.cs.fiu.edu/omg/hrac-rfp to browse the mail list archive.