Re: My action items (incomplete)
text added but I'm not sure if it is in the right place. It is added as
part of the explanation of the DecisionCombinator interface.
Also I changed the GRANT and DONT_CARE to
ACCESS_DECISION_ALLOWED and ACCESS_DECISION_UNKNOWN to match the spec
terminology.
At 04:12 PM 2/23/99 -0600, blakley@us.ibm.com wrote:
>
>
>All:
>
>Here are some of my action items:
>
>Provide the text discussion that HRAC is a subset of a reference monitor (RM)
>and thus should propagate exceptions to its clients, who are the other part
>of the RM:
>
>The RAD AccessDecision object sometimes passes exceptions to callers
>indicating that it's encountered an internal error and is not able to make
>an access decision. This is different from the behavior of many operating
>systems, which have a default-deny or a default-grant policy when an internal
>failure occurs, but don't report the failure to their callers. This
>difference arises because RAD is an access decision service, not an access
>control service. In all cases, the application which calls RAD is
>responsible for enforcing the policy decision which RAD makes. Therefore, the
>RAD client application is the right place to make the policy enforcement
>decision about what should be done when RAD is not able to make a policy
>decision.
>
>Explain in the spec why you need evaluator names for DC:
>
>DecisionCombinator objects encapsulate policy combination functions.
>Functions consisting of a global combinator operator are easy to implement;
>an example of such a policy is:
>
> AND ((Evaluator_1 = GRANT), (Evaluator_2 = GRANT), ...)
>
>This policy can be expressed as an application of a global combinator ("AND"
>in this case) to the results returned by ALL the PolicyEvaluator objects
>passed to the DecisionCombinator.
>
>The thing which makes this kind of policy easy to implement is that it's not
>necessary to know anything about the result returned by any specific
>PolicyEvaluator object, and hence the PolicyEvaluator objects can all be
>treated the same and can be called in any order.
>
>The disadvantages of this kind of policy are:
>
> * They aren't very expressive (there are lots of kinds of real-world
>   policies which can't be expressed using only a global combinator)
> * They are inefficient. It's always necessary to call all the
>   PolicyEvaluator objects passed to the DecisionCombinator object in order
>   to make a decision.
>
>An important goal of the DecisionCombinator design is to support complex
>policies which can be efficiently evaluated. A policy like the following
>can't be expressed using only a global combinator, but should be
>implementable as a DecisionCombinator object:
>
> (Evaluator_1 result is GRANT) OR
> ((Evaluator_2 result is GRANT) AND (Evaluator_3 result is (GRANT OR DON'T CARE)))
>
>Note that this policy can be short-circuit evaluated: if the
>DecisionCombinator calls Evaluator_1 and it returns GRANT as a decision
>result, then it doesn't need to call Evaluator_2 and Evaluator_3 at all.
>
>However, in order to support evaluation of this policy, the
>DecisionCombinator object needs to be able to match the PolicyEvaluator
>objects passed to it as input to the formal parameters in this expression.
>This is why the DecisionCombinator interface accepts as input a structure
>containing both a reference to a PolicyEvaluator object and the name of that
>PolicyEvaluator object; it uses the PolicyEvaluator name to figure out which
>evaluators to call in which order; it uses the PolicyEvaluator object's
>reference to call the object and request a decision result, and then it uses
>the PolicyEvaluator object's name again to plug the decision result into the
>policy combinator expression above.
>
>Define semantics of the pattern
>
><in next version of this note>
>
>Specify that we leave for implementors how a policy evaluator locator
>combines evaluators if the resource name matches more than one pattern
>
>If a name matches more than one pattern for which policy evaluators have been
>registered with the PolicyEvaluatorLocator object, the PolicyEvaluatorLocator
>will return the union (without duplicates) of the evaluators on the lists of
>all matched patterns in response to a get_policies request.
>
>Specify how to handle the problem of finding out what combinator should be
>used in case a resource name matches more than one pattern:
>
>If a resource name matches more than one pattern registered with a
>PolicyEvaluatorLocator object, and not all matched patterns specify the same
>DecisionCombinator object, then the PolicyEvaluatorLocator object's
>implementation will return one of the DecisionCombinator objects specified by
>the matched patterns; which of the eligible DecisionCombinator objects is
>returned is up to the implementor.
>
>--bob
>
>Bob Blakley
>IBM Lead Security Architect
>Voice: +1 (512) 838-8133
>Fax: +1 (512) 838-0156
>Post: 11400 Burnet Road, Mail Stop 9134, Austin, TX 78758 USA
>Internet: blakley@us.ibm.com
>
>
>----------------
>Broadcast message to hrac-rfp from blakley@us.ibm.com.
>Go to http://cadse.cs.fiu.edu/omg/hrac-rfp to browse the mail list archive.
>
_________________________________________________________
Carol Burt 2AB, Inc.
cburt@2ab.com Integration Architects
205-621-7455 www.2ab.com
Member, OMG Architecture Board OMG Domain Member
-- integrating yesterday's systems with today's technology --
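The three mechanisms Bob's note describes (a DecisionCombinator that binds PolicyEvaluators by name and short-circuits, a PolicyEvaluatorLocator that unions the evaluators of every matched pattern and picks one combinator, and a client that decides what to do when RAD raises instead of deciding) modelled together in Python. This is added example code, not part of the thread or of the RAD specification's IDL: the policy expression is the one from the note with Carol's ACCESS_DECISION_* names, while the evaluator functions, principals, roles, resource patterns, the boolean result of combine(), and the "first registered match" rule for choosing the combinator are constructed here for illustration (the note leaves that last choice to the implementor).

```python
"""Toy model of the RAD pieces discussed in the note: named PolicyEvaluators, a
short-circuiting DecisionCombinator, a PolicyEvaluatorLocator that unions evaluators
across matched patterns, and a client that fails closed when the service raises.
Hypothetical example code with constructed data; not the spec's IDL."""
from enum import Enum
from fnmatch import fnmatchcase
from typing import Callable, List, Optional, Tuple


class Decision(Enum):                            # PolicyEvaluator results, spec terminology
    ACCESS_DECISION_ALLOWED = "allowed"
    ACCESS_DECISION_NOT_ALLOWED = "not_allowed"
    ACCESS_DECISION_UNKNOWN = "unknown"          # evaluator has no opinion ("don't care")

ALLOWED, NOT_ALLOWED, UNKNOWN = Decision         # the three members, in definition order

class DecisionFailure(Exception):
    """The service cannot decide; propagated to the caller rather than defaulted."""

# (name, object reference) pairs; an evaluator maps (principal, resource) -> Decision
NamedEvaluators = List[Tuple[str, Callable[[str, str], Decision]]]

class DecisionCombinator:
    """Policy: (E1 is ALLOWED) OR ((E2 is ALLOWED) AND (E3 is ALLOWED or UNKNOWN)).
    Names bind the inputs to E1..E3 whatever the list order; references get called."""
    REQUIRED = ("Evaluator_1", "Evaluator_2", "Evaluator_3")

    def __init__(self) -> None:
        self.calls: List[str] = []                   # evaluators the last combine() invoked

    def combine(self, evaluators: NamedEvaluators, principal: str, resource: str) -> bool:
        by_name = dict(evaluators)
        missing = [n for n in self.REQUIRED if n not in by_name]
        if missing:
            raise DecisionFailure(f"policy needs evaluators {missing}")
        self.calls = []

        def ask(name: str) -> Decision:
            self.calls.append(name)
            try:
                return by_name[name](principal, resource)
            except Exception as exc:                 # evaluator broke: surface it, don't guess
                raise DecisionFailure(f"{name} failed: {exc}") from exc

        if ask("Evaluator_1") is ALLOWED:            # short-circuit: E2 and E3 never run
            return True
        return ask("Evaluator_2") is ALLOWED and ask("Evaluator_3") in (ALLOWED, UNKNOWN)

class PolicyEvaluatorLocator:
    """get_policies: union (no duplicates, first-seen order) of the evaluators of all
    matched patterns, plus one matched combinator (here the first registered one)."""

    def __init__(self) -> None:
        self.registry: List[Tuple[str, NamedEvaluators, DecisionCombinator]] = []

    def get_policies(self, resource: str) -> Tuple[NamedEvaluators, DecisionCombinator]:
        union: NamedEvaluators = []
        chosen: Optional[DecisionCombinator] = None
        for pattern, evs, comb in self.registry:
            if not fnmatchcase(resource, pattern):
                continue
            chosen = comb if chosen is None else chosen
            for name, ref in evs:
                if name not in {n for n, _ in union}:
                    union.append((name, ref))
        if chosen is None:
            raise DecisionFailure(f"no policy registered for {resource}")
        return union, chosen

# ---- constructed sample data and evaluators, not from the spec ----
OWNERS = {"/docs/report.txt": "alice"}
ROLES = {"alice": {"staff"}, "bob": {"staff", "auditor"}, "eve": set()}

def owner_evaluator(principal: str, resource: str) -> Decision:
    return ALLOWED if OWNERS.get(resource) == principal else NOT_ALLOWED

def role_evaluator(principal: str, resource: str) -> Decision:
    return ALLOWED if "auditor" in ROLES.get(principal, set()) else NOT_ALLOWED

hours_evaluator = lambda principal, resource: UNKNOWN            # no opinion here

def broken_evaluator(principal: str, resource: str) -> Decision:
    raise RuntimeError("policy store unreachable")               # backing store is down

def build_demo_locator() -> PolicyEvaluatorLocator:
    comb, loc = DecisionCombinator(), PolicyEvaluatorLocator()
    full = [("Evaluator_1", owner_evaluator), ("Evaluator_2", role_evaluator),
            ("Evaluator_3", hours_evaluator)]
    loc.registry.append(("/docs/*", full, comb))
    # overlapping pattern re-registers two names; the union drops the duplicates
    loc.registry.append(("/docs/report.*", [full[2], full[0]], comb))
    loc.registry.append(("/secret/*", [("Evaluator_1", broken_evaluator)] + full[1:], comb))
    return loc

def decide(loc: PolicyEvaluatorLocator, principal: str, resource: str) -> Tuple[bool, List[str], Optional[str]]:
    """The RAD client enforces the decision; when the service cannot decide, it fails closed."""
    comb = None
    try:
        evaluators, comb = loc.get_policies(resource)
        return comb.combine(evaluators, principal, resource), list(comb.calls), None
    except DecisionFailure as exc:
        return False, (list(comb.calls) if comb else []), str(exc)
```

Running decide(build_demo_locator(), "alice", "/docs/report.txt") calls only Evaluator_1 (alice owns the file, so the OR short-circuits); "bob" needs all three, "eve" stops after Evaluator_2 returns NOT_ALLOWED and never calls Evaluator_3. A request under "/secret/*" hits the broken evaluator and the combinator raises DecisionFailure rather than picking a default; it is the client in decide() that turns that into a denial, which is the division of labour the note argues for.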