Question
How do we use obligations in XACML? Any reference will be helpful. The scenario is that the obligations should refer to the PIP and return the result to the PEP.
Thanks
---EDIT--- Example from the author's comment (the DataType URI, which was truncated, is restored to the standard XML Schema string type):
<ObligationExpressions>
  <ObligationExpression ObligationId="EmailObligation" FulfillOn="Permit">
    <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
      <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </AttributeAssignmentExpression>
  </ObligationExpression>
</ObligationExpressions>
Answer 1:
Obligations in XACML (as well as Advice, introduced in XACML 3.0) are used to enrich the authorization flow.
A typical XACML response only bears a decision (one of Permit, Deny, Not Applicable, or Indeterminate). But what if you want to tell the user why access is denied? What if you want to implement a "break the glass" scenario?
This is where obligations and advice come in handy. Here are a few examples:
- Deny Alice access to document D + obligation: email her manager, Bob, to let him know Alice tried to access document D.
- Deny Doctor House the right to view a medical record + obligation: tell Doctor House he can "break the glass" to access the medical record.
- Allow Joe to view document D, but first watermark the document before returning it to Joe.
In XACML 3.0 obligations and advice can have variable parts, such as, in the examples above, the manager's email. Those parts can be retrieved from a PIP.
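To show the PEP side of the question's EmailObligation policy and of this answer, here is an added example (not from the original post or from any XACML implementation) of a small PEP that parses a XACML 3.0 Response, reads the obligation's AttributeAssignment values that the PDP filled in (from a PIP or the request), and enforces the rule that an obligation the PEP cannot understand or fulfill turns the decision into Deny. The Response document and the handler are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"xacml": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
TEXT_ATTR = "urn:oasis:names:tc:xacml:3.0:example:attribute:text"

# Constructed sample: what the PDP returns once the EmailObligation policy
# evaluates to Permit. The subject-id designator has been resolved (here to
# "alice") and copied into the obligation's AttributeAssignment.
SAMPLE_RESPONSE = """
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Obligations>
      <Obligation ObligationId="EmailObligation">
        <AttributeAssignment AttributeId="%s"
            DataType="http://www.w3.org/2001/XMLSchema#string">alice</AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>
""" % TEXT_ATTR

def parse_result(xml_text):
    """Return (decision, [(obligation_id, {attribute_id: value}), ...])."""
    result = ET.fromstring(xml_text).find("xacml:Result", namespaces=NS)
    decision = result.findtext("xacml:Decision", namespaces=NS)
    obligations = []
    for ob in result.iterfind("xacml:Obligations/xacml:Obligation", namespaces=NS):
        assignments = {a.get("AttributeId"): a.text
                       for a in ob.iterfind("xacml:AttributeAssignment", namespaces=NS)}
        obligations.append((ob.get("ObligationId"), assignments))
    return decision, obligations

def enforce(xml_text, handlers):
    """PEP enforcement: every obligation must be known and fulfilled.
    An unknown or failed obligation forces Deny, as XACML requires."""
    decision, obligations = parse_result(xml_text)
    for ob_id, assignments in obligations:
        handler = handlers.get(ob_id)
        if handler is None or not handler(assignments):
            return "Deny"
    return decision

def email_obligation(assignments):
    """Hypothetical handler: a real PEP would email the manager here; this
    one only checks that the subject the email is about was supplied."""
    return assignments.get(TEXT_ATTR) is not None
```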
Source: https://stackoverflow.com/questions/15831574/xacml-obligations