XACML 义务 [英] XACML Obligations

问题描述

我们如何在 XACML 中使用义务?任何参考都会有所帮助场景是义务应该引用 PIP 并将结果返回给 PEP

How do we use obligations in XACML? Any reference will be helpful The scenario is that the obligations should refer the PIP and retrun the result to PEP

谢谢

<ObligationExpressions>
    <ObligationExpression ObligationId="EmailObligation" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
            <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="w3.org/2001/XMLSchema#string"/>
        </AttributeAssignmentExpression>
    </ObligationExpression> 
</ObligationExpressions>

推荐答案

XACML 中的义务(以及 XACML 3.0 中引入的 Advice)用于丰富授权流程.

Obligations in XACML (as well as Advice introduced in XACML 3.0) are used to enrich the authorization flow.

典型的 XACML 响应仅包含一个决定(允许、拒绝、不适用或不确定).但是，如果您想告诉用户访问被拒绝的原因怎么办?如果您想实现打破玻璃"场景怎么办?

A typical XACML response only bears a decision (either of Permit, Deny, Not Applicable, or Indeterminate). But, what if you want to tell the user why access is denied? What if you want to implement a "Break the glass" scenario?

这是义务和建议派上用场的地方.以下是一些示例:

This is where obligations and advice come in handy. Here are a few examples:

• 拒绝 Alice 访问文档 D + 义务:给她的经理 Bob 发送电子邮件，让他知道 Alice 试图访问文档 D.
• 拒绝House Doctor 查看病历的权利+义务:告诉Doctor House 他可以打破玻璃"访问病历.
• 允许 Joe 查看文档 D，但在将其返回给 Joe 之前先对文档添加水印

在 XACML 3.0 中，义务和建议可以包含可变部分，例如 - 在上面的示例中 - 经理的电子邮件.这些部分可以从 PIP 中检索.

In XACML 3.0 obligations and advice can have variable parts such as - in the examples above - the manager's email. Those parts can be retrieved from a PIP.

这篇关于XACML 义务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！