[keycloak-dev] Permission and Obligation

Anil Saldanha asaldanha1947 at gmail.com
Fri Oct 27 09:28:30 EDT 2017


Pedro - if you are able to use a better term than “obligation”, then you will have success in adoption. 

XACML obligations are least understood and not very well used. I never liked them unfortunately. :-(

Maybe “condition”, “requirement” or a better term?

Ensure that these are sent from PDP to PEP.

This is an important construct that has a potential to confuse users. In my view, this is a hack in the enforcement model that xacml tries to solve. *my opinion only*


> On Oct 26, 2017, at 3:08 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
> 
> Hi,
> 
> This is about https://issues.jboss.org/browse/KEYCLOAK-5728.
> 
> The idea is to allow policies to push information to a policy enforcer (PEP)
> in order to enrich the final decision if a resource can be accessed or not.
> 
> In XACML there is a well known concept called Obligation, which can be used
> to pass information to a policy enforcer in order to take some action or
> verify something before granting or denying access to a resource.
> 
> Suppose you have a JS policy and want to push obligations when evaluating a
> permission:
> 
> if (someCondition) {
>    var permission = $evaluation.getPermission();
>    permission.addObligation('transfer.limit', '200');
> }
> 
> On the resource server side, you will be able to obtain *transfer.limit*
> and check whether a request satisfies the obligation.
> 
> Any comments?
> 
> Regards.
> Pedro Igor
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
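The round trip Pedro describes, as an added illustration that is not part of the thread or of Keycloak's code: the `$evaluation` / `addObligation` API and the `transferPolicy`, `enforce` and `obligationHandlers` names are mocked assumptions. The policy side attaches the `transfer.limit` obligation; the resource-server side checks the request against it and denies when it meets an obligation it has no handler for.

```javascript
// Added illustration of the obligation flow discussed above. The
// $evaluation object and addObligation() are a mock of the proposed API,
// not Keycloak's implementation.

// --- Policy side (PDP): a JS policy attaches obligations to a permission.
function makeEvaluation(context) {
  const permission = { obligations: {} };
  permission.addObligation = (key, value) => { permission.obligations[key] = value; };
  return { context, getPermission: () => permission };
}

function transferPolicy($evaluation) {
  // Hypothetical rule: callers without the "vip" role get a per-transfer limit.
  if (!$evaluation.context.roles.includes('vip')) {
    const permission = $evaluation.getPermission();
    permission.addObligation('transfer.limit', '200');
  }
  return $evaluation.getPermission();
}

// --- Resource-server side (PEP): one handler per obligation key it understands.
const obligationHandlers = {
  // A non-numeric amount yields NaN, and NaN <= limit is false, so it is denied.
  'transfer.limit': (value, request) => Number(request.amount) <= Number(value),
};

// Grant only if every obligation attached to the permission is satisfied.
// Fail closed: an obligation the enforcer cannot interpret cannot be honoured,
// so the request is denied (the same rule XACML imposes on a PEP).
function enforce(permission, request) {
  for (const [key, value] of Object.entries(permission.obligations)) {
    const handler = obligationHandlers[key];
    if (!handler || !handler(value, request)) return { granted: false, failed: key };
  }
  return { granted: true, failed: null };
}

// Constructed sample requests.
const userGrant = transferPolicy(makeEvaluation({ roles: ['user'] }));
const vipGrant = transferPolicy(makeEvaluation({ roles: ['vip'] }));
console.log(enforce(userGrant, { amount: 150 })); // { granted: true, failed: null }
console.log(enforce(userGrant, { amount: 500 })); // { granted: false, failed: 'transfer.limit' }
console.log(enforce(vipGrant, { amount: 500 }));  // { granted: true, failed: null }
```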