Re: [keycloak-dev] Permission and Obligation

Pedro - if you are able to use a better term than “obligation”, then you will have success in adoption. XACML obligations are least understood and not very well used. I never liked them unfortunately. :-( Maybe “condition”,”requirement” or a better term? Ensure that these are sent from PDP to PEP. This is an important construct that has a potential to confuse users. In my view, this is a hack in the enforcement model that xacml tries to solve. *my opinion only* > On Oct 26, 2017, at 3:08 PM, Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: > > Hi, > > This is about https://issues.jboss.org/browse/KEYCLOAK-5728. > > The idea is allow policies to push information to a policy enforcer (PEP) > in order to enrich the final decision if a resource can be accessed or not. > > In XACML there is a well known concept called Obligation, which can be used > to pass information to a policy enforcer in order to take some action or > verify something before granting or denying access to a resource. > > Suppose you have a JS policy and want to push obligations when evaluating a > permission: > > if (someCondition) { > var permission = $evaluation.getPermission(); > permission.addObligation('transfer.limit', '200'); > } > > On the resource server side, you will be able to obtain *transfer.limit* > and check whether a request satisfy the obligation. > > Any comments ? > > Regards. > Pedro Igor > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev