Is it used from policy servers/stores to policy enforcement agents (or applications) to describe their policies (to be enforced)?
The SAML 2.0 Profile of XACML specifies a protocol by which a Policy Enforcement Point (PEP) may request that an XACML Policy Decision Point (PDP) determine whether access is allowed under some set of conditions. It is considered undesirable for a PEP to have to be aware of the semantics of policy. There is a proposed enhancement for XACML 3.0 which would permit a PEP to supply additional policies with the request, which would be combined with policies the PDP already has.

Is it used from policy administration interfaces to policy stores to read/update/commit policies?

XACML 2.0 only specifies the syntax and semantics of access control policy. However, it would be completely straightforward to implement a CRUD interface based on the POSIX file system, WebDAV or something of that sort and protect it using XACML policies. For XACML 3.0, the TC is attempting something more ambitious: the ability to create policies which control what sorts of policies may be created, e.g. policy delegation.
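
The PEP/PDP split and the policy-protected CRUD store described in the two answers above, as an added Python sketch that is not part of the original answers or of any XACML implementation. It uses a simplified in-memory rule model instead of XACML syntax; the roles, paths, and function names are constructed for illustration.

```python
# Added illustration: a simplified model of the PEP/PDP split, not XACML syntax.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed policy, held only by the PDP: who may read or change policy-store entries.
# A rule applies when every attribute in its target matches the request.
POLICY = {
    "combining": "deny-overrides",
    "rules": [
        {"effect": PERMIT, "target": {"action": {"read"},
                                      "role": {"auditor", "policy-admin"}}},
        {"effect": PERMIT, "target": {"action": {"create", "update", "delete"},
                                      "role": {"policy-admin"}}},
        # The root policy may not be changed through this interface by anyone.
        {"effect": DENY, "target": {"action": {"update", "delete"},
                                    "resource": {"/policies/root.xml"}}},
    ],
}

def rule_applies(rule, request):
    return all(request.get(attr) in allowed
               for attr, allowed in rule["target"].items())

def pdp_evaluate(request, policy=POLICY):
    """PDP: combine the effects of all applicable rules into one decision."""
    effects = [r["effect"] for r in policy["rules"] if rule_applies(r, request)]
    if not effects:
        return NOT_APPLICABLE
    if policy["combining"] == "deny-overrides":
        return DENY if DENY in effects else PERMIT
    return effects[0]  # first-applicable

def pep_handle(store, role, action, resource, body=None):
    """PEP: sends attributes, enforces the answer, never inspects the rules."""
    decision = pdp_evaluate({"role": role, "action": action, "resource": resource})
    if decision != PERMIT:  # choice made in this sketch: only Permit grants access
        return 403, decision
    if action == "read":
        return 200, store.get(resource)
    if action == "delete":
        store.pop(resource, None)
    else:  # create or update
        store[resource] = body
    return 200, decision

if __name__ == "__main__":
    demo = {"/policies/root.xml": "<Policy root/>"}
    print(pep_handle(demo, "policy-admin", "delete", "/policies/root.xml"))
```

Because the Deny rule on the root policy overrides the administrator's Permit, the policy store is itself governed by policy, while the PEP code would stay unchanged if the rules were rewritten.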