Obligations – Actions Taken Upon Policy Decision
In addition to controlling access to objects, SPML policies may be used to perform actions based upon the policy outcome. These actions are called obligations. Whether an obligation's action is executed depends upon the outcome of the policy and the configuration of the obligation. An obligation may be configured to execute on an outcome of Permit or Deny. Generally, if the policy containing the obligation evaluates to the specified outcome, then the obligation's action is executed. Trusted RUBIX SPML supports three obligations:
The set-field Obligation: Set the value of a row field during a row SELECT, INSERT, or UPDATE operation. During the SELECT operation the set field will be viewed by the user performing the SELECT and no change is made to the row on disk. During the INSERT and UPDATE operations the set field will be stored on disk. The field may be set from a literal value or from a calculated value, using any SPML function or attribute.
The set-error-code Obligation: Set the error code seen by the user performing an operation. This is useful for hiding the existence of an object. For instance, it allows a "does not exist" error code to be returned instead of an "access denied" error code, where the latter would reveal the existence of the object.
The audit Obligation: Write a custom audit record to the Trusted RUBIX audit trail. The audit record will always include a base set of information. It may optionally include any literal or calculated value, using any SPML function or attribute.
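To show how the three obligations hang off a Permit/Deny outcome, here is an added Python model of the behaviour described above; it is not Trusted RUBIX code and does not use SPML syntax, and every name in it (Obligation, Policy, enforce, the clearance/classification fields, the error codes) is assumed for the illustration. It demonstrates a Deny that is reported as "does not exist" rather than "access denied", a custom audit record written only on Deny, and a set-field that alters the user's view on SELECT but the stored row on UPDATE.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed model of obligations on a policy decision; not Trusted RUBIX code or SPML syntax.
ACCESS_DENIED, DOES_NOT_EXIST = "ACCESS_DENIED", "DOES_NOT_EXIST"

@dataclass
class Obligation:
    on_outcome: str                    # fires when the policy yields this outcome
    action: Callable[[dict], None]     # runs against the request context
@dataclass
class Policy:
    condition: Callable[[dict], bool]  # True -> Permit, False -> Deny
    obligations: list

def set_field(name, compute):
    # SELECT changes only what the user sees; INSERT/UPDATE change the stored row.
    def action(ctx):
        target = ctx["view"] if ctx["op"] == "SELECT" else ctx["row"]
        target[name] = compute(ctx)
    return action
def set_error_code(code):
    def action(ctx):
        ctx["error"] = code
    return action
def audit(extra):  # base fields always written; extra() adds literal/calculated values
    def action(ctx):
        rec = {"user": ctx["user"]["name"], "op": ctx["op"], "outcome": ctx["outcome"]}
        rec.update(extra(ctx))
        ctx["audit"].append(rec)
    return action

def enforce(policy, user, op, row, audit_trail):
    ctx = {"user": user, "op": op, "row": row, "view": dict(row), "audit": audit_trail, "error": None}
    ctx["outcome"] = "Permit" if policy.condition(ctx) else "Deny"
    if ctx["outcome"] == "Deny":
        ctx["error"] = ACCESS_DENIED   # default, unless an obligation overrides it
    for ob in policy.obligations:
        if ob.on_outcome == ctx["outcome"]:
            ob.action(ctx)
    return ctx
# Row-level rule: the user's clearance must dominate the row's classification.
POLICY = Policy(
    condition=lambda c: c["user"]["clearance"] >= c["row"]["classification"],
    obligations=[
        Obligation("Deny", set_error_code(DOES_NOT_EXIST)),  # hide the row's existence
        Obligation("Deny", audit(lambda c: {"classification": c["row"]["classification"]})),
        Obligation("Permit", set_field("last_touched_by", lambda c: c["user"]["name"])),
    ],
)
```

Calling enforce(POLICY, user, "SELECT", row, trail) for a user whose clearance is below the row's classification returns a Deny whose error is DOES_NOT_EXIST and appends one audit record; a permitted SELECT rewrites only the returned view, while a permitted UPDATE rewrites the row itself.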
For more information on the Trusted RUBIX ABAC and its use of obligations, please see the Trusted RUBIX Security Policy Manager Reference Guide.