
2.4.4 Discussion

Compared with the authorisation policies introduced by Imperial College, the passive policies are a superset of them, because an authorisation policy is itself a policy that specifies a constraint: the access right over the state of an object, i.e. the access of a subject to a target. This is only a special case of a passive policy, in which the semantics of the constraint are not limited to access rights. Passive policies may not have a subject, because they mainly describe a state space.

Active policies with implementables can be considered a different view of obligation policies. Active policies are more focused on state transitions than the other policy approaches. Consequently, they explicitly consider postconditions as a description of the desired state after the execution of the implementables. This makes it possible to verify whether an enforcement was successful. Splitting a state transition (i.e., adding an intermediate state) is possible and is part of the policy refinement.

The description of the desired state and the actions to get there could be seen as a more complete description of policies, because it expresses more clearly the goal of a policy. In the case of obligation policies this information can (hopefully) be restored by the policy hierarchy.
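
The relationships discussed in this section, as an added Python example that is not part of the original text: a passive policy is modelled as a constraint over a state, an authorisation policy as the special case whose constraint is an access right, and an active policy as a state transition whose postcondition is checked after the implementables run. All class, function and state names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

State = Dict[str, object]
Constraint = Callable[[State], bool]
Action = Callable[[State], None]

@dataclass
class PassivePolicy:
    """A constraint over the state space; no subject is required."""
    constraint: Constraint
    def holds(self, state: State) -> bool:
        return self.constraint(state)

def authorisation(subject: str, target: str, right: str) -> PassivePolicy:
    """Special case: the constraint is an access right of subject on target."""
    return PassivePolicy(lambda s: (subject, target, right) in s["acl"])

@dataclass
class ActivePolicy:
    """A state transition: precondition, implementables, postcondition."""
    pre: Constraint
    implementables: List[Action]
    post: Constraint
    def enforce(self, state: State) -> bool:
        """Run the implementables, then verify the desired state was reached."""
        if not self.pre(state):
            return False
        for act in self.implementables:
            act(state)
        return self.post(state)

def refine(p: ActivePolicy, mid: Constraint, first: List[Action],
           rest: List[Action]) -> List[ActivePolicy]:
    """Split one transition into two by adding an intermediate state."""
    return [ActivePolicy(p.pre, first, mid), ActivePolicy(mid, rest, p.post)]

# Constructed sample actions and state (hypothetical names).
def install(s: State) -> None:
    s["installed"] = True

def start(s: State) -> None:
    s["running"] = bool(s["installed"])  # starting fails if nothing is installed

def fresh() -> State:
    return {"acl": {("alice", "printer", "use")}, "installed": False, "running": False}

def installed(s: State) -> bool:
    return bool(s["installed"])
```

An `ActivePolicy` whose implementables omit `install` returns `False` from `enforce`, which is the failed-enforcement case the postcondition makes detectable.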


Copyright Munich Network Management Team