42
Copyright © 2012 Open Geospatial Consortium
7.3.4 Deny XACML authorization decision response with rewrite-obligations
Figure 15 illustrates the information flow in cases where the Context Handler receives a deny XACML authorization decision response with rewrite-obligations. Unlike the opaque rewriting approach introduced in the previous subsection, the rewritten request is not forwarded directly to the service. Instead, the subject is informed about the denial of its intended interaction through an OWS exception report. In addition to the deny information, this report contains the rewritten version of the originally submitted WFS request. The subject can now choose to use the rewritten request instead of its former request, to cancel the intended interaction, or to define a new request from scratch. The advantage of using the rewritten request is that it represents the intersection of the originally intended, but not fully permitted, request and the set of interactions authorised for this subject. Hence it is a proposal, generated automatically by the access control system, that is as close as possible to the original intention while still compliant with the access control policy in place.
[Figure 15 (sequence diagram): participants Subject, PEP, Context Handler, PDP and WFS. Messages: XACML Authorisation Decision Request (ADR); XACML Authorisation Decision Response: DENY containing rewrite-obligations; process obligations / rewrite ADR; modified ADR / WFS request; OWS Exception Report: access denied, modified WFS request; modified WFS request; XACML Authorisation Decision Request (ADR); XACML Authorisation Decision Response; modified WFS request forwarded to the WFS; WFS response.]
Figure 15: Information flow in case of a deny XACML authorization decision response with rewrite-obligations
Figure 15 also visualizes the situation where the subject uses the proposed rewritten request and submits it to the service. For the second access control phase one can, for example, define a special subtree in the policy that checks whether the intercepted request was digitally signed by the access control system, i.e. whether it was generated by the access control system in a previous access control process, and whether the time stamp associated with the signature lies within a certain range. If this is the case, the access control system knows without further evaluation that the intercepted request is authorised.
OGC 11-086r1r1
The insertion of entries into the repository containing the digital signatures and the assignment of their validity period can be realised either by adding appropriate PIP-control-obligations to a deny rule element containing rewrite-obligations, or implicitly through an appropriately implemented Obligation Handler.
The augmentation of the ADRs by this information can happen by default, through the Context Handler, or it can be controlled by the policy through the XACML missing-attribute mechanism or through PIP-control-obligations.
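The following simulation is an added example, not code from the OGC document or any reference implementation. It models the Figure 15 flow described above together with the signature repository of the preceding paragraph: the PDP denies a partially permitted GetFeature request with a rewrite-obligation, the PEP/Context Handler signs the rewritten request, records the signature with a validity period and returns it in an exception report, and on resubmission a dedicated "signature subtree" permits the request without further evaluation. All names, the dict-based request model, the HMAC signature, the 300 s validity period and the policy data are constructed assumptions; the document only states that the request is digitally signed and that the time stamp must lie within a certain range.

```python
# Added example (not from the OGC document): minimal simulation of the Figure 15
# flow. Data shapes, the HMAC-based signature, the 300 s validity period, the policy
# data and all function names are constructed assumptions.
import hashlib
import hmac
import json

ACS_KEY = b"constructed-demo-key"                  # assumed signing key of the access control system
SIGNATURE_VALIDITY_SECONDS = 300                   # assumed validity period of a rewritten request
PERMITTED_TYPES = {"alice": {"roads", "rivers"}}   # constructed policy: feature types a subject may read

# Repository filled by the Obligation Handler: signature -> expiry time (seconds).
signature_repository = {}


def canonical(request):
    """Canonical byte form of a WFS request (modelled here as a dict)."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign_request(request, issued_at):
    """Bind the rewritten request to its issue time stamp with an HMAC
    (assumption: the document only says 'digitally signed')."""
    return hmac.new(ACS_KEY, canonical(request) + b"|%d" % issued_at, hashlib.sha256).hexdigest()


def signature_is_valid(adr, now):
    """Second-phase policy subtree: was this request produced by the access control
    system, and is its time stamp still within the validity period?"""
    sig = adr.get("acs_signature")
    if sig is None:
        return False
    expected = sign_request(adr["request"], adr["acs_issued_at"])
    expiry = signature_repository.get(sig)
    return hmac.compare_digest(sig, expected) and expiry is not None and now <= expiry


def pdp_evaluate(adr, now):
    """Toy PDP. Returns the decision, the rule that produced it, and obligations."""
    if signature_is_valid(adr, now):
        return {"decision": "Permit", "via": "signature", "obligations": []}
    requested = set(adr["request"]["typeNames"])
    permitted = PERMITTED_TYPES.get(adr["subject"], set())
    if requested <= permitted:
        return {"decision": "Permit", "via": "policy", "obligations": []}
    allowed = sorted(requested & permitted)   # intersection of intended and authorised
    if not allowed:
        return {"decision": "Deny", "via": "policy", "obligations": []}
    return {"decision": "Deny", "via": "policy",
            "obligations": [{"id": "rewrite", "typeNames": allowed}]}


def wfs_execute(request):
    """Stand-in for the protected WFS."""
    return {"features": [{"typeName": t} for t in request["typeNames"]]}


def pep_handle(adr, now):
    """PEP/Context Handler. Forwards a permitted request to the WFS; on deny with a
    rewrite-obligation it signs the rewritten request, records the signature with
    its validity period and returns an OWS exception report proposing it."""
    decision = pdp_evaluate(adr, now)
    if decision["decision"] == "Permit":
        return "response", {"via": decision["via"], **wfs_execute(adr["request"])}
    report = {"exceptionCode": "AccessDenied"}
    for ob in decision["obligations"]:
        if ob["id"] == "rewrite":
            rewritten = dict(adr["request"], typeNames=ob["typeNames"])
            sig = sign_request(rewritten, now)
            signature_repository[sig] = now + SIGNATURE_VALIDITY_SECONDS
            report.update(proposedRequest=rewritten, acs_signature=sig, acs_issued_at=now)
    return "exception", report


def run_flow(subject, type_names, resubmit_delay=0, tamper=False, now=1_000_000):
    """Subject sends a GetFeature; if the exception report proposes a rewritten
    request, the subject resubmits it after `resubmit_delay` seconds, optionally
    altering it first. Returns the final (kind, payload) pair."""
    adr = {"subject": subject,
           "request": {"service": "WFS", "request": "GetFeature", "typeNames": type_names}}
    kind, payload = pep_handle(adr, now)
    if kind == "response" or "proposedRequest" not in payload:
        return kind, payload
    request = dict(payload["proposedRequest"])
    if tamper:   # a modified proposal must fail the signature check and fall back to normal evaluation
        request["typeNames"] = request["typeNames"] + ["buildings"]
    adr2 = {"subject": subject, "request": request,
            "acs_signature": payload["acs_signature"], "acs_issued_at": payload["acs_issued_at"]}
    return pep_handle(adr2, now + resubmit_delay)


if __name__ == "__main__":
    print(run_flow("alice", ["roads", "buildings"]))                      # permitted via signature
    print(run_flow("alice", ["roads", "buildings"], tamper=True))         # exception report again
    print(run_flow("alice", ["roads", "buildings"], resubmit_delay=600))  # signature expired, policy re-evaluated
```

The signature subtree is deliberately a shortcut, not a replacement for the policy: an altered or expired proposal simply falls through to ordinary evaluation, so the worst outcome of a stale repository entry is one extra PDP round trip rather than an unauthorised access.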
7.3.5 Indeterminate response with missing-attribute information and/or PIP-control-