Obligations and advice

Obligations and advice are additional control elements that can be attached to rules, policies, or policy sets to enforce specific actions or provide additional information in response to access control decisions. They provide a mechanism for enforcing policies beyond simple authorization decisions.

rule {
    deny
    condition not(booleanOneAndOnly(Attributes.careRelationExists))
    on permit {
        obligation ObligationAdvice.notifyPatient {
            Attributes.message = "Your record was accessed"
            Attributes.notificationRecipient = Attributes.patientId
        }
        obligation ObligationAdvice.logAccess
    }
    on deny {
        advice ObligationAdvice.reasonForDeny {
            Attributes.message = "There is no care relation"
        }
    }
}

  • Obligations

    Obligations represent mandatory actions that must be performed when a specific condition or decision is met. They are typically associated with permit decisions, ensuring that certain actions are taken when access is granted. For instance, an obligation might require logging access to a sensitive resource, providing notification to the resource owner, or updating access control records.

  • Advice

    Advice, on the other hand, represents optional suggestions or information that can be provided when a specific condition or decision is met. It is commonly associated with deny decisions, offering explanations or guidance regarding the denied access. For instance, advice might provide a reason for the denial, suggest alternative actions, or offer additional context for understanding the decision.

The on permit and on deny keywords are used to specify the context in which the obligation or advice should apply. For instance, an obligation might be triggered when access is permitted to a specific resource, while advice might be provided when access is denied to a sensitive document.

Obligations and advice are defined using the obligation and advice keywords respectively, followed by the name of the obligation or advice. This name must be associated with a previously declared obligation or advice definition. For details, read the Obligation and advice declarations section.

Attribute assignments

An obligation or advice may optionally contain attribute assignments. In the example above, the logAccess obligation lacks an attribute assignment, whereas the other obligations and advice include at least one.

Attribute assignments provide a mechanism for injecting relevant parameters into the obligations or advice, making them more personalized and actionable. The reasonForDeny advice contains a message explaining the reason for the denied access. If access had been permitted, a notification would be sent to the patient, and the obligation would include the ID of the patient to receive the notification and the message contained in the notification.
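The following is an added example, not part of the original page: it shows the obligation, advice and attribute declarations that the snippet above refers to, together with a policy that splits the logic into a permit rule carrying the obligations and a deny rule carrying the advice. The namespace names, attribute ids, URIs and the policy itself are assumptions chosen for this example.

```alfa
// Added example (not from the original page): declarations behind the snippet
// above plus a policy that uses them. Names, ids and URIs are assumptions.
namespace ObligationAdvice {
    obligation notifyPatient = "urn:example:obligation:notifyPatient"
    obligation logAccess     = "urn:example:obligation:logAccess"
    advice     reasonForDeny = "urn:example:advice:reasonForDeny"
}

namespace Attributes {
    // true when the requesting clinician has a care relation with the patient
    attribute careRelationExists {
        category = subjectCat
        id       = "urn:example:subject:care-relation-exists"
        type     = boolean
    }
    attribute patientId { category = resourceCat id = "urn:example:resource:patient-id" type = string }
    // parameters carried inside the obligation or advice back to the PEP
    attribute message { category = environmentCat id = "urn:example:obligation:message" type = string }
    attribute notificationRecipient { category = environmentCat id = "urn:example:obligation:recipient" type = string }
}

namespace example {
    policy patientRecordAccess {
        apply firstApplicable
        // obligations sit on the permit rule and advice on the deny rule,
        // so each is returned only with the decision it belongs to
        rule permitWithCareRelation {
            permit
            condition booleanOneAndOnly(Attributes.careRelationExists)
            on permit {
                obligation ObligationAdvice.notifyPatient {
                    Attributes.message = "Your record was accessed"
                    Attributes.notificationRecipient = Attributes.patientId
                }
                obligation ObligationAdvice.logAccess
            }
        }
        rule denyWithoutCareRelation {
            deny
            on deny {
                advice ObligationAdvice.reasonForDeny {
                    Attributes.message = "There is no care relation"
                }
            }
        }
    }
}
```

With firstApplicable, a request that carries careRelationExists = true is permitted with both obligations attached; any other request falls through to the deny rule and receives the reasonForDeny advice.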