The Policy Enforcement Process

The GAA-API returns three status values to describe the policy enforcement process:

  1. authorization status Sa.
    Indicates whether the request is authorized (T), not authorized (GAA_S_NO) or uncertain (GAA_S_MAYBE).

  2. mid-condition enforcement status Sm.
    Indicates the evaluation status of the mid-conditions (GAA_S_YES/GAA_S_NO/GAA_S_MAYBE).

  3. post-condition enforcement status Sp.
    Indicates the evaluation status of the post-conditions (GAA_S_YES/GAA_S_NO/GAA_S_MAYBE).

Initially the status values are set to GAA_S_MAYBE. The policy enforcement process is shown in Figure 1.

The authorization mechanism evaluates the policies against the current system state. The system state is needed to evaluate authorizations that take system variables as parameters. By system state we mean not only information describing a particular computer system, such as system load, network bandwidth consumption and the number of available processors, but also all security-relevant information about the real world that can be represented in a computer system, for example bank account balance, temperature and user identity.
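
The following sketch is an added example, not GAA-API code: it shows the three statuses starting at GAA_S_MAYBE and the authorization status being derived from conditions evaluated against a system state. The types, function names, condition form (`var <= limit`) and sample values are hypothetical, and the rule for combining condition results (NO overrides MAYBE, which overrides YES) is an assumption that this page does not state.

```c
#include <stdio.h>
#include <string.h>

/* Status names as on the page; ordered here so that NO < MAYBE < YES. */
typedef enum { GAA_S_NO, GAA_S_MAYBE, GAA_S_YES } tri_status;
typedef struct { const char *name; double value; } sysvar;    /* one state variable */
typedef struct { const char *var; double limit; } condition;  /* var <= limit */
typedef struct { tri_status sa, sm, sp; } enforcement;        /* Sa, Sm, Sp */

/* A variable missing from the system state cannot be decided: GAA_S_MAYBE. */
static tri_status eval_condition(const condition *c, const sysvar *st, size_t ns) {
    for (size_t i = 0; i < ns; i++)
        if (strcmp(st[i].name, c->var) == 0)
            return st[i].value <= c->limit ? GAA_S_YES : GAA_S_NO;
    return GAA_S_MAYBE;
}

/* Assumed combination rule: the weakest result wins (NO over MAYBE over YES). */
static tri_status eval_all(const condition *cs, size_t nc, const sysvar *st, size_t ns) {
    tri_status result = GAA_S_YES;
    for (size_t i = 0; i < nc; i++) {
        tri_status s = eval_condition(&cs[i], st, ns);
        if (s < result) result = s;
    }
    return result;
}

/* All three statuses start at GAA_S_MAYBE; only Sa is computed in this sketch. */
static enforcement authorize(const condition *pre, size_t np, const sysvar *st, size_t ns) {
    enforcement e = { GAA_S_MAYBE, GAA_S_MAYBE, GAA_S_MAYBE };
    if (np > 0) e.sa = eval_all(pre, np, st, ns);
    return e;
}

/* Constructed sample policy and system states. */
static const condition pre_conds[] = { {"system_load", 0.75}, {"temperature", 30.0} };
static const sysvar full_state[]    = { {"system_load", 0.40}, {"temperature", 21.5} };
static const sysvar partial_state[] = { {"system_load", 0.40} };
static const sysvar busy_state[]    = { {"system_load", 0.90} };

int main(void) {
    static const char *names[] = { "GAA_S_NO", "GAA_S_MAYBE", "GAA_S_YES" };
    printf("full:    Sa=%s\n", names[authorize(pre_conds, 2, full_state, 2).sa]);
    printf("partial: Sa=%s\n", names[authorize(pre_conds, 2, partial_state, 1).sa]);
    printf("busy:    Sa=%s\n", names[authorize(pre_conds, 2, busy_state, 1).sa]);
    return 0;
}
```

A caller that treats an uncertain Sa as a grant would authorize the request whenever a state variable is unavailable, so GAA_S_MAYBE needs an explicit handling path rather than being folded into GAA_S_YES.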