OWASP / www-project-proactive-controls

OWASP Foundation Web Repository
Creative Commons Attribution Share Alike 4.0 International

enforcement -> descision #39

Closed wurstbrot closed 7 months ago

wurstbrot commented 7 months ago

From my point of view, it is a policy decision point. The enforcement would be the location, e.g. in the Java filter.

katyanton commented 7 months ago

The commit has a typo: Descision instead of Decision.

andreashappe commented 7 months ago

Hi, I believe that "policy enforcement" is the accepted industry term, please see also https://en.wikipedia.org/wiki/Attribute-based_access_control (PEP -> "Policy Enforcement Point").

I am not sure if you are not happy with the term itself or if the term is wrongly used; could you please clarify?

Thanks, Andreas

jmanico commented 7 months ago

The policy enforcement point (PEP) is the place in the code that does the access control check. I advise keeping away from hard-coding roles when it comes to policy enforcement points.

Policy decision points are how all the criteria are used to make an access control decision, the implementation that is called by the PEP.

Fair?
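As an added illustration of the PEP/PDP split described in the comment above (example code, not part of this thread or of the Proactive Controls project): the enforcement point intercepts the request and holds no rules of its own, while the decision point evaluates attributes of subject, action and resource, so no role names are hard-coded at the enforcement point. The `Subject`/`Resource` shapes, the three rules and the sample principals are all constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Subject:            # the caller, described by attributes, not a role name
    user_id: str
    attributes: dict = field(default_factory=dict)

@dataclass(frozen=True)
class Resource:           # the record being accessed
    owner_id: str
    attributes: dict = field(default_factory=dict)

class AccessDenied(Exception):
    pass

class PolicyDecisionPoint:
    """PDP: the one place that knows the rules, all stated over attributes of
    subject, action and resource. Anything no rule matches is denied."""

    def decide(self, subject: Subject, action: str, resource: Resource) -> bool:
        sa, ra = subject.attributes, resource.attributes
        # Owners may read and update their own record.
        if subject.user_id == resource.owner_id and action in ("read", "update"):
            return True
        # Same department with clearance >= the record's classification may read.
        if (action == "read" and sa.get("department") == ra.get("department")
                and sa.get("clearance", 0) >= ra.get("classification", 0)):
            return True
        # Deletion needs an explicitly granted permission, not a hard-coded role.
        if action == "delete" and "records:delete" in sa.get("permissions", ()):
            return True
        return False  # default deny

def policy_enforcement_point(pdp, subject, action, resource, handler):
    """PEP: the interception point in front of the business logic (the 'filter'
    in the thread). It holds no rules; it asks the PDP and enforces the answer."""
    if not pdp.decide(subject, action, resource):
        raise AccessDenied(f"{subject.user_id} may not {action} this record")
    return handler(resource)

def try_access(subject: Subject, action: str, resource: Resource) -> bool:
    # True when the PEP lets the request through, False when it refuses it.
    try:
        policy_enforcement_point(PolicyDecisionPoint(), subject, action, resource, lambda r: r)
        return True
    except AccessDenied:
        return False

alice = Subject("alice", {"department": "finance", "clearance": 2})   # constructed
bob = Subject("bob", {"department": "hr", "clearance": 3, "permissions": ("records:delete",)})
carol = Subject("carol", {"department": "finance", "clearance": 1})
invoice = Resource("alice", {"department": "finance", "classification": 2})
```

Adding a new rule touches only `PolicyDecisionPoint.decide`; the enforcement point and every handler behind it stay unchanged.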

andreashappe commented 7 months ago

hm, let's add this as a short introduction to the document?