Step-up authentication with NGAC/Policy Machine architecture

Çağlar Arlı

NB: This is not a technical question but rather an attempt to grasp the model and its natural restrictions.

I am thinking of Step-up authorization and Separation of Duty scenarios where either the same person who originated the operation should confirm the intent with MFA or another person needs to approve a sensitive operation originated by someone else.

In "traditional" ABAC, step-up or approvals might be implemented with obligations: the PDP sends the PEP permission grants with obligations, like MFARequired or ExtraApproveRequired. So the PEP can communicate with a user to get extra authentication proof or poll the status of the ExtraApproveRequired obligation's fulfilment.

If I understand correctly, in NGAC obligations are not meant to be sent to the PEP, so there is no natural way to proceed with the scenarios I mentioned above.

Am I right, or is there any way around this?
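
The "traditional" ABAC flow described in the question, as an added sketch that is not part of the original post: a PDP returns a permit carrying obligations, and the PEP releases the operation only once each one is discharged. The policy table, operation names, request fields and function names are all hypothetical; only the obligation names MFARequired and ExtraApproveRequired come from the question.

```python
from dataclasses import dataclass, field

@dataclass
class Decision:
    permit: bool
    obligations: list = field(default_factory=list)

# Hypothetical PDP policy: operation -> obligations attached to a permit.
POLICY = {
    "view_balance": [],
    "change_payout_account": ["MFARequired"],
    "wire_transfer": ["MFARequired", "ExtraApproveRequired"],
}

def pdp_decide(user, operation):
    """PDP side: unknown operations are denied, known ones carry obligations."""
    if operation not in POLICY:
        return Decision(False)
    return Decision(True, list(POLICY[operation]))

def _mfa_ok(request):
    # Step-up: the MFA proof must belong to the originator of this request.
    return request.get("mfa_verified_by") == request["user"]

def _approval_ok(request):
    # Separation of duty: an approver must exist and differ from the originator.
    approver = request.get("approved_by")
    return approver is not None and approver != request["user"]

HANDLERS = {"MFARequired": _mfa_ok, "ExtraApproveRequired": _approval_ok}

def pep_enforce(request, decide=pdp_decide):
    """PEP side: return (status, pending), status in allow / pending / deny."""
    decision = decide(request["user"], request["operation"])
    if not decision.permit:
        return "deny", []
    pending = []
    for obligation in decision.obligations:
        handler = HANDLERS.get(obligation)
        if handler is None:
            # Fail closed: a permit with an obligation the PEP cannot
            # interpret is treated as a deny.
            return "deny", []
        if not handler(request):
            pending.append(obligation)
    return ("pending", pending) if pending else ("allow", [])
```

A "pending" result is where the PEP would prompt the user for MFA or poll for the second person's approval before retrying.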