xacml-comment message

Subject: Re: [xacml-comment] no rules or policies




I agree on this. But this whole section doesn't really make sense to me at
all. Neither do the tables. What is trying to be said here?  Furthermore,
these sections are riddled with mistakes like Not "Match" instead of
"No-match" and "None-applicable" instead of "Not-applicable".

These sections should say nothing more than the policy body is evaluated
according to its rule combining algorithm and the evaluation of its rules,
which is specified elsewhere.  The "truth" tables are wrong according to
any kind of policy combining algorithm. All of the combining algorithms
handle the case when there are no rules or policies.

So, I suggest the following rewording of both sections and removing the
tables.

7.6 Policy Evaluation

The value of a policy SHALL be determined only by its contents against the
access decision request. A policy's value SHALL be determined by the
evaluation of the policy's target and the evaluation of its rules
according to the specified rule combining algorithm.

The policy's target is evaluated to determine the applicability of the
policy. If the target evaluates to "Match" then the value of the policy SHALL
be determined by evaluation of the policy's rules according to the
specified combining algorithm. If the target evaluates to "No-Match", then
the value of the policy shall be "Not-Applicable". If evaluation of the
target raises an "Indeterminate" the value of the policy SHALL be
"Indeterminate".

7.6 Policy Set Evaluation

The value of a policy set SHALL be determined by its contents against the
access decision request. A policy set's value is determined by the
evaluation of the policy set's target and the evaluation of its policies
and policy sets according to the specified policy combining algorithm.

The policy set's target is evaluated to determine the applicability of the
policy set. If the target evaluates to "Match" then the value of the policy
set SHALL be determined by evaluation of the policy's policies and policy
sets according to the specified policy combining algorithm.  If the target
evaluates to "No-Match", then the value of the policy set shall be
"Not-Applicable". If evaluation of the target raises an "Indeterminate"
the value of the policy set SHALL be "Indeterminate".


Cheers,
-Polar

On Wed, 27 Nov 2002, Seth Proctor wrote:

>
> Sections 7.6 and 7.7 contain, respectively, the only text in the spec that
> says what to do when a Policy has no Rules or a PolicySet has no policies.
> Unfortunately, the language is a little muddled (and looks like it might be
> left over from a previous version). Section 7.6 says
>
>   "A Rules value of 'At-least-one-applicable' SHALL be used if the <Rule>
>    element is absent..."
>
> Section 7.7 says
>
>   "A policies value of 'At-least-one-applicable' SHALL be used if there are
>    no contained or referenced policies or policy sets..."
>
> Is this supposed to imply that if the rule/policy[set] is missing, then the
> result should always be the result of the at-least-one-applicable combining
> algorithm, ie NotApplicable? If that's the case, I'd like to request that the
> text be clarified so that it's more obvious (since the above text doesn't
> really mean anything). If that's not the case, these sections need to be
> expanded to explain what to return in these conditions.
>
> As a side note, I don't really understand what the value is of having a Policy
> with no Rule, since it will always return the same thing (probably N/A), so
> why bother going through the effort of evaluating it? In other words, what
> is the reason for the schema defining PolicyType to have
>
>   <xs:element ref="xacml:Rule" minOccurs="0" ...
>
>
> seth
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>
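The evaluation order Polar proposes (target first, then the rule combining algorithm) and Seth's question about a Policy with no Rules, as an added Python model that is not part of the thread or of any XACML implementation. The deny-/permit-overrides logic is a simplification of the XACML 1.0 pseudocode and the `Rule` representation (a pre-computed target outcome plus an effect) is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, List

# Decision values and target outcomes as used in the thread above.
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "Not-Applicable", "Indeterminate"
MATCH, NO_MATCH = "Match", "No-Match"

@dataclass(frozen=True)
class Rule:
    target: str   # outcome of matching the rule's target: Match / No-Match / Indeterminate
    effect: str   # Permit or Deny

def evaluate_rule(rule: Rule) -> str:
    """A rule yields its effect only when its target matches (condition omitted here)."""
    if rule.target == MATCH:
        return rule.effect
    return NOT_APPLICABLE if rule.target == NO_MATCH else INDETERMINATE

def overrides(rules: List[Rule], winner: str) -> str:
    """Simplified XACML 1.0 deny-/permit-overrides; `winner` is the effect that wins.
    Assumption: modelled on the spec pseudocode. Note the empty rule list case."""
    loser = PERMIT if winner == DENY else DENY
    potential_winner = saw_loser = saw_error = False
    for rule in rules:
        decision = evaluate_rule(rule)
        if decision == winner:
            return winner
        if decision == loser:
            saw_loser = True
        elif decision == INDETERMINATE:
            saw_error = True
            potential_winner |= rule.effect == winner
    if potential_winner:
        return INDETERMINATE          # an erroring rule might have produced the winner
    if saw_loser:
        return loser
    return INDETERMINATE if saw_error else NOT_APPLICABLE  # no rules -> Not-Applicable

def deny_overrides(rules: List[Rule]) -> str: return overrides(rules, DENY)
def permit_overrides(rules: List[Rule]) -> str: return overrides(rules, PERMIT)

def evaluate_policy(target: str, rules: List[Rule], combine: Callable[[List[Rule]], str]) -> str:
    """Policy evaluation as reworded in the mail: target first, then the combining algorithm."""
    if target == NO_MATCH:
        return NOT_APPLICABLE
    if target == INDETERMINATE:
        return INDETERMINATE
    return combine(rules)

if __name__ == "__main__":
    # Constructed cases: a policy with no <Rule> elements, then one whose Deny rule errors.
    print(evaluate_policy(MATCH, [], deny_overrides))
    print(evaluate_policy(MATCH, [Rule(INDETERMINATE, DENY), Rule(MATCH, PERMIT)], deny_overrides))
```

The empty-rule policy comes out "Not-Applicable" from both combining algorithms without any separate truth table, which is the point Polar makes about the existing sections.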
