Subject: Re: [xacml-comment] D006 & D008
On Thursday, January 16, 2003, at 06:32 AM, Anne Anderson wrote:

> The result of the <Policy> that contains the mustbepresent
> missing attribute is (Indeterminate, missing-attribute), but
> there is another <Policy> in the <PolicySet> that results in a
> true Deny.

Ah, Ok.

> According to the definition of Deny-overrides, which is the
> <PolicySet> combining-algorithm in th
>
> a) In the entire set of policies in the policy set, if any
> policy evaluates to "Deny", then the result of the policy
> combination SHALL be "Deny"...

Ok, but we evaluate the Indeterminate before the Deny

> b) if the policy evaluation results in "Indeterminate", then the
> policy set SHALL evaluate to "Deny".'

Ah... ok... My mistake was to add the status code from the Indeterminate result to the Deny result... getting (Deny, missing-attribute) or (Deny, processing-error) instead of (Deny, ok).

Thanks for the detailed explanation!

John

>
> This seems pretty clear to me. Applying either a) or b) results
> in "Deny".
>
> In fact, there is no way defined by the policy-combining
> "Deny-overrides" algorithm for a result of "Indeterminate" to be
> returned, which was the intent of the designers of this
> algorithm. Indeterminate CAN be returned from a rule that uses
> the rule-combining "Deny-overrides" algorithm, but that is not
> the case in these two tests.
>
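
The behaviour discussed in this message, as an added example that is not part of the original thread or of any XACML implementation: a policy-combining Deny-overrides function that returns (Deny, ok), next to a variant that reproduces the status-code carry-over described in the reply. All function names and the sample input are hypothetical; the Permit/NotApplicable fall-through is an assumption not spelled out in the message.

```python
# Added illustration; names are hypothetical, not from any XACML implementation.
from typing import List, Tuple

Result = Tuple[str, str]  # (decision, status code)

# Constructed sample: child <Policy> results in evaluation order, as in the
# thread: the policy with the missing attribute is evaluated before the Deny.
SAMPLE_INDETERMINATE_FIRST: List[Result] = [
    ("Indeterminate", "missing-attribute"),
    ("Deny", "ok"),
]


def deny_overrides_policy_combining(children: List[Result]) -> Result:
    """Policy-combining Deny-overrides: never returns Indeterminate."""
    at_least_one_permit = False
    for decision, _status in children:
        # a) any Deny wins; b) an Indeterminate child is treated as Deny.
        # Either way the combined result is (Deny, ok), as stated in the
        # reply; the child's error status is not copied onto it.
        if decision in ("Deny", "Indeterminate"):
            return ("Deny", "ok")
        if decision == "Permit":
            at_least_one_permit = True
        elif decision != "NotApplicable":
            raise ValueError(f"unknown decision: {decision!r}")
    # Assumption: with no Deny or Indeterminate, Permit if any child
    # permitted, otherwise NotApplicable.
    return ("Permit", "ok") if at_least_one_permit else ("NotApplicable", "ok")


def deny_overrides_status_leak(children: List[Result]) -> Result:
    """The mistake described in the reply: the Indeterminate child's
    status code is carried over onto the Deny result."""
    at_least_one_permit = False
    for decision, status in children:
        if decision == "Deny":
            return ("Deny", "ok")
        if decision == "Indeterminate":
            return ("Deny", status)  # wrong: yields (Deny, missing-attribute)
        if decision == "Permit":
            at_least_one_permit = True
    return ("Permit", "ok") if at_least_one_permit else ("NotApplicable", "ok")


if __name__ == "__main__":
    print(deny_overrides_policy_combining(SAMPLE_INDETERMINATE_FIRST))
    print(deny_overrides_status_leak(SAMPLE_INDETERMINATE_FIRST))
```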