OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml-comment] Two comments on XACML Implementers Guide



>> > What does "a singleton bag" mean?
>> > Does it mean a bag that contains a single attribute value?
>>
>> Yes.


Because the term "singleton bag" is not used at all
in the XACML specification document,
I think the meaning should be explicitly defined
if the term is used in the XACML Implementers Guide.

>> I don't understand your point. The "applicability" test is based solely on
>> the evaluation of the target, whether it is only-one-applicable, or
>> first-applicable.


In my understanding, the applicability test for "only-one-applicable"is different from
the one for "first-applicable".

Appendix C.4 says that:
In the entire set of policies in the policy set, if no policy is considered applicable by virtue of their
targets, then the result of the policy combination algorithm SHALL be "NotApplicable". If more than
one policy is considered applicable by virtue of their targets, then the result of the policy
combination algorithm SHALL be "Indeterminate".

So I think the applicability test for "only-one-applicable" is based solely on the evaluation of the target,
and it seems to me that this is what Section 6 tries to note in the XACML Implementers Guide.

On the other hand, the applicability test for "first-applicable" is NOT based solely on
the target evaluation. For example, in case of  rule-combining,
it is based on both the target and condition.
So I don't think Section 6 in the XACML Implementers Guide is not a good note on
"first-applicable".

Appendix C.3 says that:
For a particular rule, if the target matches and the condition evaluates to "True", then the
evaluation of the policy SHALL halt and the corresponding effect of the rule SHALL be the
result of the evaluation of the policy (i.e. "Permit" or "Deny").

For a particular policy, if the target evaluates to "True" and the policy evaluates to
a determinate value of "Permit" or "Deny", then the evaluation SHALL halt and
the policy set SHALL evaluate to the effect value of that policy.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com



Polar Humenn <polar@syr.edu>

2003/04/18 22:29

       
        To:        Satoshi Hada/Japan/IBM@IBMJP
        cc:        xacml-comment@lists.oasis-open.org
        Subject:        Re: [xacml-comment] Two comments on XACML Implementers Guide

       


On Fri, 18 Apr 2003, Satoshi Hada wrote:

> Two comments on XACML Implementers Guide:
> http://www.oasis-open.org/committees/xacml/repository/xacml-implement-guide-1.1.doc
>
> >> Section4 Bags
> >> A singleton bag is NOT the same
> >> as an instance of the datatype contained in the bag.
>
> What does "a singleton bag" mean?
> Does it mean a bag that contains a single attribute value?

Yes.

> >> Section6 Combining algorithm.
> >> First-Applicable: The "applicability" test is based solely on
> >> evaluation of the Target.
>
> It seems to me that this is a description about
> Only-one-applicable (Appendix C.4)
> rather than First-applicable (Appendix C.3).

I don't understand your point. The "applicability" test is based solely on
the evaluation of the target, whether it is only-one-applicable, or
first-applicable. Are you saying that the descriptions in Section six are
merely misplaced?

Cheers,
-Polar

> Satoshi Hada
> IBM Tokyo Research Laboratory
> mailto:satoshih@jp.ibm.com


---------------------------------------------------------------------
To unsubscribe, e-mail: xacml-comment-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-comment-help@lists.oasis-open.org




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]