OASIS Mailing List Archives
xacml-dev message

Subject: Re: [xacml-dev] Handling NotApplicable


On Mon, Oct 04, 2004 at 05:14:01PM -0400, Kuketayev, Argyn wrote:
> How do you handle NotApplicable?
> [...] 
> What to do with NotApplicable decision? I decided that it's a bad thing
> to have this, because in my case it indicates that policy wasn't found or
> something more serious. So, I log this as an error or alert. Unlike
> "Deny", this should be dealt with.

This is a good question. In my opinion, there are three reasons why you
might see a response of NotApplicable:

  1. The PDP you queried doesn't have a policy covering the request, but
     there are multiple PDPs that can be queried

  2. The PDP you queried doesn't have a policy covering the request,
     because in your policies you're only explicit about a sub-set of
     possible actions, and all others are implicitly Deny cases

  3. The PDP you queried doesn't have a policy covering the request, but
     it's supposed to produce a real answer

The first case seems pretty straight-forward. You try one source, and if
it says NotApplicable you try others, until you get an answer or you
exhaust your sources (then see 2 and 3). I'm calling this case out for
full disclosure only, since I doubt you care about this in your system.

The second case is probably the most common one. You've only written
rules to handle a set of specific actions, but you haven't bothered to
cover all the corner cases. Here, you're implicitly covering all
NotApplicable decisions by saying they should appear to the PEP the same
as Deny. If this is what you're doing, then I think it's fine to take the
same action on a Deny and on a NotApplicable, since to the PEP and the
application-specific logic it's the same case.

The third case is what makes this a little more tricky. If you have a
PDP that's supposed to cover all cases, and you get back NotApplicable,
then you probably found an error in the system (which is what you're
getting at above, I think). By "error in the system" I mean that there's
some case you didn't consider. In practice it may be ok to treat this as
a Deny, just to be safe, but you'll probably also want to track these
cases, since you want to go back and figure out why the action wasn't
handled and then fix your policies. It may be enough to log this event,
and then act like you got a Deny, or you may want a different error that
says something unexpected happened. I think this depends on what level
of detail you want to expose to the PEP/Application.

Basically, in most scenarios, I think it's reasonable to assume that Deny
and NotApplicable are basically the same to the application logic. The
main difference is usually in the meta-data (eg, logging). For your
application, it sounds like you don't want to expose NotApplicable to
the application, and I think that's ok.


seth
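The following Python sketch is an added example, not code from Seth's message or from any XACML implementation. It models the three NotApplicable cases above on the PEP side: an ordered list of PDPs is tried until one gives a real answer (case 1); when every PDP says NotApplicable the PEP fails closed to Deny and, depending on whether the policy set was expected to cover everything, either logs it like an ordinary Deny (case 2) or records it as a policy gap to go back and fix (case 3). The PDP stubs (`table_pdp`, the names "reports-pdp" and "write-guard-pdp", the request shape and the rule table) are constructed for illustration and do not evaluate real XACML policies.

```python
"""PEP-side handling of XACML NotApplicable decisions (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PERMIT = "Permit"
DENY = "Deny"
NOT_APPLICABLE = "NotApplicable"
INDETERMINATE = "Indeterminate"

Request = Dict[str, str]            # constructed shape: subject, resource, action
PdpFn = Callable[[Request], str]    # returns one of the four XACML decisions


@dataclass
class Decision:
    effect: str                 # what the application enforces: Permit or Deny
    raw: str                    # the decision as the last PDP returned it
    source: Optional[str]       # PDP that answered, None if all said NotApplicable
    policy_gap: bool = False    # True when full coverage was expected but nothing matched


def table_pdp(rules: List[Tuple[str, str, str, str]]) -> PdpFn:
    """Constructed stand-in for a PDP (hypothetical, not a real engine).
    Each rule is (subject, resource, action, effect); '*' matches anything;
    first match wins; no match yields NotApplicable."""
    def evaluate(req: Request) -> str:
        for subj, res, act, effect in rules:
            if (subj in ("*", req["subject"]) and res in ("*", req["resource"])
                    and act in ("*", req["action"])):
                return effect
        return NOT_APPLICABLE
    return evaluate


class Pep:
    def __init__(self, pdps: List[Tuple[str, PdpFn]], expect_full_coverage: bool):
        self.pdps = pdps                                  # ordered: first real answer wins (case 1)
        self.expect_full_coverage = expect_full_coverage  # False: case 2, True: case 3
        self.audit: List[Dict[str, str]] = []             # in-memory stand-in for the PEP's log

    def decide(self, req: Request) -> Decision:
        for name, pdp in self.pdps:
            raw = pdp(req)
            if raw == NOT_APPLICABLE:
                continue                                  # case 1: try the next source
            # Only Permit opens the door. Deny and Indeterminate both fail closed,
            # but Indeterminate is a PDP error and gets a louder log line.
            effect = PERMIT if raw == PERMIT else DENY
            level = "error" if raw == INDETERMINATE else "info"
            self.audit.append({"level": level, "pdp": name, "decision": raw, **req})
            return Decision(effect, raw, name)

        # Every source said NotApplicable.
        if self.expect_full_coverage:
            # Case 3: the policy set was supposed to answer; record a gap to fix.
            self.audit.append({"level": "alert", "pdp": "", "decision": NOT_APPLICABLE, **req})
            return Decision(DENY, NOT_APPLICABLE, None, policy_gap=True)
        # Case 2: unlisted actions are implicitly denied; log it like any Deny.
        self.audit.append({"level": "info", "pdp": "", "decision": NOT_APPLICABLE, **req})
        return Decision(DENY, NOT_APPLICABLE, None)


def demo_pep(expect_full_coverage: bool) -> Pep:
    """Two constructed PDPs: one holding an explicit Permit rule, one an explicit Deny rule."""
    reports = table_pdp([("alice", "/report", "read", PERMIT)])
    write_guard = table_pdp([("*", "/report", "write", DENY)])
    return Pep([("reports-pdp", reports), ("write-guard-pdp", write_guard)], expect_full_coverage)


if __name__ == "__main__":
    pep = demo_pep(expect_full_coverage=True)
    for req in ({"subject": "alice", "resource": "/report", "action": "read"},
                {"subject": "bob", "resource": "/report", "action": "write"},
                {"subject": "bob", "resource": "/other", "action": "read"}):
        d = pep.decide(req)
        print(req, "->", d.effect, "(raw %s from %s, gap=%s)" % (d.raw, d.source, d.policy_gap))
    for entry in pep.audit:
        print(entry)
```

The third request in the demo matches no rule in either PDP; with `expect_full_coverage=True` the PEP still returns Deny to the application, but the audit entry is tagged "alert" and `policy_gap` is set, which is the distinction Seth draws between simply acting on a Deny and tracking the cases your policies never considered.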

