Subject: Re: [xacml-dev] Handling NotApplicable
On Mon, Oct 04, 2004 at 05:14:01PM -0400, Kuketayev, Argyn wrote:
> How do you handle NotApplicable?
> [...]
> What to do with NotApplicable decision? I decided that it's bad thing to
> have this, because in my case it indicates that policy wasn't found or
> something more serious. So, I log this as an error or alert. Unlike
> "Deny", this should be dealt with.

This is a good question. In my opinion, there are three reasons why you might see a response of NotApplicable:

1. The PDP you queried doesn't have a policy covering the request, but there are multiple PDPs that can be queried
2. The PDP you queried doesn't have a policy covering the request, because in your policies you're only explicit about a sub-set of possible actions, and all others are implicitly Deny cases
3. The PDP you queried doesn't have a policy covering the request, but it's supposed to produce a real answer

The first case seems pretty straight-forward. You try one source, and if it says NotApplicable you try others, until you get an answer or you exhaust your sources (then see 2 and 3). I'm calling this case out for full disclosure only, since I doubt you care about this in your system.

The second case is probably the most common one. You've only written rules to handle a set of specific actions, but you haven't bothered to cover all the corner cases. Here, you're implicitly covering all NotApplicable decisions by saying they should appear to the PEP the same as Deny. If this is what you're doing, then I think it's fine to take the same action on a Deny and on a NotApplicable, since to the PEP and the application-specific logic it's the same case.

The third case is what makes this a little more tricky. If you have a PDP that's supposed to cover all cases, and you get back NotApplicable, then you probably found an error in the system (which is what you're getting at above, I think). By "error in the system" I mean that there's some case you didn't consider.

In practice it may be ok to treat this as a Deny, just to be safe, but you'll probably also want to track these cases, since you want to go back and figure out why the action wasn't handled and then fix your policies. It may be enough to log this event, and then act like you got a Deny, or you may want a different error that says something unexpected happened. I think this depends on what level of detail you want to expose to the PEP/Application.

Basically, in most scenarios, I think it's reasonable to assume that Deny and NotApplicable are basically the same to the application logic. The main difference is usually in the meta-data (e.g., logging). For your application, it sounds like you don't want to expose NotApplicable to the application, and I think that's ok.

seth
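As an added illustration (not part of the original thread, and not code from any XACML implementation), here is a small Python sketch of the PEP-side handling the reply describes: query several PDPs in turn and fall through on NotApplicable (case 1), treat a final NotApplicable as Deny, and decide whether that NotApplicable is merely an implicit Deny (case 2) or a policy gap that should be logged as an alert (case 3). The `Enforcer` class, the table-driven toy PDPs and the request dicts are all constructed for this example. Indeterminate, the fourth standard XACML decision, is not discussed in the thread; it is handled fail-closed here.

```python
"""PEP-side mapping of XACML decisions to an allow/deny answer plus logging."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"  # standard XACML decision; treated fail-closed below


# Hypothetical PDP interface for this example: a callable from a request dict to a Decision.
PDP = Callable[[Dict[str, str]], Decision]


def make_table_pdp(rules: Dict[Tuple[str, str, str], Decision]) -> PDP:
    """Build a toy PDP from (subject, action, resource) -> Decision rules (constructed)."""
    def pdp(request: Dict[str, str]) -> Decision:
        key = (request["subject"], request["action"], request["resource"])
        # Anything the table does not mention is NotApplicable, exactly as a real PDP
        # answers when no policy's target matches the request.
        return rules.get(key, Decision.NOT_APPLICABLE)
    return pdp


@dataclass
class Enforcer:
    """Minimal PEP: consult PDPs in order, then collapse the decision to a boolean."""
    pdps: List[PDP]
    # True: the policy set is supposed to cover every request (case 3), so a final
    # NotApplicable is a policy gap and gets an ALERT entry.
    # False: only listed actions are written down and everything else is an
    # implicit Deny (case 2), so NotApplicable is logged at INFO level only.
    exhaustive_policies: bool = True
    log: List[str] = field(default_factory=list)

    def decide(self, request: Dict[str, str]) -> bool:
        decision = Decision.NOT_APPLICABLE
        for pdp in self.pdps:  # case 1: try the next source while the answer is NotApplicable
            decision = pdp(request)
            if decision is not Decision.NOT_APPLICABLE:
                break

        if decision is Decision.PERMIT:
            return True
        if decision is Decision.DENY:
            return False
        if decision is Decision.NOT_APPLICABLE:
            if self.exhaustive_policies:
                self.log.append(f"ALERT NotApplicable for {request}: policy gap, treated as Deny")
            else:
                self.log.append(f"INFO NotApplicable for {request}: implicit Deny")
            return False
        # Indeterminate means the PDP could not evaluate (missing attribute, error):
        # fail closed and make it visible to whoever maintains the policies.
        self.log.append(f"ALERT Indeterminate for {request}: evaluation error, treated as Deny")
        return False


# Constructed sample policies: a departmental PDP and a corporate fallback PDP.
DEPT_PDP = make_table_pdp({
    ("alice", "read", "report"): Decision.PERMIT,
    ("bob", "delete", "report"): Decision.DENY,
})
CORP_PDP = make_table_pdp({
    ("alice", "write", "report"): Decision.DENY,
})


def demo() -> Tuple[Dict[str, bool], List[str]]:
    """Run three constructed requests through a two-PDP enforcer and return results + log."""
    enforcer = Enforcer(pdps=[DEPT_PDP, CORP_PDP], exhaustive_policies=True)
    results = {
        # answered Permit by DEPT_PDP
        "alice-read": enforcer.decide({"subject": "alice", "action": "read", "resource": "report"}),
        # DEPT_PDP says NotApplicable, CORP_PDP says Deny (case 1 fall-through)
        "alice-write": enforcer.decide({"subject": "alice", "action": "write", "resource": "report"}),
        # no PDP covers it: NotApplicable becomes Deny and an ALERT log entry (case 3)
        "carol-read": enforcer.decide({"subject": "carol", "action": "read", "resource": "report"}),
    }
    return results, enforcer.log


if __name__ == "__main__":
    res, entries = demo()
    print(res)
    print("\n".join(entries))
```

The single switch `exhaustive_policies` is what separates case 2 from case 3: the application sees a plain deny either way, and only the log level changes, which matches the reply's point that the difference between Deny and NotApplicable is mostly meta-data.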