Subject: RE: [xacml-dev] Deny-override
On Mon, 2005-05-23 at 12:04, Kuketayev, Argyn (Contractor) wrote:
> I think it just gives the policy writer a little more control on the
> evaluation sequence, which may impact the performance of the system.

That's the right idea. The ordered algorithm requires that the elements be evaluated in order, while the non-ordered version makes no such requirement. In practice, most systems I know of still evaluate in order, but if you wanted to change the order for performance reasons (or for any other reason), you can with the non-ordered version.

Note that it's not the policy writer that has control over re-ordering, but the implementor of the algorithm in the PDP. Because of this, in order to take advantage of re-ordering you need to re-implement the algorithm based on your specific environment. This isn't generally easy, which is why (in my opinion) you don't see this being done all that much.

Now, with XACML 2.0, combining algorithms can have parameters, which could be used by _policy writers_ to help make ordering decisions. Of course, in order to use this, you need an algorithm that uses parameters. The standard algorithms don't, so you'd need to come up with a new algorithm anyway.

Bottom line, I recommend to most people that they always use the ordered algorithms, unless there's a clear case where ordering could never matter or where they actually need to re-implement the combining algorithms.

seth
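
Added example, not part of the original message and not code from any XACML implementation: a simplified model of deny-overrides rule combining, showing how a PDP implementor could re-order evaluation in the non-ordered variant while the ordered variant must follow policy order. The `Rule` class, the `cost` estimate and the sample rules are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    name: str
    effect: str                      # PERMIT or DENY
    evaluate: Callable[[dict], str]  # returns one of the four decisions
    cost: int = 1                    # hypothetical cost estimate kept by the PDP

def deny_overrides(rules, request):
    """Ordered variant: evaluate in policy order. Returns (decision, rules evaluated)."""
    evaluated, permit, error, potential_deny = [], False, False, False
    for rule in rules:
        decision = rule.evaluate(request)
        evaluated.append(rule.name)
        if decision == DENY:
            return DENY, evaluated          # first Deny ends evaluation
        if decision == PERMIT:
            permit = True
        elif decision == INDET:
            error = True
            potential_deny = potential_deny or rule.effect == DENY
    if potential_deny:
        return INDET, evaluated             # a Deny rule failed, so Permit is unsafe
    if permit:
        return PERMIT, evaluated
    if error:
        return INDET, evaluated
    return NA, evaluated

def unordered_deny_overrides(rules, request):
    # Non-ordered variant: the PDP (not the policy writer) picks the order,
    # here cheapest rule first so a cheap Deny can short-circuit early.
    return deny_overrides(sorted(rules, key=lambda r: r.cost), request)

# Constructed sample policy: expensive lookups listed first, cheap check last.
RULES = [
    Rule("staff-permit", PERMIT, lambda r: PERMIT if r.get("role") == "staff" else NA, cost=50),
    Rule("flagged-resource-deny", DENY, lambda r: DENY if r.get("resource") == "payroll-export" else NA, cost=80),
    Rule("suspended-deny", DENY, lambda r: DENY if r.get("suspended") else NA, cost=1),
]

if __name__ == "__main__":
    req = {"role": "staff", "resource": "wiki", "suspended": True}
    print(deny_overrides(RULES, req))            # all three rules evaluated
    print(unordered_deny_overrides(RULES, req))  # only the cheap Deny rule evaluated
```

In this model both variants return the same decision and differ only in which rules were evaluated.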