RE: [xacml-dev] XACML Target matching question

[Doron Grinstein <doron@bitkoo.com>]

Multiple policies can have the same target in the same PDP.  How their decision results are combined is determined by their parent policy-set’s policy combining algorithm. 

 

If there is no parent policy set (because you have configured the PDP to take multiple root policies), then the PDP will behave as though the multiple root policies were the children of a policy set with a policy combining algorithm of “only one applicable”.  (I don’t recall offhand if this is a requirement of the XACML spec or just a recommendation, you’d need to check the spec doc)

 

In the situation you described, if the PDP were forced to work with multiple root policies, every request would return “Indeterminate” because more than one policy is applicable and that is not acceptable under the implicit “only one applicable” policy combining algorithm.

 

A PDP instance must have a single root policy(set) to evaluate requests against.  If you give the PDP multiple root policies, it will behave as though it created an in-memory policy set to contain the given policies. I hope this brief explanation helps answer your question.

 

 

Doron Grinstein  │ CEO  │ BiTKOO  │ 818-985-4700 Ext. 31 │www.bitkoo.com

 

 

 

From: Security Developer [mailto:security.developer22@gmail.com]
Sent: Saturday, July 16, 2011 2:43 AM
To: xacml-dev@lists.oasis-open.org
Subject: [xacml-dev] XACML Target matching question

 

Hi All,

I have a question regarding XACML target matching.

1 - Is it possible that two policies have the same target in one PDP? suppose

Policy-1

<Policy>
    <Target/>

</Policy>

Policy-2

<Policy>
    <Target/>

</Policy>

Is the above case possible? if yes then which policy is selected by the PDP?

Thanks for your time.

Best Regards.