
xacml-dev message



Subject: Re: [xacml-dev] Clarification on Policy References


Hi,

there was a discussion not obviously related to your question on
http://lists.oasis-open.org/archives/xacml-dev/201107/threads.html#00007

Regards,
  Helmut

On 01/31/2013 12:19 PM, David Brossard wrote:
> Hi,
> 
> It depends on how your PDP resolves policy references. The XACML
> standard does not specify how one should implement policy references.
> 
> In the example you gave, the PDP should only "see" the root policy.
> Referenced policies are only meant to be accessed via a reference. With
> that behavior in mind, then, foo-policy only gets accessed via
> root-policy-set and is evaluated only once.
> 
> To be sure I'd ask the people who implemented the PDP engine you're using.
> 
> Quoting the XACML spec (line 1971 of
> http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf):
> 
>     However, the mechanism for resolving a policy reference to the
>     corresponding policy is outside the scope of this specification.
> 
> 
> Note that in your example, policy references are just one issue. If the
> PDP does indeed see all policies regardless of whether they are being
> used as references or not, then how does the PDP combine them? In your
> case, how does the PDP combine root-policy-set with foo-policy with
> bar-policy? This means you want to make sure your PDP only ever handles
> a single policy - the root policy - as an entry point.
> 
> Cheers,
> David. 
> 
> On Thu, Jan 31, 2013 at 12:01 PM, Asela Pathberiya
> <aselapathberiya@gmail.com> wrote:
> 
>     Hi devs,
> 
>     I need some clarification on the run-time behavior of a PDP with
>     "PolicyIdReference" and "PolicySetIdReference". Sorry if this is an
>     already discussed, common question, but I would really appreciate your ideas.
> 
>     Say in a PDP you have three policies.  
> 
>     root-policy-set --->  foo-policy , bar-policy 
>     foo-policy
>     bar-policy 
>      
>     "root-policy-set" has a "PolicyIdReference" to "foo-policy" and
>     "bar-policy". When an XACML request hits the PDP and is
>     applicable to both the "root-policy-set" and "foo-policy" policies,
>     does the PDP have to evaluate both policies? If so, would "foo-policy" be
>     evaluated twice? Therefore, what would be the recommended way for
>     the PDP to handle this?
> 
>     Thanks in Advance.
>     Asela.
> 
> 
> 
> 
> -- 
> David Brossard, M.Eng, SCEA, CSTP
> Product Manager
> +46(0)760 25 85 75
> Axiomatics AB
> Skeppsbron 40
> S-111 30 Stockholm, Sweden
> http://www.linkedin.com/companies/536082
> http://www.axiomatics.com
> http://twitter.com/axiomatics
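
The root-only behavior described in the thread, as an added example that is not part of the original messages and not any PDP's own code. Since the spec leaves reference resolution out of scope, the function names and the trimmed sample documents below are assumptions: the sketch finds the policies that nothing else references and compares evaluation counts when only the root is an entry point versus when every stored policy is.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"

# Constructed sample store mirroring the thread (targets, rules, algorithms trimmed).
DOCS = [
    f'<PolicySet xmlns="{XACML}" PolicySetId="root-policy-set">'
    "<PolicyIdReference>foo-policy</PolicyIdReference>"
    "<PolicyIdReference>bar-policy</PolicyIdReference></PolicySet>",
    f'<Policy xmlns="{XACML}" PolicyId="foo-policy"/>',
    f'<Policy xmlns="{XACML}" PolicyId="bar-policy"/>',
]

def reference_graph(docs):
    """Map each policy id to the list of ids it pulls in by reference."""
    graph = {}
    for text in docs:
        root = ET.fromstring(text)
        pid = root.get("PolicySetId") or root.get("PolicyId")
        if pid in graph:
            raise ValueError(f"duplicate policy id: {pid}")
        graph[pid] = [el.text.strip() for el in root.iter()
                      if el.tag in (f"{{{XACML}}}PolicyIdReference",
                                    f"{{{XACML}}}PolicySetIdReference")]
    return graph

def entry_points(graph):
    """Policies no other policy references: the only candidates for a root."""
    referenced = {ref for refs in graph.values() for ref in refs}
    missing = referenced - graph.keys()
    if missing:
        raise ValueError(f"unresolved references: {sorted(missing)}")
    return sorted(graph.keys() - referenced)

def evaluation_counts(graph, top_level):
    """Count how often each policy is evaluated when top_level are the entries."""
    counts = Counter()
    def visit(pid, path):
        if pid in path:
            raise ValueError(f"reference cycle through {pid}")
        counts[pid] += 1
        for ref in graph[pid]:
            visit(ref, path | {pid})
    for pid in top_level:
        visit(pid, frozenset())
    return dict(counts)

GRAPH = reference_graph(DOCS)
ROOTS = entry_points(GRAPH)                     # root-only entry
ROOT_ONLY = evaluation_counts(GRAPH, ROOTS)
FLAT = evaluation_counts(GRAPH, sorted(GRAPH))  # every stored policy is an entry
```

If `entry_points` returns more than one id, the store has several roots and no combining algorithm declared between them, which is the second issue raised in the reply.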

