Subject: Re: [xacml-dev] Clarification on Policy References
Hi,

there was a discussion not obviously related to your question on
http://lists.oasis-open.org/archives/xacml-dev/201107/threads.html#00007

Regards,
Helmut

On 01/31/2013 12:19 PM, David Brossard wrote:
> Hi,
>
> It depends on how your PDP resolves policy references. The XACML
> standard does not specify how one should implement policy references.
>
> In the example you gave, the PDP should only "see" the root policy.
> Referenced policies are only meant to be accessed via a reference. With
> that behavior in mind, then, foo-policy only gets accessed via
> root-policy-set and is evaluated only once.
>
> To be sure I'd ask the people who implemented the PDP engine you're using.
>
> Quoting the XACML spec (line 1971 of
> http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf):
>
>     However, the mechanism for resolving a policy reference to the
>     corresponding policy is outside the scope of this specification.
>
> Note that in your example, policy references are just one issue. If the
> PDP does indeed see all policies regardless of whether they are being
> used as references or not, then how does the PDP combine them? In your
> case, how does the PDP combine root-policy-set with foo-policy with
> bar-policy? This means you want to make sure your PDP only ever handles
> a single policy - the root policy - as an entry point.
>
> Cheers,
> David.
>
> On Thu, Jan 31, 2013 at 12:01 PM, Asela Pathberiya
> <aselapathberiya@gmail.com> wrote:
>
> > Hi devs,
> >
> > I have some clarification on run time behavior of a PDP with
> > "PolicyIdReference" and "PolicySetIdReference". Sorry if this is
> > an already discussed common question. But I really appreciate your ideas.
> >
> > Say in a PDP you have three policies.
> >
> > root-policy-set ---> foo-policy , bar-policy
> > foo-policy
> > bar-policy
> >
> > "root-policy-set" has "PolicyIdReference" to "foo-policy" and
> > "bar-policy". When an XACML request is hit with the PDP, which is
> > applicable with both "root-policy-set" and "foo-policy" policies,
> > does the PDP want to evaluate both policies? If so, would "foo-policy"
> > be evaluated two times? Therefore what would be the recommended way to
> > handle this by the PDP?
> >
> > Thanks in advance.
> > Asela.
>
> --
> David Brossard, M.Eng, SCEA, CSTP
> Product Manager
> +46(0)760 25 85 75
> Axiomatics AB
> Skeppsbron 40
> S-111 30 Stockholm, Sweden
> http://www.linkedin.com/companies/536082
> http://www.axiomatics.com
> http://twitter.com/axiomatics
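The two PDP behaviours discussed in this thread can be checked against a policy store before deployment. The following is an added example, not part of the original messages or of any PDP product: it builds the reference graph for the three policies named above, lists the entry points, and shows which policies would be evaluated both directly and via a reference. The function names and the trimmed sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted policy files, parse with defusedxml instead

XACML3 = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
REF_TAGS = ("PolicyIdReference", "PolicySetIdReference")

# Constructed sample: the three policies from the thread, trimmed to what this check reads.
SAMPLE_POLICIES = [
    f'<PolicySet xmlns="{XACML3}" PolicySetId="root-policy-set">'
    "<PolicyIdReference>foo-policy</PolicyIdReference>"
    "<PolicyIdReference>bar-policy</PolicyIdReference></PolicySet>",
    f'<Policy xmlns="{XACML3}" PolicyId="foo-policy"/>',
    f'<Policy xmlns="{XACML3}" PolicyId="bar-policy"/>',
]

def index_policies(documents):
    """Map each loaded policy id to the set of policy ids it references."""
    graph = {}
    for xml_text in documents:
        root = ET.fromstring(xml_text)
        policy_id = root.get("PolicySetId") or root.get("PolicyId")
        graph[policy_id] = {
            (el.text or "").strip()
            for tag in REF_TAGS
            for el in root.iter(f"{{{XACML3}}}{tag}")
        }
    return graph

def entry_points(graph):
    """Policies that no other loaded policy references (candidate roots)."""
    referenced = set().union(*graph.values())
    return sorted(set(graph) - referenced)

def evaluated_twice(graph, top_level):
    """Policies evaluated directly as top-level AND again through a reference."""
    reachable, stack = set(), [r for t in top_level for r in graph.get(t, ())]
    while stack:  # the visited set also keeps reference cycles from looping
        policy_id = stack.pop()
        if policy_id not in reachable:
            reachable.add(policy_id)
            stack.extend(graph.get(policy_id, ()))
    return sorted(reachable & set(top_level))

if __name__ == "__main__":
    graph = index_policies(SAMPLE_POLICIES)
    print("entry points:", entry_points(graph))
    print("PDP loads everything as top-level:", evaluated_twice(graph, list(graph)))
    print("PDP loads only the root:", evaluated_twice(graph, entry_points(graph)))
```

More than one entry point, or a non-empty double-evaluation list, means the outcome depends on how the specific PDP combines top-level policies, which the specification leaves open.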