xacml-users message



Subject: RE: [xacml-users] Combining algorithms and "AND" and "OR"




> -----Original Message-----
> From: srinivas.sridhara@nokia.com 
> [mailto:srinivas.sridhara@nokia.com] 
> Sent: Wednesday, April 13, 2005 4:17 PM
> To: Anne.Anderson@Sun.COM; Kuketayev, Argyn (Contractor)
> Cc: xacml-users@lists.oasis-open.org
> Subject: RE: [xacml-users] Combining algorithms and "AND" and "OR"
> 
> 
> Does "deny-override" mean that the result of combining a set 
> of policies is "deny" no matter what the other policies 
> evaluate to (i.e. Permit, Indeterminate or NotApplicable) as 
> long as one policy evaluates to Deny. 

Yes

> Or does Deny-override 
> apply only to those policies which evaluate to permit or 
> deny. 

No. One example: suppose there was a rule whose effect is "Deny", but
which, due to errors, returned "Indeterminate". If this result is combined
with other rules returning "Permit", the combined result will be "Deny" as
far as I remember.

Also, deny-override has two types, one for policies and one for rules.
There are significant differences between them. 

> A similar thought for Permit-override too!

This algorithm deals with "Not applicable" and "Indeterminate" in a
different way.



Thanks,
argyn
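
The rule-level and policy-level deny-overrides variants and the policy-level permit-overrides algorithm discussed in this thread, as an added example that is not part of the original message. It assumes the combining-algorithm pseudo-code of the XACML 2.0 specification; the function names are hypothetical and the sample inputs are constructed.

```python
# Added example: XACML 2.0 combining semantics, assumed from the spec's pseudo-code.
PERMIT, DENY = "Permit", "Deny"
INDETERMINATE, NOT_APPLICABLE = "Indeterminate", "NotApplicable"

def deny_overrides_rules(results):
    """Rule-combining variant. results: (decision, rule_effect) per rule."""
    error = potential_deny = permit = False
    for decision, effect in results:
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            permit = True
        elif decision == INDETERMINATE:
            error = True
            # A failed rule whose Effect is Deny might have denied.
            potential_deny = potential_deny or effect == DENY
    if potential_deny:
        return INDETERMINATE
    if permit:
        return PERMIT
    return INDETERMINATE if error else NOT_APPLICABLE

def deny_overrides_policies(decisions):
    """Policy-combining variant: an Indeterminate policy is treated as Deny."""
    permit = False
    for decision in decisions:
        if decision in (DENY, INDETERMINATE):
            return DENY
        permit = permit or decision == PERMIT
    return PERMIT if permit else NOT_APPLICABLE

def permit_overrides_policies(decisions):
    """Policy-combining permit-overrides: errors surface only if nothing denies."""
    deny = error = False
    for decision in decisions:
        if decision == PERMIT:
            return PERMIT
        deny = deny or decision == DENY
        error = error or decision == INDETERMINATE
    if deny:
        return DENY
    return INDETERMINATE if error else NOT_APPLICABLE

if __name__ == "__main__":
    # Constructed inputs: one failed Deny rule/policy combined with one Permit.
    print(deny_overrides_rules([(INDETERMINATE, DENY), (PERMIT, PERMIT)]))
    print(deny_overrides_policies([INDETERMINATE, PERMIT]))
    print(permit_overrides_policies([INDETERMINATE, NOT_APPLICABLE]))
```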

