Subject: Re: [xacml-users] policy inconsistency
On 5/1/06, Daniel Engovatov <dengovatov@bea.com> wrote:
> Why would not it make sense?
>
> Consider the following scenario: one default policy permits something. Administrator adds a temporary policy to block that - it is much nicer to add a DENY rule, than to edit away rule in the default policy. Later this DENY rule may be revoked.
>
> I do not see any semantic inconsistency in this usage: this is exactly the reason to have DENY rules and combining algorithm. If not for this kind of rules - there would be little reason to have the DENY effect - as the effect of deny could be handled using only the NOTAPPLICABLE.
>

Daniel; you are right, in your example Admin intended to put a policy which "overrides" the existing policy/rule. however, i think that koko meant something else.

recently, i was talking about xacml and got a similar question from the audience. the issue is that once you build a large set of policies and rules, there could be unintended "collisions" or inconsistencies. combining algorithms could produce "unexpected" results when multiple policy sets are combined. these effects are not indeterministic, of course, but the result of combining policy sets is not always intuitive. if you have a lot of policies, then it would be useful to find out inconsistent ones. in order to do that one has to define what is exactly "inconsistent" policies.

Argyn
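The following is an added example, not part of the original message or of any XACML implementation. It assumes one possible definition of "inconsistent" (two rules with opposite effects whose targets can match the same request) and a simplified rule model with constructed sample rules and no Indeterminate results, then shows that the decision in the overlap depends on the combining algorithm.

```python
# Constructed sample rules (hypothetical). A target maps an attribute to the set
# of values it matches; an attribute absent from the target matches any value.
RULES = [
    {"id": "default-permit", "effect": "Permit",
     "target": {"role": {"staff"}, "action": {"read", "write"}}},
    {"id": "temp-block", "effect": "Deny",
     "target": {"role": {"staff"}, "action": {"write"}, "resource": {"payroll"}}},
    {"id": "audit-read", "effect": "Permit",
     "target": {"role": {"auditor"}, "action": {"read"}}},
]

def applies(rule, request):
    """True when every attribute constrained by the target matches the request."""
    return all(request.get(a) in vals for a, vals in rule["target"].items())

def combine(rules, request, algorithm):
    """Simplified rule combining: deny-overrides, permit-overrides, first-applicable."""
    effects = [r["effect"] for r in rules if applies(r, request)]
    if not effects:
        return "NotApplicable"
    if algorithm == "first-applicable":
        return effects[0]
    winner = "Deny" if algorithm == "deny-overrides" else "Permit"
    return winner if winner in effects else effects[0]

def overlap(a, b):
    """Return the shared target if both rules can match one request, else None."""
    shared = {}
    for attr in set(a["target"]) | set(b["target"]):
        va, vb = a["target"].get(attr), b["target"].get(attr)
        common = vb if va is None else va if vb is None else va & vb
        if not common:
            return None  # disjoint on this attribute: the rules never collide
        shared[attr] = common
    return shared

def find_conflicts(rules):
    """List (id, id, shared target) for rule pairs with opposite effects that overlap."""
    out = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            shared = overlap(a, b)
            if a["effect"] != b["effect"] and shared:
                out.append((a["id"], b["id"], shared))
    return out

if __name__ == "__main__":
    for first, second, shared in find_conflicts(RULES):
        print(first, "vs", second, "overlap on", shared)
```

Whether a reported pair is an intended override, as in the temporary DENY scenario, or an accidental collision is a review decision; the check only surfaces the candidates.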