Subject: Re: [xacml-users] policy inconsistency


Another aspect of policy inconsistency is that, unless two Rules are 
identical other than their stated "Effect", then consistency in XACML is 
specific to a particular set of Request Contexts.  For some Contexts, 
the two Rules might return Permit/Deny.  For other requests, the two 
Rules might return identical results.  For still others, one policy 
might return Not Applicable and another policy might return Permit or 
Deny.  With very expressive Condition language AND very rich Request 
Contexts, there are many ways for two policies to return "inconsistent" 
results.

Anne



Argyn wrote on 05/01/06 14:18:
> On 5/1/06, Daniel Engovatov <dengovatov@bea.com> wrote:
> 
>> Why would it not make sense?
>>
>> Consider the following scenario: one default policy permits 
>> something.  Administrator adds a temporary policy to block that - it 
>> is much nicer to add a DENY rule than to edit away the rule in the 
>> default policy.  Later this DENY rule may be revoked.
>>
>> I do not see any semantic inconsistency in this usage: this is exactly 
>> the reason to have DENY rules and combining algorithm.  If not for 
>> this kind of rules - there would be little reason to have the DENY 
>> effect - as the effect of deny could be handled using only the 
>> NOTAPPLICABLE.
>>
>> Daniel;
> 
> 
> You are right, in your example Admin intended to put a policy which
> "overrides" the existing policy/rule.
> 
> However, I think that koko meant something else. Recently, I was
> talking about XACML and got a similar question from the audience. The
> issue is that once you build a large set of policies and rules, there
> could be unintended "collisions" or inconsistencies. Combining
> algorithms could produce "unexpected" results when multiple policy
> sets are combined. These effects are not indeterministic, of course,
> but the result of combining policy sets is not always intuitive. If
> you have a lot of policies, then it would be useful to find out
> inconsistent ones. In order to do that one has to define what
> exactly "inconsistent" policies are.
> 
> Argyn
> 
> ---------------------------------------------------------------------
> This publicly archived list supports open discussion on using the
> XACML OASIS Standard. To minimize spam in the archives, you
> must subscribe before posting.
> 
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> List archives: http://lists.oasis-open.org/archives/xacml-users/
> Committee homepage: http://www.oasis-open.org/committees/xacml/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Join OASIS: http://www.oasis-open.org/join/
> 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
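As an added illustration of the point made in this thread (example code, not from the thread's participants and not from any XACML implementation), the small evaluator below models Rules with an Effect, three standard combining algorithms, and a check that reports which Request Contexts make two Rules collide. It deliberately simplifies XACML: Target and Condition are collapsed into one predicate, and the Indeterminate decision is omitted. The rule names, attribute names and request contexts are constructed for the example; they reproduce the "default Permit plus temporary Deny" scenario from Daniel's message, and show that the pair is only "inconsistent" for the contexts where both Rules apply.

```python
"""Toy XACML-style evaluator (added example, not reference XACML code).

Shows that Permit/Deny "inconsistency" between Rules exists only relative to a
set of Request Contexts, and how a combining algorithm resolves a collision.
"""
from typing import Callable, Dict, List, Tuple

Context = Dict[str, str]
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


class Rule:
    def __init__(self, name: str, effect: str, applies: Callable[[Context], bool]):
        self.name = name
        self.effect = effect          # "Permit" or "Deny"
        self.applies = applies        # Target + Condition collapsed into one predicate

    def evaluate(self, ctx: Context) -> str:
        # A Rule yields its Effect only when its Target/Condition match the request.
        return self.effect if self.applies(ctx) else NOT_APPLICABLE


def deny_overrides(decisions: List[str]) -> str:
    # Any Deny wins; otherwise any Permit; otherwise nothing applied.
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def permit_overrides(decisions: List[str]) -> str:
    # Mirror image of deny_overrides.
    if PERMIT in decisions:
        return PERMIT
    if DENY in decisions:
        return DENY
    return NOT_APPLICABLE


def first_applicable(decisions: List[str]) -> str:
    # Rule order matters: the first Rule that applies decides.
    for d in decisions:
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


def combine(rules: List[Rule], ctx: Context, algorithm) -> str:
    return algorithm([r.evaluate(ctx) for r in rules])


def find_conflicts(rules: List[Rule], contexts: List[Context]) -> List[Tuple[Context, Dict[str, str]]]:
    """Return the contexts in which one Rule says Permit and another says Deny.

    The result is meaningful only for the supplied set of Request Contexts:
    the same Rules can be conflict-free for a different set.
    """
    conflicts = []
    for ctx in contexts:
        results = {r.name: r.evaluate(ctx) for r in rules}
        effects = set(results.values())
        if PERMIT in effects and DENY in effects:
            conflicts.append((ctx, results))
    return conflicts


# Constructed Rules: a default Permit plus a temporary administrator Deny.
DEFAULT_PERMIT = Rule(
    "default-permit-read",
    PERMIT,
    lambda c: c.get("role") == "employee" and c.get("action") == "read",
)
TEMP_DENY = Rule(
    "temp-deny-confidential",
    DENY,
    lambda c: c.get("resource") == "confidential",
)
RULES = [DEFAULT_PERMIT, TEMP_DENY]

# Constructed Request Contexts covering each of the cases Anne describes.
CONTEXTS: List[Context] = [
    {"role": "employee", "action": "read", "resource": "public"},        # only Permit applies
    {"role": "employee", "action": "read", "resource": "confidential"},  # Permit vs Deny
    {"role": "guest", "action": "read", "resource": "confidential"},     # only Deny applies
    {"role": "guest", "action": "write", "resource": "public"},          # neither applies
]


if __name__ == "__main__":
    for ctx in CONTEXTS:
        print(ctx,
              "deny-overrides:", combine(RULES, ctx, deny_overrides),
              "permit-overrides:", combine(RULES, ctx, permit_overrides))
    for ctx, results in find_conflicts(RULES, CONTEXTS):
        print("conflict in", ctx, "->", results)
```

Only the second context produces a conflict; for the other three the two Rules agree or one of them is NotApplicable, which is exactly why a consistency check has to be stated relative to a set of Request Contexts rather than to the Rules alone. Swapping deny_overrides for permit_overrides changes the outcome of that one conflicting context and nothing else.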

