Subject: Re: [xacml] Re: Boolean Policy resolution
this is not an issue about typos. the fundamental concept is that in a distributed environment an 'external' entity affects the outcome of a decision locally. putting on my security hat for a sec i suggest that anything short of true for ANY conjunctive predicate should yield a false for the overall resolution.

a possible solution is differentiating between the behaviors, perhaps having a <and!> in addition to the <and> combinator. the former allows for the ignoring of 'not applicable', while the latter requires all predicates to resolve true...? i believe that both behaviors are valid in different circumstances.

b

Anne Anderson wrote:
> On 31 January, bill parducci writes: Re: [xacml] Re: Boolean Policy resolution
> > conversely you have the example:
> >
> > your dept wants to make sure that requirements of corporate AND
> > department are met before allowing access. someone at corporate enters a
> > typo that causes the policy to return 'not applicable'. user granted
> > access even though they would have been denied such access had the
> > policy been written correctly.
>
> A typo could also cause a policy to return "false" or "true"
> incorrectly. I think we have to assume that policies are written
> correctly.
>
> Where we can think of ways to make it more likely that a policy
> will be written correctly, however, then by all means let's use
> them. I don't think this is one of those ways, however.
>
> Anne
>
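The two conjunction behaviors discussed in this message, run against the corporate-AND-department scenario, as an added example that is not part of the original thread or of the XACML specification. The names `and_lenient` and `and_strict`, the request attributes, and the result of the lenient form when no operand applies are assumptions made for illustration.

```python
from enum import Enum

class Outcome(Enum):
    TRUE = "true"
    FALSE = "false"
    NOT_APPLICABLE = "not applicable"

def policy(target_attr, target_value, condition):
    """Build a predicate that is NOT_APPLICABLE unless the request matches its target."""
    def evaluate(request):
        if request.get(target_attr) != target_value:
            return Outcome.NOT_APPLICABLE
        return Outcome.TRUE if condition(request) else Outcome.FALSE
    return evaluate

def and_lenient(predicates, request):
    """Conjunction that ignores NOT_APPLICABLE operands (hypothetical name)."""
    results = [p(request) for p in predicates]
    applicable = [r for r in results if r is not Outcome.NOT_APPLICABLE]
    if not applicable:
        return Outcome.NOT_APPLICABLE  # assumption: nothing applied, so no decision
    return Outcome.TRUE if all(r is Outcome.TRUE for r in applicable) else Outcome.FALSE

def and_strict(predicates, request):
    """Fail-closed conjunction: anything short of TRUE yields FALSE (hypothetical name)."""
    results = [p(request) for p in predicates]
    ok = bool(results) and all(r is Outcome.TRUE for r in results)
    return Outcome.TRUE if ok else Outcome.FALSE

# Constructed request and policies for the scenario quoted in the message.
REQUEST = {"resource": "payroll", "role": "contractor", "dept": "finance"}
department = policy("resource", "payroll", lambda r: r["dept"] == "finance")
corporate = policy("resource", "payroll", lambda r: r["role"] == "employee")
# Same corporate rule with a typo in its target value, so it never applies.
corporate_typo = policy("resource", "payrol", lambda r: r["role"] == "employee")

def compare(corp):
    """Return (lenient, strict) outcomes for corporate AND department."""
    preds = [corp, department]
    return and_lenient(preds, REQUEST), and_strict(preds, REQUEST)

if __name__ == "__main__":
    print("correct corporate policy:", compare(corporate))
    print("typo in corporate target:", compare(corporate_typo))
```

With the correctly written corporate policy both forms deny the contractor; with the typo, only the fail-closed form still denies.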