Subject: Re: [xacml] Boolean Policy resolution - a slight modification
Hi Bill,

You still have the problem for including your proposed "<join>" components
with other combinations of "<and>" and "<or>". So, I think it doesn't
really buy you much more.

I may have a good sound evaluation strategy by later today. Performing the
work on the lattice had actually got me to think of the problem a little
harder.

Cheers,
-Polar

On Thu, 7 Feb 2002, bill parducci wrote:

> it seems that we are actually trying to solve two problems with the
> '<and>' issue:
>
> 1. determining applicability of [sub]policies
> 2. determining evaluation result of resulting policy
>
> as i have stated in prior notes, i am not in favor of a policy resolving
> to true where any of the predicates evaluate to anything other than true
> and are combined with an '<and>' (true = true + n/a). on the other hand
> i support the idea of policy inclusion logic using this mechanism as hal
> has proposed below.
>
> in thinking more about this it seems that these functions should be
> handled separately (syntactically). what came to mind is the concept of
> a 'join'. it seems to me that behavior we are looking for with respect
> to aggregate policies ('use if it applies, ignore otherwise') is more in
> line with a 'join' than 'and'.
>
> <join>
>   <applicablePolicyReference>
>     xprp://policy.sample.com/$TargetValues
>   </applicablePolicyReference>
> </join>
>
> this leaves the term '<and>' with the forcefulness that i believe is
> appropriate.
>
> does this make sense?
>
> b
>
> -------- Original Message --------
> Subject: RE: [xacml] Boolean Policy resolution - a slight modification
> Date: Thu, 31 Jan 2002 11:02:57 -0500
> From: Hal Lockhart <hal.lockhart@entegrity.com>
> To: "'Anne Anderson'" <Anne.Anderson@Sun.com>, XACML TC
> <xacml@lists.oasis-open.org>
>
> [...]
>
> > Since this can return multiple applicable policies, I further propose
> > that the surrounding combinator treat each returned applicable policy as
> > if it were a distinct predicate. In other words (Polar should like this)
> > this:
> >
> > <and>
> >   <applicablePolicyReference>
> >     xprp://policy.sample.com/$TargetValues
> >   </applicablePolicyReference>
> > </and>
> >
> > means that value of each applicable policy returned is anded with the
> > others (and any other retrieval points within the combinator), as usual
> > dropping the ones that turn out to be inapplicable.
> >
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>
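The three combinator readings discussed in this thread, sketched as an added example that is not part of the original messages or of any XACML draft. The names `V`, `and_strict`, `and_dropping`, `join` and `demo` are hypothetical, and the results chosen where the thread is silent (what a strict `<and>` returns on n/a, what `<join>` returns when nothing applies) are assumptions marked in the comments.

```python
from enum import Enum

class V(Enum):
    TRUE = "true"
    FALSE = "false"
    NA = "n/a"  # policy does not apply to the request

def and_strict(operands):
    """<and> as Bill wants it: true only if every operand is true."""
    operands = list(operands)
    if V.FALSE in operands:
        return V.FALSE
    # Assumption: an inapplicable operand makes the result n/a, never true.
    return V.NA if V.NA in operands else V.TRUE

def and_dropping(operands):
    """<and> as Hal proposes: drop inapplicable operands, AND the rest."""
    applicable = [v for v in operands if v is not V.NA]
    if not applicable:
        return V.NA  # assumption: nothing applied, so nothing to report
    return V.TRUE if all(v is V.TRUE for v in applicable) else V.FALSE

def join(operands):
    """<join>: 'use if it applies, ignore otherwise'.
    Assumption: applicable members are ANDed, as in Hal's proposal."""
    return and_dropping(operands)

def demo():
    """Constructed case: one local predicate plus a policy reference
    that resolved to two sub-policies, neither of them applicable."""
    local, referenced = V.TRUE, [V.NA, V.NA]
    return {
        "hal_and": and_dropping([local, *referenced]),
        "strict_and_flat": and_strict([local, *referenced]),
        "join_alone": join(referenced),
        "strict_and_over_join": and_strict([local, join(referenced)]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} -> {value.value}")
```

Under these assumptions the `<join>` still hands an n/a to the enclosing strict `<and>`, so the outer combinator faces the same decision it faced without `<join>`, which is one reading of Polar's objection.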