OASIS Mailing List Archives

xacml message



Subject: [xacml] Syntax and semantics for an applicable policy


I propose that an <applicablePolicy> be the unit of evaluation.
It consists of the following basic elements:

  <applicablePolicy>
     <subject>"optional simple R.E. that subject must match"</subject>
     <resource>"optional simple R.E. that resource must match"</resource>
     <action>"optional simple R.E. that action must match"</action>
     <additionalConditions>[optional arbitrary boolean expression]</additionalConditions>
     <policy>
       [arbitrary combinator expression that can reference other applicablePolicies]
     </policy>
  </applicablePolicy>

A referencedPolicy is evaluated as follows:
1. If <subject> condition exists, evaluate it.  If false, return
   "not-applicable".  If error (should not occur), return "error".
2. If <resource> condition exists, evaluate it.  If false, return
   "not-applicable".  If error (should not occur), return "error".
3. If <action> condition exists, evaluate it.  If false, return
   "not-applicable".  If error (should not occur), return
   "error".
4. If <additionalConditions> exist, evaluate them.  If result is
   not true, return result.
5. Evaluate policy.  Return result.

Vendors that want to index policies can index on the <subject>,
<resource>, or <action> (or more than one) element.  A missing
<subject> element means "potentially applies to all subjects",
etc.

Simon's rules can be expressed using this syntax.

To make the combinator expression semantics clear, I propose we
use combinator attributes such as

   <AND not-applicable=ignore error=false>

where the options for "not-applicable" or "error" are "ignore",
"true", "false", "propagate", "error", or "not-applicable".
"Ignore" means eliminate any "not-applicable" referenced policies
from the expression before evaluating.  "Propagate" means if a
"not-applicable" or "error" is encountered, then the result of
the entire combinator expression immediately becomes
"not-applicable" or "error".  "not-applicable=error" means treat
a not-applicable referencedPolicy as an error.
"error=not-applicable" means treat a referencedPolicy that
returns error as not-applicable.

I don't think all combinations of attribute values are very
meaningful, but we would know how to evaluate.


-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
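The following is an added example, not code from the post above or from the XACML TC: a small Python evaluator for the proposed <applicablePolicy> element (steps 1-5) and for the combinator attributes not-applicable= and error=. The class and function names, the dict-shaped request, the sample rules and the choice to anchor the regexes with fullmatch are all assumptions made here; so are two corners the post leaves open, namely what happens when every operand is ignored (treated as not-applicable rather than the vacuous all([]) == True) and when the two attributes relabel each other in a cycle (reported as error).

```python
"""Toy evaluator for the <applicablePolicy> / combinator semantics proposed
in the post above.  Added example, not the post's or the XACML TC's code;
policy data, request format and all Python names are assumptions."""
import re

NOT_APPLICABLE = "not-applicable"
ERROR = "error"
_IGNORE = object()                        # sentinel: drop operand from the expression
OPTIONS = {"ignore", "true", "false", "propagate", "error", "not-applicable"}


class ApplicablePolicy:
    """One <applicablePolicy>: optional subject/resource/action regexes, an
    optional additionalConditions callable and a policy (bool or Combinator)."""

    def __init__(self, policy, subject=None, resource=None, action=None, additional=None):
        self.subject, self.resource, self.action = subject, resource, action
        self.additional = additional      # callable(request) -> True / False / other result
        self.policy = policy

    def evaluate(self, request):
        # Steps 1-3: each present target regex must match, else not-applicable.
        # fullmatch so "doctor:.*" is not satisfied by "notadoctor:x" (assumption).
        for name in ("subject", "resource", "action"):
            pattern = getattr(self, name)
            if pattern is None:
                continue                  # missing element: potentially applies to all
            try:
                if not re.fullmatch(pattern, request[name]):
                    return NOT_APPLICABLE
            except (re.error, KeyError, TypeError):
                return ERROR              # bad regex or malformed request
        # Step 4: additionalConditions; anything but True is returned as-is.
        if self.additional is not None:
            try:
                result = self.additional(request)
            except Exception:
                return ERROR
            if result is not True:
                return result
        # Step 5: evaluate the policy body.
        if isinstance(self.policy, Combinator):
            return self.policy.evaluate(request)
        return self.policy


class Combinator:
    """<AND not-applicable=... error=...> or <OR ...> over applicablePolicies."""

    def __init__(self, op, operands, not_applicable="ignore", error="propagate"):
        assert op in ("AND", "OR") and {not_applicable, error} <= OPTIONS
        self.op, self.operands = op, list(operands)
        self.opts = {NOT_APPLICABLE: not_applicable, ERROR: error}

    def _coerce(self, r):
        """Apply the not-applicable= / error= attribute to one operand result.
        Returns a bool, _IGNORE, or ("propagate", value) to end evaluation."""
        seen = set()
        while r in (NOT_APPLICABLE, ERROR):
            if r in seen:                 # not-applicable=error with error=not-applicable
                return ("propagate", ERROR)   # assumption: cyclic relabelling is an error
            seen.add(r)
            opt = self.opts[r]
            if opt == "ignore":
                return _IGNORE
            if opt in ("true", "false"):
                return opt == "true"
            if opt == "propagate" or opt == r:    # assumption: x=x behaves like propagate
                return ("propagate", r)
            r = opt                       # relabel not-applicable->error or error->not-applicable
        return r

    def evaluate(self, request):
        values = []
        for operand in self.operands:
            r = self._coerce(operand.evaluate(request))
            if r is _IGNORE:
                continue
            if isinstance(r, tuple):
                return r[1]               # propagate: whole expression takes this value
            values.append(r)
        if not values:
            return NOT_APPLICABLE         # assumption: everything ignored -> not-applicable
        return all(values) if self.op == "AND" else any(values)


# Constructed sample rules (not from the post).
doctor_read = ApplicablePolicy(True, subject=r"doctor:.*", resource=r"record/.*", action="read")
nurse_emergency = ApplicablePolicy(True, subject=r"nurse:.*", resource=r"record/.*",
                                   action="read", additional=lambda q: q.get("emergency") is True)
broken = ApplicablePolicy(True, subject="(")          # invalid regex -> error


def decide(request, **combinator_attrs):
    """Top-level applicablePolicy for records: OR of the two rules above."""
    top = ApplicablePolicy(Combinator("OR", [doctor_read, nurse_emergency], **combinator_attrs),
                           resource=r"record/.*")
    return top.evaluate(request)


if __name__ == "__main__":
    req = {"subject": "nurse:bob", "resource": "record/42", "action": "read"}
    print(decide(req))                             # False: emergency condition fails
    print(decide(req, not_applicable="propagate")) # not-applicable: doctor rule propagates
```

Two points worth noting from running it: because the nurse rule's additionalConditions returns False, step 4 yields False (a definite boolean), not not-applicable, so an OR that ignores not-applicable operands still ends up False rather than falling through; and a request that matches no rule's target yields not-applicable only because the example refuses to let an empty AND/OR evaluate vacuously, which the post does not specify and which is the first thing an indexer-friendly PDP should pin down.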



