Subject: [xacml] Syntax and semantics for an applicable policy
I propose that an <applicablePolicy> be the unit of evaluation. It consists of the following basic elements:

    <applicablePolicy>
      <subject>"optional simple R.E. that subject must match"</subject>
      <resource>"optional simple R.E. that resource must match"</resource>
      <action>"optional simple R.E. that action must match"</action>
      <additionalConditions>[optional arbitrary boolean expression]</additionalConditions>
      <policy>
        [arbitrary combinator expression that can reference other applicablePolicies]
      </policy>
    </applicablePolicy>

A referencedPolicy is evaluated as follows:

1. If <subject> condition exists, evaluate it. If false, return "not-applicable". If error (should not occur), return "error".
2. If <resource> condition exists, evaluate it. If false, return "not-applicable". If error (should not occur), return "error".
3. If <action> condition exists, evaluate it. If false, return "not-applicable". If error (should not occur), return "error".
4. If <additionalConditions> exist, evaluate them. If result is not true, return result.
5. Evaluate policy. Return result.

Vendors that want to index policies can index on the <subject>, <resource>, or <action> (or more than one) element. A missing <subject> element means "potentially applies to all subjects", etc.

Simon's rules can be expressed using this syntax.

To make the combinator expression semantics clear, I propose we use combinator attributes such as

    <AND not-applicable=ignore error=false>

where the options for "not-applicable" or "error" are "ignore", "true", "false", "propagate", "error", or "not-applicable".

"Ignore" means eliminate any "not-applicable" referenced policies from the expression before evaluating.

"Propagate" means if a "not-applicable" or "error" is encountered, then the result of the entire combinator expression immediately becomes "not-applicable" or "error".

"not-applicable=error" means treat a not-applicable referencedPolicy as an error.

"error=not-applicable" means treat a referencedPolicy that returns error as not-applicable.

I don't think all combinations of attribute values are very meaningful, but we would know how to evaluate.

--
Anne H. Anderson                       Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311            Tel: 781/442-0928
Burlington, MA 01803-0902 USA          Fax: 781/442-1692
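The five-step evaluation of an applicablePolicy and the not-applicable/error attributes of an AND combinator, worked through in Python as an added example (not code from the post or from any XACML implementation). It assumes policies and additional conditions are plain callables over a request dictionary, that a missing target element is skipped, that a substituted special value (e.g. error=not-applicable) is re-mapped through the other attribute once, and that an AND whose operands were all ignored is itself not-applicable.

```python
import re

NOT_APPLICABLE = "not-applicable"
ERROR = "error"
# What an attribute value substitutes for a special result (assumed mapping).
_SUBSTITUTE = {"true": True, "false": False,
               "error": ERROR, "not-applicable": NOT_APPLICABLE}


class ApplicablePolicy:
    """<applicablePolicy>: optional subject/resource/action R.E.s, optional
    additional conditions, and a policy callable, all evaluated on a request dict."""

    def __init__(self, policy, subject=None, resource=None, action=None, conditions=None):
        self.targets = {"subject": subject, "resource": resource, "action": action}
        self.conditions = conditions
        self.policy = policy

    def evaluate(self, request):
        # Steps 1-3: each present target pattern must fully match the request attribute.
        for name, pattern in self.targets.items():
            if pattern is None:          # missing element: potentially applies to all
                continue
            try:
                if re.fullmatch(pattern, request[name]) is None:
                    return NOT_APPLICABLE
            except (re.error, KeyError, TypeError):   # "should not occur"
                return ERROR
        # Step 4: any result other than true is returned as-is.
        if self.conditions is not None:
            result = self.conditions(request)
            if result is not True:
                return result
        return self.policy(request)      # Step 5


def combine_and(results, not_applicable="ignore", error="false"):
    """<AND not-applicable=... error=...> over already-evaluated referenced policies."""
    modes = {NOT_APPLICABLE: not_applicable, ERROR: error}
    operands = []
    for r in results:
        seen = set()
        while r in modes and r not in seen:   # re-map a special value per its attribute
            seen.add(r)
            mode = modes[r]
            if mode == "ignore":
                r = None                       # drop this operand from the expression
                break
            if mode == "propagate":
                return r                       # whole expression becomes that value
            r = _SUBSTITUTE[mode]
        if r is None:
            continue
        if r in modes:   # attributes map the two special values onto each other
            return r
        operands.append(r)
    return all(operands) if operands else NOT_APPLICABLE   # assumption for the empty case
```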