[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] Discussion summary and revised post-condition proposa l
The way I see it here, with Carlisle's answers, leaving out the discussion on Indeterminate for now, there is no way for you to interpret the "all-must-permit" without evaluating *ALL* it's constituents because you have to compile each policy's obligations. You're obligations are scoped to the policy evaluation of the policy they appear in, and not the final result. which is illustrated by your line: > > Permit Deny Deny: S, E Because Policy A Permits, and Policy B Denies, you do not havve the obligations of Q included for a deny on Policy A. You seem to be consitent (and quite understandably so!) in this regard. This scenario means that each policy MUST be evaluated to figure out whether to include its obligations or not. This situation is also illustrated by your following two lines: > > Deny Permit Deny: Q, E > > Deny Deny Deny: Q, S, E Where the Policy B Deny includes its E. One would think that if Policy A, denies, in a combinator, "all-must-permit", one would not care to evaluate Policy B at all, but must, to see if it should include the proper obligations, in this case E. Of course, we can write all kinds of combinators, thousands of them, for different evaluation strategies. all must permit, evaluate all for obligations all permit until one denies, take its deny obligations. etc. I'll have more on the subject later, but first. LUNCH! Cheers, -Polar On Thu, 21 Feb 2002, bill parducci wrote: > Carlisle Adams wrote: > > > Hi, > > > > I've filled in the column for Policy C below. > > [...] > > > Policy A Policy B Policy C > > ------------------------------------ > > Permit Permit Permit: P, R, and D > > Permit Deny Deny: S, E > > Permit Indeterminate Indeterminate: no obligations > > Deny Permit Deny: Q, E > > Deny Deny Deny: Q, S, E > > Deny Indeterminate Deny: Q, E > > Indeterminate Permit Indeterminate: no obligations > > Indeterminate Deny Deny: S, E > > Indeterminate Indeterminate Indeterminate: no obligations > > curious as to how you arrived at these: > > > Policy A Policy B Policy C > > ------------------------------------ > > Permit Indeterminate Indeterminate: no obligations > > Indeterminate Permit Indeterminate: no obligations > > Indeterminate Indeterminate Indeterminate: no obligations > > given that policy C has this: > > > <All-must-permit> > > Policy-A > > Policy-B > > </all-must-permit> > > my read is that these would be resolved thus: > > Policy A Policy B Policy C > ------------------------------------ > Permit Indeterminate Deny: E > Indeterminate Permit Deny: E > Indeterminate Indeterminate Deny: E > > b > > p.s. great example, polar! > > > ---------------------------------------------------------------- > To subscribe or unsubscribe from this elist use the subscription > manager: <http://lists.oasis-open.org/ob/adm.pl> >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC