OASIS Mailing List Archives

xacml message

Subject: [xacml] Proposed resolution to PM-1-01-A: Implementing global deny


I believe the following issue from Issues Version 05 for which I
am listed as the champion can be closed based on our 03/02
Face-to-Face agreements:

ISSUE: PM-1-01-A: Implementing global deny and Meta-Policies

Resolution: the syntax for <rule> allows for the <rule> to return
an <effect> of "permit" or "deny".  It is up to the combiner in
the <policyStatement> that uses a <rule> to determine the effect
of a <rule> that returns "deny".  Likewise, it is up to the
combiner in the <policyCombinationStatement> that uses a
<policyStatement> to determine the effect of a <policyStatement>
that returns "deny".

The following example combiners can be used to implement "global
deny" semantics for a <rule>.  Since an "indeterminate" rule
might have evaluated to "deny" if sufficient information had been
supplied, these examples treat "indeterminate" results like
"deny".

GLOBAL DENY RULE COMBINER:

  // atLeastOnePermit is declared before the loop so that it is not
  // reset to false on every iteration.
  boolean atLeastOnePermit = false;
  for <rule> in <ruleSet> {
    effect = eval(<rule>);
    if (effect == "deny" || effect == "indeterminate") {
       return "deny";            // a single deny (or indeterminate) wins
    } else if (effect == "permit") {
       atLeastOnePermit = true;
    }
    // "not applicable" leaves atLeastOnePermit unchanged
  }
  if (atLeastOnePermit) {
    return "permit";
  } else {
    return "not applicable";
  }

GLOBAL DENY POLICY COMBINER:

  // Same structure as the rule combiner, applied to the results of
  // each <policyStatement> in the set.
  boolean atLeastOnePermit = false;
  for <policy> in <policySet> {
    effect = eval(<policy>);
    if (effect == "deny" || effect == "indeterminate") {
      return "deny";             // a single deny (or indeterminate) wins
    } else if (effect == "permit") {
      atLeastOnePermit = true;
    }
    // "not applicable" leaves atLeastOnePermit unchanged
  }
  if (atLeastOnePermit) {
    return "permit";
  } else {
    return "not applicable";
  }

Policy and policy combination writers that do not wish to support
"global deny" semantics can specify different combiners.

Policy combination writers should publish the combiner they use
to policy writers so that consistent semantics are maintained: if
a policy combination writer is implementing "global deny", then
the policy writers should be aware that returning an effect of
"deny" will by itself result in denial of access.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
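The combiners proposed in the message above, worked through in runnable form as an added example (this is not code from the e-mail, from the XACML drafts, or from any XACML implementation). It treats rules and policies uniformly as callables returning one of the four effects, so the same global-deny function serves at both the rule-set and policy-set level, and it places a permit-overrides combiner beside it to show the semantic difference the message warns about: under global deny, an "indeterminate" rule (here, one that cannot read an attribute the request does not carry) denies access, while under permit-overrides the same request is permitted. The names Effect, combine_global_deny, combine_permit_overrides, make_policy and the sample rules and requests are all constructed for this example and are not spec identifiers.

```python
"""Global-deny combining for XACML-style rules and policies (added example).

Rules and policies are modelled as callables taking a request dict and
returning an Effect. All identifiers here are illustrative, not from the
XACML specification; the sample rules and requests are constructed.
"""
from enum import Enum
from typing import Callable, Sequence

class Effect(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not applicable"
    INDETERMINATE = "indeterminate"

Evaluable = Callable[[dict], Effect]

def safe_eval(child: Evaluable, request: dict) -> Effect:
    """Evaluate one rule/policy; a missing attribute (KeyError) means the
    evaluator lacked the information to decide, so the result is indeterminate."""
    try:
        return child(request)
    except KeyError:
        return Effect.INDETERMINATE

def combine_global_deny(children: Sequence[Evaluable], request: dict) -> Effect:
    """Global-deny combiner from the message: the first deny or indeterminate
    child denies the whole set; permit only if at least one child permitted
    and none denied; otherwise not applicable."""
    at_least_one_permit = False          # kept outside the loop so it persists
    for child in children:
        effect = safe_eval(child, request)
        if effect in (Effect.DENY, Effect.INDETERMINATE):
            return Effect.DENY           # a single deny wins, stop evaluating
        if effect is Effect.PERMIT:
            at_least_one_permit = True
        # NOT_APPLICABLE changes nothing
    return Effect.PERMIT if at_least_one_permit else Effect.NOT_APPLICABLE

def combine_permit_overrides(children: Sequence[Evaluable], request: dict) -> Effect:
    """Contrasting combiner for writers who do not want global-deny semantics:
    any permit wins, then deny, then indeterminate, else not applicable."""
    results = [safe_eval(child, request) for child in children]
    for winner in (Effect.PERMIT, Effect.DENY, Effect.INDETERMINATE):
        if winner in results:
            return winner
    return Effect.NOT_APPLICABLE

def make_policy(rules: Sequence[Evaluable], combiner) -> Evaluable:
    """Wrap a rule set plus its combiner as one evaluable, so the same combiner
    functions apply unchanged at the policy-set level."""
    def policy(request: dict) -> Effect:
        return combiner(rules, request)
    return policy

# --- constructed sample rules -------------------------------------------------
def rule_employee_read(req: dict) -> Effect:
    if req["role"] == "employee" and req["action"] == "read":
        return Effect.PERMIT
    return Effect.NOT_APPLICABLE

def rule_deny_after_hours(req: dict) -> Effect:
    # req["hour"] raises KeyError if the request omits the hour -> indeterminate
    return Effect.DENY if req["hour"] >= 18 else Effect.NOT_APPLICABLE

def rule_deny_contractor_write(req: dict) -> Effect:
    if req["role"] == "contractor" and req["action"] == "write":
        return Effect.DENY
    return Effect.NOT_APPLICABLE

RULES = [rule_employee_read, rule_deny_after_hours]
POLICY_SET = [
    make_policy(RULES, combine_global_deny),
    make_policy([rule_deny_contractor_write], combine_global_deny),
]

if __name__ == "__main__":
    daytime = {"role": "employee", "action": "read", "hour": 10}
    no_hour = {"role": "employee", "action": "read"}   # attribute missing
    print("global deny, daytime:", combine_global_deny(RULES, daytime).value)
    print("global deny, no hour:", combine_global_deny(RULES, no_hour).value)
    print("permit overrides, no hour:", combine_permit_overrides(RULES, no_hour).value)
```

Running the block shows the point of the message's last paragraph: a rule writer who expects "deny" (or an attribute lookup failure) to be decisive only gets that guarantee if the policy combiner actually applies global deny, so the combiner in use has to be published to the rule writers.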

