OASIS Mailing List Archives

 



xacml message



Subject: [xacml] Proposed resolution to PM-1-05:


I believe the following issue from Issues Version 05 for which I
am listed as the champion can be closed based on our 03/02
Face-to-Face agreements:

ISSUE: PM-1-05: how NOT-APPLICABLE impacts a combinator expression

Resolution: A <rule> will return NOT-APPLICABLE under the
following conditions:

<rule> Truth Table:

  Target   Condition  Effect
  ------   ---------  ------------
  match    match      [Effect]
  match    no-match   Inapplicable
  match    Indet.     Indet.
  no-match match      Inapplicable
  no-match no-match   Inapplicable
  no-match Indet.     Inapplicable

It is up to the combiner in the <policyStatement> that uses a
<rule> to determine the effect of a <rule> that returns
"Inapplicable".  Likewise, it is up to the combiner in the
<policyCombinationStatement> that uses a <policyStatement> to
determine the effect of a <policyStatement> that returns
"Inapplicable".

The example "GLOBAL DENY" combiners proposed in PM-1-01A can be
used to implement "remove inapplicable elements from the
computation" semantics.

The following example combiners can be used to implement
"inapplicable same as deny" semantics.  Such semantics might be
desired where all rules are intended to be applicable, so a
result of inapplicable indicates some breakdown in the
consistency of the system.

INAPPLICABLE GLOBAL DENY RULE COMBINER:

  if (<ruleSet> == null) {
    return "deny";
  }
  for <rule> in <ruleSet> {
    effect = eval(<rule>);
    if (effect == "deny" ||
        effect == "indeterminate" ||
        effect == "inapplicable") {
      return "deny";
    }
  }
  return "permit";


INAPPLICABLE GLOBAL DENY POLICY COMBINER:

  if (<policySet> == null) {
    return "deny";
  }
  for <policy> in <policySet> {
    effect = eval(<policy>);
    if (effect == "deny" ||
        effect == "indeterminate" ||
        effect == "inapplicable") {
      return "deny";
    }
  }
  return "permit";

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
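
The <rule> truth table and the INAPPLICABLE GLOBAL DENY RULE COMBINER from the message above, as a runnable Python sketch. This is an added example, not part of the original message or of any XACML implementation. The names Match, eval_rule, inapplicable_global_deny and demo, and the sample rule sets, are assumptions made for illustration.

```python
from enum import Enum

class Match(Enum):  # outcome of evaluating a target or a condition (hypothetical type)
    MATCH = "match"
    NO_MATCH = "no-match"
    INDETERMINATE = "indeterminate"

def eval_rule(target, condition, effect):
    """Apply the <rule> truth table; `effect` is the rule's own "permit" or "deny"."""
    if target is Match.NO_MATCH:
        return "inapplicable"      # rows 4-6: the condition outcome is irrelevant
    if target is not Match.MATCH:
        raise ValueError("the truth table has no row for this target outcome")
    if condition is Match.MATCH:
        return effect              # row 1
    if condition is Match.NO_MATCH:
        return "inapplicable"      # row 2
    return "indeterminate"         # row 3

def inapplicable_global_deny(rule_set):
    """Rule combiner from the message: any result other than the rule's permit denies."""
    if rule_set is None:
        return "deny"
    for target, condition, effect in rule_set:
        if eval_rule(target, condition, effect) in ("deny", "indeterminate", "inapplicable"):
            return "deny"          # first such rule decides; later rules are not evaluated
    return "permit"

M, N, I = Match.MATCH, Match.NO_MATCH, Match.INDETERMINATE

# Constructed rule sets: (target outcome, condition outcome, rule Effect).
ALL_APPLICABLE = [(M, M, "permit"), (M, M, "permit")]
ONE_OFF_TARGET = [(M, M, "permit"), (N, I, "permit")]  # second rule's target does not match

def demo():
    return {
        "all_applicable": inapplicable_global_deny(ALL_APPLICABLE),
        "one_off_target": inapplicable_global_deny(ONE_OFF_TARGET),
        "null_set": inapplicable_global_deny(None),
        # As the pseudocode is written, an empty (non-null) set skips the loop and permits.
        "empty_set": inapplicable_global_deny([]),
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```
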

