Re: [xacml] Proposed resolution to PM-1-02: Post-Conditions

[Anne Anderson <Anne.Anderson@Sun.COM>]

On 25 March, Polar Humenn writes: Re: [xacml] Proposed resolution to PM-1-02: Post-Conditions
 > You will have to explain explicitly the "collection" of obligations as
 > well, correct?
 >
 > On Mon, 25 Mar 2002, Anne Anderson wrote:
 > > I suggest two additional "standard" combiners other than
 > > GLOBAL-DENY:
 > >
 > >   AT-LEAST-ONE-PERMIT
 > >
 > >      Permit if at least one policy in the policy set or rule in
 > >      the rule set returns an effect of "permit" (similar to a
 > >      logical OR).
 > >
 > >   ALL-APPLICABLE-PERMIT
 > >
 > >      Permit only if all applicable rules or policies return an
 > >      effect of "permit" (similar to a logical AND).

I should amend the proposed rules to say "otherwise, return an
effect of "deny".  Now I think the general rule for collectin
obligations applies:

  "The set of obligations returned by each level of evaluation includes only
  those obligations associated with the effect element being returned by the
  given level of evaluation.  For example, a policy set may include some
  policies that return Permit and other policies that return Deny for a given
  request evaluation. If the policy combiner returns a result of Permit, then
  only those obligations associated with the policies that returned Permit
  are returned to the next higher level of evaluation.  If the PDP's
  evaluation is viewed as a tree of policyCombinationStatements,
  policyStatements, and rules, each of which returns "Permit" or "Deny", then
  the set of obligations returned by the PDP will include only the
  obligations associated with paths where the effect at each level of evaluation
  is the same as the effect being returned by the PDP."

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692