[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [xacml] Proposed semantics for operations involving INDETERMI NATE
> Each boolean function should have a proper result of True or False. Then
> there is no problem.
(1 divide 0) GT (INF plus NAN) ?
> That should be part of a recombination algorithm - how you prioritize
> - for that you need a way to communicate such an evaluation result.
> As for scalability - if you need to evaluate a zillion rules, you may
> want to recombine results from several PDP, each dealing with part of
> the policy - say #1, #2, #3 say N/A, as they have no rules for the
> subject, #4 says GRANT, #5 says ERROR, but #5 is the one handling DENY
> rules. If it says N/A, I am not sure it is what we want to have..
> Well, our current model, in your example, policies 1,2,3, and 5 would say
> Indeterminate, while #4 says Permit. However, if #5, by some crystal ball,
> may return a Deny. If that is really your intent, then you need to wrap
> the combination of policies with the Bill Parducci Policy Combinator which
> only gives yields Permit if every policy evaluates to Permit.
But if #5 has no PERMIT effect rules?
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC