OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [xacml] [CR] Add Default-deny policy combination algorithm

Add normative, mandatory-to-implement Default-deny policy
combination algorithm.

Text to be added as new section in Appendix C.

The following specification defines the "Default Deny" policy
combining algorithm of a policy set.

   In the entire set of policies to be evaluated, if any policy
   evaluates to Deny, then the result of the policy combination
   shall be Deny.  In other words, Deny takes precedence,
   regardless of the result of evaluating any of the other
   policies in the combination.  If all policies are found not to
   be applicable to the request, the policy combination returns
   Deny.  If there is any error evaluating the target of a
   policy, or a reference to a policy is considered invalid, or
   the policy evaluation results in Indeterminate, then the
   result of the combination shall be Deny.

The following pseudo code represents the evaluation strategy of
this policy-combining algorithm.

   Decision defaultDenyPolicyCombiningAlgorithm(Policy policies[])
   {
       Boolean atLeastOnePermit = false;
       for ( i=0 ; i < lengthOf(policies) ; i++ )
       {
           Decision decision = evaluate(policies[i]);
           if (decision == Deny)
           {
               return Deny;
           }
           if (decision == Permit)
           {
               atLeastOnePermit = true;
               continue;
           }
           if (decision == NotApplicable)
           {
               continue;
           }
           if (decision == Indeterminate)
           {
               return Deny;
           }
       }
       if (atLeastOnePermit)
       {
           return Permit;
       }
       return NotApplicable;
   }

Obligations of the individual policies shall be combined as
described in Section "Obligations."

Rationale:

   [The Bill Parducci Memorial Combination Algorithm] At the top
   level, a PDP may want to return Deny where  Deny-Overrides
   would have returned NotApplicable.  In other words, the PDP
   will return Deny unless the request is explicitly permitted
   and not explicitly denied.

   This combination algorithm may be used with underlying
   algorithms of either Permit-Overrides or Deny-Overrides to
   convert Indeterminate or NotApplicable results to Deny.
   
Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC