OASIS Mailing List Archives

xacml message



Subject: [xacml] Action Item on CR 19



I agree with Carlisle that the problem he states needs to be reckoned with
CR 19. The current algorithm breaks monotonicity in the evaluation of the
First Applicable Policy Combining algorithm, as he points out. It should
model the rule combining algorithm.

We should modify the current document by replacing the following
paragraph:

If there is any error evaluating the target or the policy, or a reference
to a policy is considered invalid, then the evaluation shall continue
looking for an applicable policy, if no applicable policy is found, then
the result of the combination is "Indeterminate".

with:

If there is any error evaluating the target, or while evaluating a
specific policy, the reference to the policy is considered invalid, or the
policy itself evaluates to "Indeterminate", then the evaluation of the
combining algorithm shall halt, and the result shall be "Indeterminate"
with an appropriate error status.

The pseudo code should say:

Decision firstApplicableEffectPolicyCombiningAlgorithm(Policy policy[])
{
	for( i = 0 ; i < lengthOf(policy) ; i++ )
	{
		Decision decision = evaluate(policy[i]);
		if(decision == Deny)
		{
			return Deny;
		}
		if(decision == Permit)
		{
			return Permit;
		}
		if (decision == NotApplicable)
		{
			continue;
		}
		if (decision == Indeterminate)
		{
			return Indeterminate;
		}
	}
	return NotApplicable;
}

Cheers,
-Polar
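
The difference between the paragraph being replaced and the proposed one, as an added example that is not part of the original message. The policies, request attributes and PolicyError class are constructed for illustration, and first_applicable_current is one reading of the replaced paragraph (keep looking after an error, report "Indeterminate" only if nothing applicable is found).

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

class PolicyError(Exception):
    """Constructed stand-in for a target/policy evaluation error."""

def evaluate(policy, request):
    try:
        return policy(request)
    except PolicyError:
        return Decision.INDETERMINATE  # error while evaluating this policy

def first_applicable_current(policies, request):
    """One reading of the paragraph being replaced: skip errors, keep looking."""
    saw_error = False
    for policy in policies:
        decision = evaluate(policy, request)
        if decision in (Decision.PERMIT, Decision.DENY):
            return decision
        saw_error = saw_error or decision is Decision.INDETERMINATE
    return Decision.INDETERMINATE if saw_error else Decision.NOT_APPLICABLE

def first_applicable_proposed(policies, request):
    """Proposed text and pseudocode: the first Indeterminate halts evaluation."""
    for policy in policies:
        decision = evaluate(policy, request)
        if decision is not Decision.NOT_APPLICABLE:
            return decision
    return Decision.NOT_APPLICABLE

# Constructed policies, in evaluation order.
def deny_contractors(request):
    if "role" not in request:
        raise PolicyError("missing attribute: role")
    return Decision.DENY if request["role"] == "contractor" else Decision.NOT_APPLICABLE

def permit_reads(request):
    return Decision.PERMIT if request.get("action") == "read" else Decision.NOT_APPLICABLE

POLICIES = [deny_contractors, permit_reads]

if __name__ == "__main__":
    for request in ({"role": "contractor", "action": "read"}, {"action": "read"}):
        print(request, first_applicable_current(POLICIES, request).value,
              first_applicable_proposed(POLICIES, request).value)
```

With the complete request both versions return Deny. With the role attribute missing, the first policy cannot be evaluated: the current reading falls through to the second policy and returns Permit, while the proposed text returns Indeterminate.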


