OASIS Mailing List Archives

xacml message

Subject: Re: [xacml] [CR] New Section 7.x: Initial policy


A PDP may encounter a situation where it finds multiple policies,
despite our statement that it MUST NOT.  I am trying to provide
guidance for the implementer on how to handle this situation.

A typical, skilled implementor known to me, who shall remain
unnamed, wanted to know if he/she should write her/his
implementation to *verify* that there is only one and what to
return if more than one were encountered.

So this is a real question that implementors want to know the
answer to.

-Anne

On 8 October, Polar Humenn writes: Re: [xacml] [CR] New Section 7.x: Initial policy
 > Again, this is up to configuration of the PDP. You either say that the PDP
 > is represented by ONE and only ONE policy and leave it at that.
 > 
 > If you go multiple Policy, then things are up for grabs.  You are sort of
 > outlining a twist on the First Applicable combining algorithm with some
 > mandated configuration.
 > 
 > But, there are no configuration interfaces for the PDP, so how can you
 > enforce what its configuration has to be?
 > 
 > I suggest that we either say that a PDP is represented by ONE and only ONE
 > policy (where everything is specified by XACML policy), or it's up to
 > the configuration, and/or its management interfaces, if it has any.
 > 
 > -Polar
 > 
 > On Tue, 8 Oct 2002, Anne Anderson wrote:
 > 
 > > CR: Add new section to Chapter 7 to describe requirements on the
 > > initial policy used by the PDP.
 > >
 > > Rationale: clarify the requirements on initial policy.
 > >
 > > Text:
 > >
 > > 7.x Initial policy
 > >
 > > A PDP MUST have a means of obtaining either zero initial
 > > applicable policies or one initial applicable policy for a given
 > > <Request>.  If the PDP has zero initial applicable policies, then
 > > the PDP MUST return a result of "NotApplicable".  If the PDP has
 > > more than one initial applicable policy, then the PDP MUST return
 > > a result of "Indeterminate" (due to "Initial policy not unique").
 > > If the PDP can determine a single initial applicable policy by
 > > assuming that there is only one, then the PDP MUST return the
 > > result of evaluating that policy.  If the PDP is unable to
 > > determine whether there is only a single applicable policy (such
 > > as obtaining an "Indeterminate" result when comparing the
 > > <Request> against the <Target> of a policy candidate), then the
 > > PDP MUST return a result of "Indeterminate" (due to "Error in
 > > obtaining initial policy").
 > >
 > > The single initial policy MAY be configured as part of the PDP.
 > >
 > > The single initial policy MAY be retrieved from among multiple
 > > candidates from a repository, based on matching the <Request>
 > > against the <Target> elements of the candidates.  There MUST be
 > > only one policy in the repository that will match any given
 > > <Request>.  The PDP MUST be implemented to assume there is only
 > > one match, such that, if a candidate policy is found, no further
 > > search for candidates is performed.  However, if multiple matches
 > > are unavoidably encountered by the implementation, then the PDP
 > > MUST return a result of "Indeterminate" (due to "Initial policy
 > > not unique").
 > >
 > > The single initial policy MAY be constructed by the PIP based on
 > > a single configured Policy Combining Algorithm and a set of
 > > policies retrieved from among multiple candidates in a
 > > repository, based on matching the <Request> against the <Target>
 > > elements of the candidates.  In this case, there MAY be more than
 > > one policy in the repository that matches a given <Request>.  In
 > > this case, if the evaluation of the <Target> of any candidate
 > > policy returns a result of "Indeterminate", then that candidate
 > > policy MUST be included in the set of policies from which the
 > > single initial policy is constructed.

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
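Added example (not part of Anne's message, the CR text, or any XACML implementation): a small Python model of the three ways of obtaining the initial policy described in the quoted CR, with the implementer's question from the top of the message made concrete as a verify_unique switch. The Policy class, the resource-id attribute, the sample repository and the deny-overrides variant are assumptions made for the example, not anything the thread specifies.

```python
# Added example (not from the XACML spec or any PDP implementation): a toy model
# of the "initial policy" rules in the quoted CR. Names, the request shape and the
# deny-overrides variant below are assumptions made for the example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# <Target> match outcomes
MATCH, NO_MATCH, INDETERMINATE = "Match", "NoMatch", "Indeterminate"
# decisions returned to the PEP
PERMIT, DENY, NOT_APPLICABLE, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"

Request = Dict[str, str]


@dataclass
class Policy:
    policy_id: str
    target: Callable[[Request], str]    # request -> Match | NoMatch | Indeterminate
    evaluate: Callable[[Request], str]  # request -> decision (only called on a Match)


def target_resource(resource_id: str) -> Callable[[Request], str]:
    """Target that matches one resource-id. A request without the attribute
    cannot be compared at all, which is the 'Indeterminate' case in the CR."""
    def match(req: Request) -> str:
        if "resource-id" not in req:
            return INDETERMINATE
        return MATCH if req["resource-id"] == resource_id else NO_MATCH
    return match


def unique_initial_policy(repo: List[Policy], req: Request,
                          verify_unique: bool) -> Tuple[str, str]:
    """Second option in the CR: the repository must hold exactly one match.
    verify_unique=False stops at the first match (the 'assume only one' rule);
    verify_unique=True keeps scanning so a duplicate is detected and reported.
    Returns (decision, status message)."""
    found = None
    for p in repo:
        outcome = p.target(req)
        if outcome == INDETERMINATE:
            return INDET, "Error in obtaining initial policy"
        if outcome == MATCH:
            if found is not None:
                return INDET, "Initial policy not unique"
            found = p
            if not verify_unique:
                break
    if found is None:
        return NOT_APPLICABLE, ""
    return found.evaluate(req), ""


def deny_overrides(decisions: List[str]) -> str:
    """Simplified deny-overrides: Indeterminate is treated as Deny (assumption of
    this example, chosen so an unmatchable Target can never widen access)."""
    if DENY in decisions or INDET in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def combined_initial_policy(repo: List[Policy], req: Request,
                            combine: Callable[[List[str]], str]) -> str:
    """Third option in the CR: every matching candidate, plus every candidate
    whose Target is Indeterminate, goes into one combined initial policy."""
    decisions = []
    for p in repo:
        outcome = p.target(req)
        if outcome == MATCH:
            decisions.append(p.evaluate(req))
        elif outcome == INDETERMINATE:
            decisions.append(INDET)      # included, never silently dropped
        # NO_MATCH candidates are left out of the set
    return combine(decisions)


# Constructed sample repository: two policies match resource "doc1", which a
# single-policy PDP is not supposed to encounter.
REPO = [
    Policy("doc1-permit", target_resource("doc1"), lambda r: PERMIT),
    Policy("doc1-deny", target_resource("doc1"), lambda r: DENY),
    Policy("doc2-deny", target_resource("doc2"), lambda r: DENY),
]


def demo() -> Dict[str, Tuple[str, str]]:
    doc1, doc2, nores = {"resource-id": "doc1"}, {"resource-id": "doc2"}, {}
    return {
        "first-wins": unique_initial_policy(REPO, doc1, verify_unique=False),
        "verified": unique_initial_policy(REPO, doc1, verify_unique=True),
        "single": unique_initial_policy(REPO, doc2, verify_unique=True),
        "none": unique_initial_policy(REPO, {"resource-id": "doc9"}, True),
        "bad-target": unique_initial_policy(REPO, nores, verify_unique=True),
        "combined": (combined_initial_policy(REPO, doc1, deny_overrides), ""),
        "combined-bad": (combined_initial_policy(REPO, nores, deny_overrides), ""),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} -> {result}")
```

The "first-wins" and "verified" rows are the point of the implementer's question: with the "assume only one match" rule taken literally, the same duplicated repository yields Permit or Deny depending purely on search order, whereas the verifying PDP reports "Initial policy not unique" and the PEP can deny by default.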



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC