Subject: Re: [xacml] [CR] New Section 7.x: Initial policy


I think this is an excellent proposal.  Thanks.  -Anne

"Polar Humenn" <polar@syr.edu> wrote:
>Date: Wed, 9 Oct 2002 17:38:16 -0400 (EDT)
>
>C.4 Only-one-applicable-policy
>
>The following specification defines the "Only One Applicable Policy"
>policy-combining algorithm of a policy set.
>
>In the entire set of policies in the policy set, if no policy is
>considered applicable by virtue of their targets, then the result of the
>policy combination algorithm SHALL be "NotApplicable". If more than one
>policy is considered applicable by virtue of their targets, then the
>result of the policy combination algorithm SHALL be "Indeterminate".
>If only one policy is considered applicable by evaluation of the policy
>targets, then the result of the policy combining algorithm SHALL be the
>result of evaluating the policy.
>
>If an error occurs while evaluating the target of a policy, or a reference
>to a policy is considered invalid or the policy evaluation results in
>"Indeterminate", then the policy set SHALL evaluate to "Indeterminate".
>
>The following pseudo-code represents the evaluation strategy of this
>policy combining algorithm.
>
>Decision onlyOneApplicablePolicyCombiningAlgorithm(Policy policy[])
>{
>  Boolean atLeastOne     = false;
>  Policy  selectedPolicy = null;
>
>  for ( i = 0; i < lengthOf(policy) ; i++ )
>  {
>     if ( isApplicable(policy[i] ) )
>     {
>         if ( atLeastOne )
>         {
>             // a second applicable policy: the applicable policy is not unique
>             return Indeterminate;
>         }
>         else
>         {
>             atLeastOne     = true;
>             selectedPolicy = policy[i];
>         }
>     }
>  }
>  if ( atLeastOne )
>  {
>      // exactly one policy applied: the policy set's result is its result
>      return evaluate(selectedPolicy);
>  }
>  else
>  {
>      return NotApplicable;
>  }
>}
>
>
>Then in Chapter 7.x
>
>A PDP SHALL represent one Policy, or PolicySet. Should the PDP be dynamic
>in nature in retrieving policies based on the request, the PDP SHALL act
>as if it represents a single Policy Set with the "Only One Applicable
>Policy" policy combining algorithm.
>
>
>----
>
>This way, with the single PEP-PDP model, and the single PDP to single
>PolicySet model, we tighten up all the evaluation semantics.
>
>Cheers,
>-Polar
>
>On Tue, 8 Oct 2002, Anne Anderson wrote:
>
>> CR: Add new section to Chapter 7 to describe requirements on the
>> initial policy used by the PDP.
>>
>> Rationale: clarify the requirements on initial policy.
>>
>> Text:
>>
>> 7.x Initial policy
>>
>> A PDP MUST have a means of obtaining either zero initial
>> applicable policies or one initial applicable policy for a given
>> <Request>.  If the PDP has zero initial applicable policies, then
>> the PDP MUST return a result of "NotApplicable".  If the PDP has
>> more than one initial applicable policy, then the PDP MUST return
>> a result of "Indeterminate" (due to "Initial policy not unique").
>> If the PDP can determine a single initial applicable policy by
>> assuming that there is only one, then the PDP MUST return the
>> result of evaluating that policy.  If the PDP is unable to
>> determine whether there is only a single applicable policy (such
>> as obtaining an "Indeterminate" result when comparing the
>> <Request> against the <Target> of a policy candidate), then the
>> PDP MUST return a result of "Indeterminate" (due to "Error in
>> obtaining initial policy").
>>
>> The single initial policy MAY be configured as part of the PDP.
>>
>> The single initial policy MAY be retrieved from among multiple
>> candidates from a repository, based on matching the <Request>
>> against the <Target> elements of the candidates.  There MUST be
>> only one policy in the repository that will match any given
>> <Request>.  The PDP MUST be implemented to assume there is only
>> one match, such that, if a candidate policy is found, no further
>> search for candidates is performed.  However, if multiple matches
>> are unavoidably encountered by the implementation, then the PDP
>> MUST return a result of "Indeterminate" (due to "Initial policy
>> not unique").
>>
>> The single initial policy MAY be constructed by the PIP based on
>> a single configured Policy Combining Algorithm and a set of
>> policies retrieved from among multiple candidates in a
>> repository, based on matching the <Request> against the <Target>
>> elements of the candidates.  In this case, there MAY be more than
>> one policy in the repository that matches a given <Request>.  In
>> this case, if the evaluation of the <Target> of any candidate
>> policy returns a result of "Indeterminate", then that candidate
>> policy MUST be included in the set of policies from which the
>> single initial policy is constructed.
>>
>> Anne
>> --
>> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
>> Sun Microsystems Laboratories
>> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
>> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>>
>>
>>
>

Anne
---------
Anne Anderson                     Anne.Anderson@Sun.COM
Internet Security Research Group
Sun Labs, Burlington, MA          Phone: 781-442-0928
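The combining algorithm proposed above (Polar's C.4 pseudo-code together with the three result causes spelled out in Anne's 7.x text) can be modelled in a few dozen lines. The following Python is an added worked example, not text from the XACML TC or either poster: targets are modelled as callables returning a three-valued match so that an error while evaluating a `<Target>` is reported as "Indeterminate", a missing request attribute is taken as such an error (an assumption standing in for a MustBePresent designator), and the constructed repository deliberately contains two policies whose targets both match the "payroll" resource so that the "not unique" path is exercised.

```python
"""Model of the 'Only One Applicable Policy' combining algorithm.

Added example, not XACML TC text. Policy ids, attribute names and the
repository contents below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


class Match(Enum):
    MATCH = "Match"
    NO_MATCH = "NoMatch"
    INDETERMINATE = "Indeterminate"   # error while evaluating the <Target>


Request = Dict[str, str]
Target = Callable[[Request], Match]


@dataclass
class Policy:
    policy_id: str
    target: Target
    decision: Decision   # stands in for evaluating the policy's rules


def attribute_equals(name: str, value: str) -> Target:
    """Target that matches when request[name] == value.

    Assumption for this example: a missing attribute is an evaluation error
    (as with a MustBePresent designator), so the target is Indeterminate.
    """
    def target(request: Request) -> Match:
        if name not in request:
            return Match.INDETERMINATE
        return Match.MATCH if request[name] == value else Match.NO_MATCH
    return target


def only_one_applicable(policies: List[Policy], request: Request) -> Tuple[Decision, str]:
    """Combine `policies` for `request` following the proposed C.4 algorithm.

    Returns the decision plus the cause named in the 7.x text (the cause
    string is this example's addition; the pseudo-code returns only a Decision).
    """
    selected: Optional[Policy] = None
    for policy in policies:
        match = policy.target(request)
        if match is Match.INDETERMINATE:
            # Cannot tell whether this policy applies: the whole set is Indeterminate.
            return Decision.INDETERMINATE, "Error in obtaining initial policy"
        if match is Match.MATCH:
            if selected is not None:
                # Second applicable policy found: the initial policy is not unique.
                return Decision.INDETERMINATE, "Initial policy not unique"
            selected = policy
    if selected is None:
        return Decision.NOT_APPLICABLE, "No applicable policy"
    return selected.decision, f"Result of evaluating {selected.policy_id}"


# Constructed repository: two policies collide on resource "payroll".
REPOSITORY: List[Policy] = [
    Policy("payroll-deny", attribute_equals("resource", "payroll"), Decision.DENY),
    Policy("payroll-permit", attribute_equals("resource", "payroll"), Decision.PERMIT),
    Policy("wiki-permit", attribute_equals("resource", "wiki"), Decision.PERMIT),
]


def decide(request: Request) -> Decision:
    """Decision only, for callers that do not need the cause."""
    return only_one_applicable(REPOSITORY, request)[0]


if __name__ == "__main__":
    for req in ({"resource": "wiki"}, {"resource": "payroll"}, {"resource": "hr"}, {}):
        print(req, "->", only_one_applicable(REPOSITORY, req))
```

The order of checks matters for the defender: an Indeterminate target is reported as soon as it is met, before any later policy is looked at, which is the "fail closed" reading of the proposed text, since a PEP must not treat "Indeterminate" as a grant; and a second matching policy is reported even when its decision would have agreed with the first, because the proposal makes uniqueness, not agreement, the requirement.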