Subject: Re: [xacml] [CR] New Section 7.x: Initial policy
I think this is an excellent proposal. Thanks.

-Anne

"Polar Humenn" <polar@syr.edu> wrote:
>Date: Wed, 9 Oct 2002 17:38:16 -0400 (EDT)
>
>C.4 Only-one-applicable-policy
>
>The following specification defines the "Only One Applicable Policy"
>policy-combining algorithm of a policy set.
>
>In the entire set of policies in the policy set, if no policy is
>considered applicable by virtue of their targets, then the result of the
>policy combination algorithm SHALL be "NotApplicable". If more than one
>policy is considered applicable by virtue of their targets, then the
>result of the policy combination algorithm SHALL be "Indeterminate".
>If only one policy is considered applicable by evaluation of the policy
>targets, then the result of the policy combining algorithm SHALL be the
>result of evaluating the policy.
>
>If an error occurs while evaluating the target of a policy, or a reference
>to a policy is considered invalid, or the policy evaluation results in
>"Indeterminate", then the policy set SHALL evaluate to "Indeterminate".
>
>The following pseudo-code represents the evaluation strategy of this
>policy combining algorithm.
>
>Decision onlyOneApplicablePolicyCombiningAlgorithm(Policy policy[])
>{
>  Boolean atLeastOne = false;
>  Policy selectedPolicy = null;
>
>  // Scan every policy's target; remember the first applicable one.
>  for ( i = 0; i < lengthOf(policy); i++ )
>  {
>    if ( isApplicable(policy[i]) )
>    {
>      if ( atLeastOne )
>      {
>        return Indeterminate;   // a second applicable policy was found
>      }
>      else
>      {
>        atLeastOne = true;
>        selectedPolicy = policy[i];
>      }
>    }
>  }
>  if ( atLeastOne )
>  {
>    return evaluate(selectedPolicy);   // exactly one applicable policy
>  }
>  else
>  {
>    return NotApplicable;   // no policy was applicable
>  }
>}
>
>
>Then in Chapter 7.x
>
>A PDP SHALL represent one Policy, or PolicySet. Should the PDP be dynamic
>in nature in retrieving policies based on the request, the PDP SHALL act
>as if it represents a single Policy Set with the "Only One Applicable Policy"
>policy combining algorithm.
>
>
>----
>
>This way, with the single PEP-PDP model, and the single PDP to single
>PolicySet model, we tighten up all the evaluation semantics.
>
>Cheers,
>-Polar
>
>On Tue, 8 Oct 2002, Anne Anderson wrote:
>
>> CR: Add new section to Chapter 7 to describe requirements on the
>> initial policy used by the PDP.
>>
>> Rationale: clarify the requirements on initial policy.
>>
>> Text:
>>
>> 7.x Initial policy
>>
>> A PDP MUST have a means of obtaining either zero initial
>> applicable policies or one initial applicable policy for a given
>> <Request>. If the PDP has zero initial applicable policies, then
>> the PDP MUST return a result of "NotApplicable". If the PDP has
>> more than one initial applicable policy, then the PDP MUST return
>> a result of "Indeterminate" (due to "Initial policy not unique").
>> If the PDP can determine a single initial applicable policy by
>> assuming that there is only one, then the PDP MUST return the
>> result of evaluating that policy. If the PDP is unable to
>> determine whether there is only a single applicable policy (such
>> as obtaining an "Indeterminate" result when comparing the
>> <Request> against the <Target> of a policy candidate), then the
>> PDP MUST return a result of "Indeterminate" (due to "Error in
>> obtaining initial policy").
>>
>> The single initial policy MAY be configured as part of the PDP.
>>
>> The single initial policy MAY be retrieved from among multiple
>> candidates from a repository, based on matching the <Request>
>> against the <Target> elements of the candidates. There MUST be
>> only one policy in the repository that will match any given
>> <Request>. The PDP MUST be implemented to assume there is only
>> one match, such that, if a candidate policy is found, no further
>> search for candidates is performed. However, if multiple matches
>> are unavoidably encountered by the implementation, then the PDP
>> MUST return a result of "Indeterminate" (due to "Initial policy
>> not unique").
>>
>> The single initial policy MAY be constructed by the PIP based on
>> a single configured Policy Combining Algorithm and a set of
>> policies retrieved from among multiple candidates in a
>> repository, based on matching the <Request> against the <Target>
>> elements of the candidates. In this case, there MAY be more than
>> one policy in the repository that matches a given <Request>. In
>> this case, if the evaluation of the <Target> of any candidate
>> policy returns a result of "Indeterminate", then that candidate
>> policy MUST be included in the set of policies from which the
>> single initial policy is constructed.
>>
>> Anne
>> --
>> Anne H. Anderson               Email: Anne.Anderson@Sun.COM
>> Sun Microsystems Laboratories
>> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
>> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>>
>

Anne
---------
Anne Anderson
Anne.Anderson@Sun.COM
Internet Security Research Group
Sun Labs, Burlington, MA
Phone: 781-442-0928
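As an added illustration (not code from the thread or from any XACML implementation), the following Python models the "Only One Applicable Policy" combining algorithm from Polar's pseudo-code, and also applies the error rule from his prose that the pseudo-code leaves implicit: a target that evaluates to "Indeterminate" makes the whole policy set "Indeterminate". The `Policy` class, the sample policies and the requests are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable

# Names taken from the thread: target outcomes and decisions.
MATCH, NO_MATCH, INDETERMINATE = "Match", "NoMatch", "Indeterminate"
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Policy:  # hypothetical: a target matcher plus a rule evaluator
    name: str
    target: Callable[[dict], str]    # request -> Match / NoMatch / Indeterminate
    evaluate: Callable[[dict], str]  # request -> Permit / Deny / NotApplicable / Indeterminate

def only_one_applicable(policies: list, request: dict) -> str:
    """Policy-set decision under Only-One-Applicable, including the error rule."""
    selected = None
    for policy in policies:
        outcome = policy.target(request)
        if outcome == INDETERMINATE:
            # Error while evaluating a target: the whole policy set is Indeterminate.
            return INDETERMINATE
        if outcome == MATCH:
            if selected is not None:
                # A second applicable policy: uniqueness is violated.
                return INDETERMINATE
            selected = policy
    if selected is None:
        return NOT_APPLICABLE
    return selected.evaluate(request)   # may itself be Indeterminate

# Constructed sample policies keyed on a "resource" attribute (not from the thread).
def matches_resource(prefix):
    return lambda req: MATCH if req.get("resource", "").startswith(prefix) else NO_MATCH

def needs_subject(req):
    # A target that cannot be evaluated when the subject attribute is missing.
    return NO_MATCH if "subject" in req else INDETERMINATE

POLICIES = [
    Policy("finance", matches_resource("/finance/"),
           lambda r: PERMIT if r.get("subject") == "cfo" else DENY),
    Policy("finance-audit", matches_resource("/finance/audit"), lambda r: PERMIT),
    Policy("hr", matches_resource("/hr/"), lambda r: DENY),
    Policy("subject-check", needs_subject, lambda r: PERMIT),
]

if __name__ == "__main__":
    for req in ({"subject": "cfo", "resource": "/finance/q3"}, {"resource": "/hr/x"}):
        print(req, "->", only_one_applicable(POLICIES, req))
```

Note that a request under `/finance/audit` matches two targets and so yields "Indeterminate" regardless of what either policy would decide, which is exactly the "Initial policy not unique" case in Anne's CR.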