OASIS Mailing List Archives

xacml message



Subject: Re: [xacml] bags and targets. Forwarded message from Seth Proctor.


On 17 October, Polar Humenn writes: Re: [xacml] bags and targets. Forwarded message from Seth Proctor.
 > This sentence means exactly what it says. If the selector or
 > designator evaluates to an empty bag, then there is no match, i.e. the
 > match "predicate" is False.

Isn't this in direct contradiction to your proposed text for
"7.4.2.2 Missing Attributes":

    7.4.2.2 Missing Attributes

    The PDP SHALL consider an attribute as missing if it
    evaluates an expression that requires at least one value to
    be present from an attribute designator or selector. In this
    case, the expression evaluates to "indeterminate". The PDP
    may carry the missing attribute upward in its indeterminate
    value in accordance with the XACML evaluation strategy of the
    encompassing expressions, rules, policies, and policy
    sets. If the PDP evaluates its policy or policy set to
    Indeterminate with a missing attribute, the PDP MAY list the
    AttributeId and DataType of that attribute in the result as
    described in Section 7.5 "Authorization decision".  However,
    the PDP MAY choose not to issue such information due to
    security concerns.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
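
The two readings contrasted in the message above, run side by side on one request. This is an added example, not part of the original message and not code from any XACML implementation. The request, the predicates, the function names, and the rule that a False match takes precedence over an Indeterminate one in the target are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

STRING = "http://www.w3.org/2001/XMLSchema#string"  # XACML string DataType URI

class Match(Enum):
    TRUE = "True"
    FALSE = "False"
    INDETERMINATE = "Indeterminate"

@dataclass(frozen=True)
class Result:
    value: Match
    missing: tuple = ()  # (AttributeId, DataType) pairs carried upward

def match(request, attribute_id, data_type, expected, empty_bag_is_missing):
    """Evaluate one match predicate against the bag a designator returns."""
    bag = request.get(attribute_id, [])  # absent attribute -> empty bag
    if not bag:
        if empty_bag_is_missing:
            # Proposed 7.4.2.2: a required value is absent -> Indeterminate
            return Result(Match.INDETERMINATE, ((attribute_id, data_type),))
        # Quoted sentence: empty bag -> the match predicate is False
        return Result(Match.FALSE)
    return Result(Match.TRUE if expected in bag else Match.FALSE)

def evaluate_target(results, disclose_missing=True):
    """Conjunction of matches (example's assumption): False wins, then Indeterminate."""
    if any(r.value is Match.FALSE for r in results):
        return Result(Match.FALSE)
    missing = tuple(m for r in results for m in r.missing)
    if any(r.value is Match.INDETERMINATE for r in results):
        # The PDP MAY list the missing attributes, or withhold them
        return Result(Match.INDETERMINATE, missing if disclose_missing else ())
    return Result(Match.TRUE)

def compare(request, predicates, disclose_missing=True):
    """Return the target result under each of the two readings."""
    out = {}
    for name, flag in (("empty_is_false", False), ("empty_is_missing", True)):
        results = [match(request, a, d, v, flag) for a, d, v in predicates]
        out[name] = evaluate_target(results, disclose_missing)
    return out

# Constructed sample request: "department" is not supplied.
REQUEST = {"role": ["doctor"]}
PREDICATES = [("role", STRING, "doctor"), ("department", STRING, "cardiology")]

if __name__ == "__main__":
    for reading, result in compare(REQUEST, PREDICATES).items():
        print(reading, result.value.value, result.missing)
```
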


