[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [xacml] bags and targets. Forwarded message from Seth Proctor .
b) If I try to use an attribute whose retrieval could fail in a Target, then the Target will evaluate to NotApplicable. This will happen even if a temporary network glitch was the cause for the attribute retrieval failure, and even if the policy has a "Deny" effect and would have caused me to deny access had the attribute been available. --------------------------- Couple more notes.. In the same fashion your rule repository could break or hacked in. There are many of modes to break down, but the system stability is hardly a concern for the authorization logic, is it? Also - empty bag is NOT a failed retrieval. Failed retrieval MUST result in Indeterminate. Empty bag means that context was verified intact, working and lacking a particular named attribute value. If the presense of such attribute was required by the rule logic - it is a missing attribute, expressed as Indeterminate value, as in Polar's one-and-only example.. Daniel.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC