xacml message



Subject: Section 7.2 Base policy (was A single tree?)


I think "Section 7. Functional requirements", "7.2 Base policy"
can be clarified.

Here are the essential points:
1) PolicyCombiningAlgorithm is the only defined way for a PDP to
   deal with multiple PolicySet or Policy instances.  This means
   the PDP's ultimate evaluation interface can only evaluate one
   PolicySet or Policy for a given Request.
2) We do not want to constrain where or how this one applicable
   PolicySet or Policy is created.  It might be created by the
   policy authoring mechanism, by the policy storage mechanism,
   by the policy indexing mechanism, or by the policy retrieval
   mechanism.
3) For well-defined behavior, we need to define a default for the
   case where multiple Policy or PolicySet instances apply.

Here is a suggested wording:

  A PDP SHALL evaluate only one Policy or PolicySet instance with
  respect to any given Request Context.  This specification does
  not constrain how or when this single Policy or PolicySet is
  created, selected, retrieved, or represented.  Among other
  solutions, a policy authoring and storage mechanism MAY ensure
  that there is only one applicable policy that can be retrieved
  for any given Request; or, a policy retrieval mechanism MAY
  construct a single PolicySet having a specified Policy
  Combining Algorithm dynamically from all applicable policies in
  the repository.

  If for some reason more than one Policy or PolicySet is
  applicable to a given Request at the point where the Policy or
  PolicySet instances must be evaluated by the PDP, the default
  behavior of the PDP SHALL be to return a result of
  "Indeterminate".

Anne Anderson
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
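
The two behaviors in the suggested wording above, as an added example that is not part of the original message or of the XACML specification: a PDP entry point that returns "Indeterminate" when more than one top-level Policy or PolicySet applies, and a retrieval step that wraps all applicable policies in one dynamically built PolicySet. All class and function names are hypothetical; returning "NotApplicable" when nothing applies and the reduced deny-overrides logic are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]

@dataclass
class Policy:
    policy_id: str
    target: Callable[[Request], bool]  # True when the policy applies to the request
    effect: str                        # "Permit" or "Deny" (rules collapsed to one effect)

    def applies(self, request: Request) -> bool:
        return self.target(request)

    def evaluate(self, request: Request) -> str:
        return self.effect if self.applies(request) else "NotApplicable"

@dataclass
class PolicySet:
    policy_set_id: str
    members: List[Policy]
    combining_alg: Callable[[List[str]], str]

    def applies(self, request: Request) -> bool:
        return any(m.applies(request) for m in self.members)

    def evaluate(self, request: Request) -> str:
        return self.combining_alg([m.evaluate(request) for m in self.members])

def deny_overrides(decisions: List[str]) -> str:
    # Assumption: reduced form that ignores Indeterminate member results.
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"

def pdp_evaluate(candidates: list, request: Request) -> str:
    """Evaluate exactly one top-level Policy or PolicySet for the request."""
    applicable = [c for c in candidates if c.applies(request)]
    if len(applicable) > 1:
        return "Indeterminate"         # default from the suggested wording
    if not applicable:
        return "NotApplicable"         # assumption: the message does not cover this case
    return applicable[0].evaluate(request)

def retrieve_as_single_set(repository: List[Policy], request: Request,
                           combining_alg: Callable[[List[str]], str]) -> PolicySet:
    """Retrieval mechanism that hands the PDP one dynamically built PolicySet."""
    applicable = [p for p in repository if p.applies(request)]
    return PolicySet("dynamic-set", applicable, combining_alg)

# Constructed sample data: two policies that both match the same request.
REPOSITORY = [Policy("doctors-read", lambda r: r.get("resource") == "record", "Permit"),
              Policy("after-hours", lambda r: r.get("time") == "night", "Deny")]
REQUEST = {"resource": "record", "time": "night"}
```

Passing `REPOSITORY` straight to `pdp_evaluate` with `REQUEST` gives "Indeterminate"; passing the single set from `retrieve_as_single_set` gives the combined "Deny".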


