Re: [xacml] Permit-Overrides PolicyCombiningAlg

[Argyn <jawabean@gmail.com>]

On 4/19/06, Anne Anderson <Anne.Anderson@sun.com> wrote:
> According to XACML 2.0 Appendix C.3 Permit-overrides, if the set of
> policy values being combined consists of Indeterminates and Denies, then
> the result is Deny.
>

it's a little different in rule comb algorithm. i think the difference
stems from the fact that the rule has an effect, while policy doesn't
have an effect.

in rule comb alg, if there was a rule with Permit effect, which
evaluated to Indeterminate, then the combining result would be
Indeterminate when no other Permits. in policy comb alg, there's no
notion of a policy effect. therefore, if everything's Indetermiate and
one Deny, then the whole thing's Deny.

argyn