Subject: Re: [xacml] Re: Combining algorithm combining orders
Yes, your use case is a very valid use case, but it is handled better by a PEP bias (which is part of the XACML specification). Since there are potentially multiple levels of policy combining, flipping an indeterminate to a deny at a lower level might lead to propagation of the deny to the top level, while an indeterminate could have been discarded by a definite result at a higher level.

Regards,
Erik

Daniel Engovatov wrote:
>
> On Oct 23, 2008, at 1:03 AM, Erik Rissanen wrote:
>
>>
>> However, if the permit-overrides algorithm gets to choose between a
>> deny and an indeterminate, it says deny, which is not correct. The
>> purpose of the permit overrides algorithm is to give priority of
>> permit over deny. In this case one of the policies could not be
>> evaluated correctly. It could potentially have been a permit, in
>> which case the algorithm should return permit.
>
> I am not sure it is a question of correctness. Algorithm may be
> correct - but it may, or may not be suitable to a particular use
> case. I think this use case is a valid one - give Permit if anybody
> explicitly said Permit, Deny in any other case, including the case
> when somebody did not have enough time or information to say Permit.
> Seems like a completely legitimate use case.
>
> I have never liked the Permit override anyway...
>
> Daniel;
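The propagation effect described in the reply above, as an added example that is not part of the original message: a two-level policy tree in which the inner set either keeps an Indeterminate or flips it to Deny, with a deny-overrides set above it and a deny-biased PEP enforcing the result. The tree shape, the function names, and the modelling of Indeterminate as carrying the decision it could have been are assumptions of this sketch, not normative algorithm text.

```python
# Added illustration; simplified model with constructed inputs.
P, D, NA = "Permit", "Deny", "NotApplicable"
# Assumption: an Indeterminate records which decision it could have been.
IP, ID, IDP = "Indeterminate{P}", "Indeterminate{D}", "Indeterminate{DP}"

def _overrides(results, win, lose, i_win, i_lose):
    """Generic X-overrides: `win` beats everything, and an Indeterminate that
    could have been `win` is never hidden by a `lose`."""
    r = set(results)
    if win in r:
        return win
    if IDP in r or (i_win in r and (i_lose in r or lose in r)):
        return IDP
    if i_win in r:
        return i_win
    if lose in r:
        return lose
    if i_lose in r:
        return i_lose
    return NA

def permit_overrides(results):
    return _overrides(results, P, D, IP, ID)

def deny_overrides(results):
    return _overrides(results, D, P, ID, IP)

def permit_or_deny(results):
    """Variant from the quoted use case: Permit if anyone said Permit, else Deny."""
    return P if P in results else D

def pep_deny_biased(decision):
    """Deny-biased PEP: allow only on an explicit Permit."""
    return P if decision == P else D

def evaluate(inner_alg, inner_results, sibling):
    """Inner set combined by `inner_alg`; the top level is deny-overrides over
    the inner result and one sibling policy; the PEP enforces the outcome."""
    top = deny_overrides([inner_alg(inner_results), sibling])
    return top, pep_deny_biased(top)

if __name__ == "__main__":
    # Constructed case: the inner policy failed to evaluate (could only have
    # been Permit) and the sibling policy at the top level says Permit.
    print("keep Indeterminate :", evaluate(permit_overrides, [IP], P))
    print("flip to Deny early :", evaluate(permit_or_deny, [IP], P))
    print("no definite result :", evaluate(permit_overrides, [IP], NA))
```

With the Indeterminate kept, the sibling's Permit decides the top level; flipped early, the Deny wins under deny-overrides. When nothing definite turns up, the deny-biased PEP still denies, which covers the quoted use case at the enforcement point.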