

Subject: Re: [xacml] Re: Combining algorithm combining orders


Alternatively, if you don't like the PEP bias concept, you can have a 
final top level of combining in the PDP where you convert any 
Indeterminate to Deny by means of a deny-overrides algorithm. But the 
permit-overrides algorithm in itself should not have this bias. It is a 
tool for policy writers, which should be applicable to multiple use 
cases, depending on how it is used.

Regards,
Erik

Daniel Engovatov wrote:
> I actually believe that PEP bias is a bad idea in general.   PEP 
> should be regarded as untrusted.
>
> How would deny be propagated to a higher level if this is a Permit 
> override?
>
> I guess we should possibly add another version of that algorithm, but 
> I do not think that the current one is erroneous.
>
> Daniel.
>
> On Oct 23, 2008, at 1:16 AM, Erik Rissanen wrote:
>
>> Yes, your use case is a very valid use case, but it is handled better 
>> by a PEP bias (which is part of the XACML specification). Since there 
>> are potentially multiple levels of policy combining, flipping an 
>> indeterminate to a deny at a lower level might lead to propagation of 
>> the deny to the top level, while an indeterminate could have been 
>> discarded by a definite result at a higher level.
>>
>> Regards,
>> Erik
>>
>> Daniel Engovatov wrote:
>>>
>>> On Oct 23, 2008, at 1:03 AM, Erik Rissanen wrote:
>>>
>>>>
>>>> However, if the permit-overrides algorithm gets to choose between a 
>>>> deny and an indeterminate, it says deny, which is not correct. The 
>>>> purpose of the permit overrides algorithm is to give priority of 
>>>> permit over deny. In this case one of the policies could not be 
>>>> evaluated correctly. It could potentially have been a permit, in 
>>>> which case the algorithm should return permit.
>>>
>>> I am not sure it is a question of correctness. The algorithm may be 
>>> correct, but it may or may not be suitable to a particular use 
>>> case. I think this use case is a valid one: give Permit if 
>>> anybody explicitly said Permit, Deny in any other case, including 
>>> the case when somebody did not have enough time or information to 
>>> say Permit. Seems like a completely legitimate use case.
>>>
>>> I have never liked the Permit override anyway...
>>>
>>> Daniel;
>>
>
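The disagreement in this thread is easiest to see by running the two readings of permit-overrides side by side, together with the two places Erik proposes to put the deny bias instead (a top-level deny-overrides wrapper in the PDP, or the PEP). The following is an added example written for this archive page, not code from the XACML TC or any PDP implementation. The combining functions are modelled on the XACML 2.0 policy-combining pseudocode as I recall it (at policy level no rule effect is known, so Deny outranks Indeterminate under permit-overrides); the "unbiased" variant and the nested decision tree are constructed for illustration and are not in the specification or in the thread.

```python
"""Toy XACML-style decision combining (added example, not TC code).

Decision values are the four XACML 2.0 results. permit_overrides and
deny_overrides follow the 2.0 policy-combining pseudocode as recalled for
this example; permit_overrides_unbiased is a hypothetical variant that
implements Erik's argument that an Indeterminate must not be outranked by
a Deny because it could have been a Permit.
"""
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


def permit_overrides(decisions):
    """2.0 policy permit-overrides: Permit > Deny > Indeterminate > NotApplicable.
    This is the behaviour Daniel defends: an error is treated like a Deny."""
    seen_deny = seen_error = False
    for d in decisions:
        if d is Decision.PERMIT:
            return Decision.PERMIT
        if d is Decision.DENY:
            seen_deny = True
        elif d is Decision.INDETERMINATE:
            seen_error = True
    if seen_deny:
        return Decision.DENY
    if seen_error:
        return Decision.INDETERMINATE
    return Decision.NOT_APPLICABLE


def permit_overrides_unbiased(decisions):
    """Hypothetical variant: Permit > Indeterminate > Deny > NotApplicable.
    An Indeterminate is kept because the failed policy might have permitted."""
    seen_deny = seen_error = False
    for d in decisions:
        if d is Decision.PERMIT:
            return Decision.PERMIT
        if d is Decision.DENY:
            seen_deny = True
        elif d is Decision.INDETERMINATE:
            seen_error = True
    if seen_error:
        return Decision.INDETERMINATE
    if seen_deny:
        return Decision.DENY
    return Decision.NOT_APPLICABLE


def deny_overrides(decisions):
    """2.0 policy deny-overrides: any Deny or Indeterminate yields Deny.
    Wrapping the PDP's top level in this is Erik's in-PDP way to add the bias."""
    seen_permit = False
    for d in decisions:
        if d in (Decision.DENY, Decision.INDETERMINATE):
            return Decision.DENY
        if d is Decision.PERMIT:
            seen_permit = True
    return Decision.PERMIT if seen_permit else Decision.NOT_APPLICABLE


def deny_biased_pep(decision):
    """Deny-biased PEP: access is granted only on an explicit Permit."""
    return decision is Decision.PERMIT


def permit_biased_pep(decision):
    """Permit-biased PEP: access is refused only on an explicit Deny."""
    return decision is not Decision.DENY


def evaluate(tree, algorithm):
    """Combine a nested list of decisions, using `algorithm` at every level,
    so the effect of flipping Indeterminate at a lower level is visible at the top."""
    results = [evaluate(n, algorithm) if isinstance(n, list) else n for n in tree]
    return algorithm(results)


# Constructed input (not from the thread): a lower policy set holding a Deny
# and a policy that failed to evaluate, combined at the top with a
# NotApplicable sibling.
TREE = [[Decision.DENY, Decision.INDETERMINATE], Decision.NOT_APPLICABLE]


def compare():
    """Return the top-level result under each reading, and what each PEP bias does."""
    biased = evaluate(TREE, permit_overrides)             # Deny
    unbiased = evaluate(TREE, permit_overrides_unbiased)  # Indeterminate
    return {
        "permit_overrides": biased,
        "unbiased": unbiased,
        "unbiased_plus_top_deny_overrides": deny_overrides([unbiased]),  # Deny
        "unbiased_at_deny_biased_pep": deny_biased_pep(unbiased),        # False
        # Information lost by flipping inside the algorithm: a permit-biased
        # PEP can no longer distinguish an evaluation error from a real Deny.
        "biased_at_permit_biased_pep": permit_biased_pep(biased),        # False
        "unbiased_at_permit_biased_pep": permit_biased_pep(unbiased),    # True
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Both of Erik's placements of the bias (the deny-overrides wrapper and the deny-biased PEP) reproduce Daniel's "Permit only if somebody explicitly said Permit" outcome from the unbiased algorithm, while leaving the Indeterminate intact for a deployment that chooses a permit-biased PEP; once the algorithm itself has turned the Indeterminate into a Deny, that choice is gone.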