Subject: Re: [xacml] wd-19 indeterminate policy target handling
Hi Erik,

The algorithm with proposed changes in my earlier email in "first draft form" was this:

It is intended to produce the same results in every case as the current algorithm.

    Decision denyOverridesRuleCombiningAlgorithm(Node[] nodes)
    {
        // see 1 below
        Boolean atLeastOneError = false;
        Boolean atLeastOneErrorD = false;
        Boolean atLeastOneErrorP = false;
        Boolean atLeastOneErrorDP = false;
        Boolean atLeastOnePermit = false;
        for ( i=0; i<lengthOf(nodes); i++ )
        {
            Decision decision = evaluate(nodes[i]);
            // see #2 below
            if (decision==Deny) {
                return Deny; // loop breakout (#2 below)
            }
            // the next two "if"s are the same as C.10:
            if (decision==Permit) {
                atLeastOnePermit = true;
                continue; // i.e. skip the rest of the logic in the current iteration
                          // of the loop and start the next iteration
            }
            if (decision==NotApplicable) {
                continue;
            }
            // see #3 below
            if (decision==Indeterminate) { // this can only be returned for rules
                if ( effect((Rule)nodes[i])==Deny ) { // cast to Rule to get effect
                    atLeastOneErrorD = true;
                }
                else {
                    atLeastOneErrorP = true;
                }
                continue;
            }
            // the following is same as C.2 and will evaluate the 3 types
            // of Indeterminate, which can only be returned for Policy and PolicySet
            ... same as lines 5762->5776 (not repeated here)
        } // end for loop
        if (atLeastOneErrorD==true &&
            (atLeastOneErrorP==true || atLeastOnePermit==true)) {
            atLeastOneErrorDP = true;
        }
        if (atLeastOneErrorDP==true) {
            return Indeterminate(DP);
        }
        if (atLeastOneErrorD==true) {
            return Indeterminate(D);
        }
        if (atLeastOnePermit==true) {
            return Permit;
        }
        if (atLeastOneErrorP == true) {
            return Indeterminate(P);
        }
        return NotApplicable;
    } // end algorithm

The differences that it embodies (that do not impact the final results) are:
with the current defns in the doc, but otherwise I am pretty sure it does the same as the current. (I will try to clean it up a bit later today, but I am busy until then.)

Thanks,
Rich

On 5/18/2011 4:01 AM, Erik Rissanen wrote:
> Rich,
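
Added example, not part of the message above or of the XACML draft: a Python rendering of the rule-level branch of the pseudocode (the Policy/PolicySet branch that the message elides is left out), run over every sequence of up to three constructed rule results. It checks that the combined decision does not depend on rule order and that Permit is never returned when a Deny-effect rule returned Deny or Indeterminate. The names deny_overrides_rules, check_properties and OUTCOMES are made up for this example.

```python
from enum import Enum
from itertools import product

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"      # what a single rule returns on error
    IND_D = "Indeterminate(D)"
    IND_P = "Indeterminate(P)"
    IND_DP = "Indeterminate(DP)"

def deny_overrides_rules(results):
    """Combine already-evaluated rules given as (rule_effect, decision) pairs."""
    err_d = err_p = permit = False
    for effect, decision in results:
        if decision is Decision.DENY:
            return Decision.DENY
        if decision is Decision.PERMIT:
            permit = True
        elif decision is Decision.INDETERMINATE:
            err_d, err_p = err_d or effect == "Deny", err_p or effect == "Permit"
    if err_d and (err_p or permit):
        return Decision.IND_DP
    if err_d:
        return Decision.IND_D
    if permit:
        return Decision.PERMIT
    return Decision.IND_P if err_p else Decision.NOT_APPLICABLE

# Constructed input space: every outcome a single rule can have.
OUTCOMES = [(e, d) for e in ("Permit", "Deny")
            for d in (Decision[e.upper()], Decision.NOT_APPLICABLE, Decision.INDETERMINATE)]

def check_properties(max_len):
    """Check order independence and fail-safe Permit; return sequences checked."""
    checked = 0
    for n in range(max_len + 1):
        for seq in product(OUTCOMES, repeat=n):
            result = deny_overrides_rules(seq)
            canonical = sorted(seq, key=lambda r: (r[0], r[1].name))
            assert result is deny_overrides_rules(canonical), seq
            if result is Decision.PERMIT:
                assert not any(e == "Deny" and d is not Decision.NOT_APPLICABLE
                               for e, d in seq), seq
            checked += 1
    return checked

if __name__ == "__main__":
    print(check_properties(3), "rule-result sequences checked")
```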