[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Multiple obligations
Hi all, The "proper" way to fix this would be to explicitly include obligation processing in each combining algorithm, rather than having it on the side in a different section, saying that obligations from any policy "which is evaluated" is included. In my opinion it would be worth fixing this. Best regards, Erik On 2011-06-06 14:59, rich levinson wrote: > Hi Ray/TC, > > I agree, I don't like it either, which is why I wanted to state it > explicitly so > we all know what the current behavior implies, at least based on my > reading of the text to date. > > My statement was that is how I understand the current operation > to be, although it is not clearly and unambiguously stated in the text. > > However, I am not sure what other option might be inferred from the > text, although your suggestion sounds like a reasonable alternative, if > we were to explicitly state it that way. > > In any event, once the current behavior is clarified, then whatever > it is can be considered the default option, and for 3.0, at least, if > devs > want to offer other options then they can be custom w combiner > parameters, which is what would be explained in the implementers/ > policy designers guide - explained so designers would know what to > look for and devs would know what to implement. > > Thanks, > Rich > > > On 6/6/2011 5:27 AM, remon.sinnema@emc.com wrote: >> All, >> >> >>> -----Original Message----- >>> From: rich levinson [mailto:rich.levinson@oracle.com] >>> Sent: Friday, June 03, 2011 12:52 AM >>> To: xacml >>> Subject: [xacml] Minutes for 2 June 2011 TC Meeting >> [...] >> >>> Obligations/Advice combining ambiguities. (dependent on final >>> version of combining algorithms) >>> http://lists.oasis-open.org/archives/xacml/201105/msg00094.html >>> >>> rich: working assumption is that in deny-overrides that if there >>> are multiple permit rules then all the applicable permits >>> add their obligations to the response if decision is permit, >>> as opposed to the deny decision, where only one rule's obls >>> are returned. >>> >> I'm not sure I like this. First of all, this means there is an >> asymmetry between the permit and deny cases, as noted on the call. >> Secondly, this assumption rules out the following performance >> improvement: For deny-overrides, once an applicable permit rule has >> been found, other permit rules don't need to be evaluated, since they >> can never change the decision. >> >> Thanks, >> Ray >> > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]