Subject: RE: [xacml] XACML 3.0 Public review 04 - Feedback from TSCP
Jean-Paul,

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Jean-Paul Buu-Sao
Sent: Thursday, June 28, 2012 5:49 PM
To: Hal Lockhart; xacml@lists.oasis-open.org
Subject: RE: [xacml] XACML 3.0 Public review 04 - Feedback from TSCP

> a) Applicability: a policy is applicable only if all conditions match (inclusive of policy-id and resource). If one policy is NotApplicable,
> other policies of the policy-set must be evaluated. So you are correct to invoke the potential of a NotApplicable result. How is it possible
> to denote that NotApplicable across the whole policy-set must return a Deny?

From the core spec:

"7.17 Authorization decision

In relation to a particular decision request, the PDP is defined by a policy-combining algorithm and a set of policies and/or policy sets. The PDP SHALL return a response context as if it had evaluated a single policy set consisting of this policy-combining algorithm and the set of policies and/or policy sets."

So you should configure the PDP's root policy-combining algorithm to something like deny-unless-permit.

Thanks,
Ray
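The effect of the root combining algorithm discussed in this message can be seen in a small model. This is an added example, not part of the original e-mail or of any XACML implementation: it is a simplified Python sketch in which the policies, attribute names and request values are constructed, and a missing attribute is assumed to behave like a match with MustBePresent="true".

```python
# Added illustration: simplified model of XACML root policy combining.
# Policies, attribute names and requests are constructed for this example.
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

def make_policy(target, effect):
    """Build a policy that applies only if every target attribute matches."""
    def evaluate(request):
        for name, expected in target.items():
            if name not in request:
                # Assumption: the attribute is required (MustBePresent="true").
                return Decision.INDETERMINATE
            if request[name] != expected:
                return Decision.NOT_APPLICABLE
        return effect
    return evaluate

def first_applicable(policies, request):
    """First child that is not NotApplicable decides; may fall through."""
    for policy in policies:
        decision = policy(request)
        if decision is not Decision.NOT_APPLICABLE:
            return decision  # Permit, Deny or Indeterminate
    return Decision.NOT_APPLICABLE

def deny_unless_permit(policies, request):
    """Permit if any child permits; every other outcome collapses to Deny."""
    if any(policy(request) is Decision.PERMIT for policy in policies):
        return Decision.PERMIT
    return Decision.DENY

# Constructed policy set: each policy matches on policy-id and resource.
POLICIES = [
    make_policy({"policy-id": "export-a", "resource": "doc-1"}, Decision.PERMIT),
    make_policy({"policy-id": "export-b", "resource": "doc-2"}, Decision.DENY),
]

if __name__ == "__main__":
    unmatched = {"policy-id": "export-c", "resource": "doc-9"}
    for algorithm in (first_applicable, deny_unless_permit):
        print(algorithm.__name__, "->", algorithm(POLICIES, unmatched).value)
```

With no policy matching, the first-applicable root leaves the enforcement point to interpret NotApplicable, while the deny-unless-permit root always yields a definite Permit or Deny.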