OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Generalizing on-permit-apply-second

All,

I have a suggestion to generalize the on-permit-apply-second algorithm.
The problem I see is that it's not unusual for customers to choose among policies on a "if then else"-basis. In other words, if a condition is true, choose one policy, otherwise use another policy.
The problem is that there is no combining algorithm which does that currently. Yes, we do have targets and conditions and algorithms such as first-applicable, but there is a crucial difference between "if then else" and these combining algorithms. Consider this case: 

PolicySet [first-applicable]
  Policy target foo
    -> some content A
  Policy
    -> some content B
Naively this is an attempt to write an if-then-else type of policy set. The condition is "foo". If foo is matching, then "some content A" is evaluated. However, the problem is that if "some content A" itself returns N/A, then the first-applicable combining algorithm will evaluate "some content B". So, even if the target "foo" is matching, it can turn out that "some content B" is used. This is not what "if then else" means.
There is the only-one-applicable which is closer to if-then-else, but it works only on targets, not on conditions.
The way to model a condition based if-then-else in XACML today is to use the on-permit-apply-second and invert the condition in the "else" branch. Like this: 


PolicySet [first-applicable]
  PolicySet [on-permit-apply-second]
    Policy
      Rule
        Condition foo
    PolicySet
      -> some content A (the "then" branch)
  PolicySet [on-permit-apply-second]
    Policy
      Rule
        Condition not(foo)
    PolicySet
      -> some content B (the "else" branch)
As you see, it takes a whole lot of XACML elements to do a simple if-then-else, which is a very common use case.
My proposal is to generalize the on-permit-apply-second algorithm so it can take a third policy. If there are only two children, then it behaves like in the current spec. However, if there is a third child, then the third child is applied if the first policy does not return permit. Then you can do the following: 

PolicySet [on-permit-apply-second]
  Policy
    Rule
      Condition foo
  PolicySet
      -> some content A (the "then" branch)
  PolicySet
      -> some content B (the "else" branch)
This is more compact and efficient and does not contain redundant expressions.
Let me know if you think this is a bad idea. Otherwise, I can work out the details into a new working draft of the profile. 

Best regards,
Erik

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]