Subject: Re: [xacml] Re: "else" is what ? Was:Re: [xacml] Generalizing on-permit-apply-second
On May 23, 2013, at 5:23 PM, Steven Legg <steven.legg@viewds.com> wrote:

> Hi Bill,
>
> On 24/05/2013 1:58 AM, Bill Parducci wrote:
>> If there is a condition in any given PolicySet that could preclude the inclusion of any other PolicySet, it seems that there would be the possibility of conflict. I have not thought about this in depth, but it seems possible that PolicySet A could have a condition that fires excluding PolicySet B which concurrently has a condition that fires, excluding PolicySet A.
>
> The only way I can see that being possible is if the policy sets include
> each other by reference, either directly or indirectly. Such a construction
> is an error according to the XACML core.
>
> As children of the same policy set with the on-permit-apply-second combining
> algorithm, only the first child has the power to exclude the second and/or
> third child. The second and third children can't exclude each other or the
> first child.
>
> Steven

Ok. So to make sure that I am fully grasping this, the proposal is that this new mechanism only applies to PolicySets (not Policies) and that these PolicySets will have a new requirement that Policy order is required to be maintained within them. Is this correct?

thanks

b