[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec
Hi Richard,

Our implementation has an implicit root PolicySet with a configurable combining algorithm, which defaults to deny-overrides. Any Policy(Set) that is added and is not explicitly part of another PolicySet is implicitly part of the root PolicySet.

Thanks,
Ray

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Hill, Richard C

The TNC MAP Authorization focal asked for clarification regarding a section of the XACML core spec which I was unable to answer definitively, so I agreed to bring the question to the XACML TC list.

The XACML spec states:

7.17 Authorization decision
In relation to a particular decision request, the PDP is defined by a policy-combining algorithm and a set of policies and/or policy sets. The PDP SHALL return a response context as if it had evaluated a single policy set consisting of this policy-combining algorithm and the set of policies and/or policy sets.

Question: Does the PDP have a default/root PolicySet with a policy-combining algorithm even if it’s not explicitly defined? If so, what is the policy-combining algorithm?

Let me walk through a scenario: When a PDP receives an XACML request, the PDP looks for all applicable policies and policy sets (as determined by section 5.6 Element <Target>). Let’s say it finds one Policy A and one Policy Set B. So, to me that would mean that the “policy set” is made up of Policy A and Policy Set B (Set={A,B}). It’s my understanding that if, for example, Policy A has a PolicyReference or PolicySetReference to a policy or policy set outside of that set (e.g. Policy C), then it would be pulled in as part of the evaluation of Policy A. In addition, Policy A and Policy Set B will each have their own combining algorithm, and each will evaluate to a single decision of either Permit, Deny, Indeterminate, or NotApplicable. For the sake of this scenario let’s say Policy A decision = Permit and Policy Set B decision = Deny.

Here is where I agree it becomes fuzzy. The PDP can only return one decision, and it must use a combining algorithm to determine the final verdict. Where does this combining algorithm come from? Where is it defined? Is there a default combining algorithm that the PDP uses?

- Richard Hill
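The scenario in the thread (Policy A = Permit, Policy Set B = Deny, both top level, combined by an implicit root PolicySet whose algorithm defaults to deny-overrides) worked through as an added example in Python. This is illustrative code written for this page, not code from the thread's participants or from any XACML product; the PolicySet/Policy classes, the PDP class and the leaf decisions of the policies are constructed for the example. The two combining algorithms follow the deny-overrides and permit-overrides definitions in XACML 3.0 Appendix C, including the extended Indeterminate{D}/{P}/{DP} values, so the example goes slightly beyond the thread by showing how an Indeterminate child is combined as well.

```python
"""Worked example: an implicit root PolicySet combining top-level policies.

Constructed for illustration. Decision values and the two combining
algorithms follow XACML 3.0 core, Appendix C; everything else is assumed.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Union

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
# Extended Indeterminate values of XACML 3.0 (the thread only names plain Indeterminate).
IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"


def deny_overrides(decisions: Iterable[str]) -> str:
    """XACML 3.0 Appendix C.2: any Deny wins; otherwise the most 'deny-leaning' result."""
    ds = list(decisions)
    if DENY in ds:
        return DENY
    if IND_DP in ds:
        return IND_DP
    if IND_D in ds and (IND_P in ds or PERMIT in ds):
        return IND_DP
    if IND_D in ds:
        return IND_D
    if PERMIT in ds:
        return PERMIT
    if IND_P in ds:
        return IND_P
    return NOT_APPLICABLE


def permit_overrides(decisions: Iterable[str]) -> str:
    """XACML 3.0 Appendix C.3: mirror image of deny-overrides."""
    ds = list(decisions)
    if PERMIT in ds:
        return PERMIT
    if IND_DP in ds:
        return IND_DP
    if IND_P in ds and (IND_D in ds or DENY in ds):
        return IND_DP
    if IND_P in ds:
        return IND_P
    if DENY in ds:
        return DENY
    if IND_D in ds:
        return IND_D
    return NOT_APPLICABLE


@dataclass
class Policy:
    """A Policy whose own rules are assumed to yield a fixed decision (constructed)."""
    name: str
    decision: str

    def evaluate(self) -> str:
        return self.decision


@dataclass
class PolicySet:
    """A PolicySet: its own combining algorithm applied to its children's decisions."""
    name: str
    algorithm: Callable[[Iterable[str]], str]
    children: List[Union[Policy, "PolicySet"]] = field(default_factory=list)

    def evaluate(self) -> str:
        return self.algorithm(child.evaluate() for child in self.children)


def _descendants(node):
    """Every node nested anywhere below a PolicySet."""
    if isinstance(node, PolicySet):
        for child in node.children:
            yield child
            yield from _descendants(child)


class PDP:
    """Assumed PDP: an implicit root PolicySet with a configurable algorithm."""

    def __init__(self, root_algorithm=deny_overrides):
        self.root_algorithm = root_algorithm
        self._loaded = []

    def add(self, node) -> None:
        self._loaded.append(node)

    def root_policy_set(self) -> PolicySet:
        # Anything loaded that is not already a child of another PolicySet
        # becomes a child of the implicit root, as Ray's reply describes.
        contained = {id(d) for n in self._loaded for d in _descendants(n)}
        top_level = [n for n in self._loaded if id(n) not in contained]
        return PolicySet("implicit-root", self.root_algorithm, top_level)

    def decide(self) -> str:
        return self.root_policy_set().evaluate()


def scenario(root_algorithm=deny_overrides) -> str:
    """Richard's scenario: Policy A -> Permit, Policy Set B -> Deny, both top level."""
    pdp = PDP(root_algorithm)
    b1, b2 = Policy("B1", DENY), Policy("B2", PERMIT)       # constructed children of B
    policy_a = Policy("A", PERMIT)
    policy_set_b = PolicySet("B", deny_overrides, [b1, b2])  # B evaluates to Deny
    for node in (policy_a, policy_set_b, b1, b2):             # B1/B2 are loaded too,
        pdp.add(node)                                         # but belong to B, not root
    assert [n.name for n in pdp.root_policy_set().children] == ["A", "B"]
    return pdp.decide()


if __name__ == "__main__":
    print("deny-overrides root:  ", scenario())                  # Deny
    print("permit-overrides root:", scenario(permit_overrides))  # Permit
```

With the default deny-overrides root the final verdict is Deny; reconfiguring the root to permit-overrides flips the same policies to Permit, which is exactly why the thread asks where that algorithm is defined.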