Eric--
Let's drill down on what is meant by "used." Let's say
that a regulation says that if ANY of three conditions (rules
A, B or C) is met, then the resource may be accessed. Let's
say that rule B is not met and (by itself) would result in a
DENY, but rule A is met and thus the overall outcome is
PERMIT. Is rule B "not used"?
I tried to avoid this ambiguity by proposing that the set
of rules collected to process a request must contain at least
one rule that refers to each of the access-related attributes
associated with the protected resource. Just because the set
of "active" rules includes one or more rules that do not
affect the decision regarding the current request by the
current user in the current environment, doesn't mean those
rules are irrelevant. At query time, relevancy is determined
by the resource attributes; which resource attributes are
required to be associated with which resources is determined
at "design time", when the policies are developed by
governance authorities.
Regarding "what the PDP does not know": an interesting
viewpoint. My understanding is that what the PDP knows is (a)
a set of policies loaded from the PAP; (b) the Request Context
provided by the Context Handler; and (c) additional subject,
resource or environmental attributes the PDP may request via
the Context Handler.
My initial thought as to how the PDP might implement the
goal of accounting for all resource attributes was for it to
request "All" resource attributes. (This is not supported in
the current spec as I read it.) My understanding (but I
certainly could be wrong) is that the PDP will identify all
Policies with a Rule that references any attribute of the
requested resource. In addition, my thought would be that the
PDP should check that all the resource's attributes are
referenced by some rule to be applied to the current request,
and if not, then issue a Deny decision, perhaps with
explanation. I do not think this checking function can be
performed by anything in the current spec. Both the gathering
of all resource attributes and the checking and Deny decision
would be a selectable option by the implementing
organization.
All this said, I repeat that what I'm looking for is any
mechanism, performed by the PDP or elsewhere, that will assure
that all resource attributes are referenced by some rule in
the set of policies applied to a decision.
I agree with your statement (as slightly amended): "The
current XACML spec simply assumes that you are operating with
the correct policies. What you are looking for is some extra
information to detect some cases where a mistake has been made
in the deployment and the policies [or the applied
resource attributes] are not correct."
Regards,
Martin
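The check Martin describes (gather the requested resource's attributes, select the rules that refer to any of them, and Deny with an explanation if some resource attribute is referenced by no selected rule), written out as an added illustration in Python. This is not from the XACML spec or from any implementation discussed in the thread; the policy, rule, attribute and user names are constructed, and the combining step is a minimal permit-overrides stand-in.

```python
"""Resource-attribute coverage check in front of rule combining.

Added example, not part of the XACML spec or of any PDP discussed in the
thread. A toy PDP that (1) selects every rule referencing at least one
attribute the requested resource carries, (2) checks that each resource
attribute is referenced by some selected rule and Denies with an
explanation when one is not, and (3) otherwise combines the matching rules
with permit-overrides. All names below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Request context as the Context Handler would hand it to the PDP:
# attribute category -> (attribute id -> value).
Request = dict[str, dict[str, str]]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                          # "Permit" or "Deny"
    resource_attrs: frozenset[str]       # resource attribute ids the rule refers to
    matches: Callable[[Request], bool]   # the rule's condition


@dataclass(frozen=True)
class Policy:
    policy_id: str
    rules: tuple[Rule, ...]


def select_rules(policies: list[Policy], request: Request) -> list[Rule]:
    """Rules that reference at least one attribute the requested resource carries."""
    present = request["resource"].keys()
    return [r for p in policies for r in p.rules if r.resource_attrs & present]


def uncovered_attributes(rules: list[Rule], request: Request) -> list[str]:
    """Resource attributes that no selected rule refers to (empty when coverage is complete)."""
    referenced: set[str] = set()
    for r in rules:
        referenced |= r.resource_attrs
    return sorted(set(request["resource"]) - referenced)


def decide(policies: list[Policy], request: Request,
           enforce_coverage: bool = True) -> tuple[str, str]:
    """Return (decision, explanation). enforce_coverage models the 'selectable option'."""
    rules = select_rules(policies, request)
    missing = uncovered_attributes(rules, request)
    if enforce_coverage and missing:
        return "Deny", "no applicable rule references resource attribute(s): " + ", ".join(missing)
    # Permit-overrides: the first matching Permit rule decides; a matching
    # rule that is not Permit yields Deny; nothing matching is NotApplicable.
    decision = "NotApplicable"
    for r in rules:
        if r.matches(request):
            if r.effect == "Permit":
                return "Permit", f"rule {r.rule_id} matched"
            decision = "Deny"
    return decision, "no Permit rule matched"


# Constructed policies: A permits the owner; B permits public resources;
# C permits a subject whose clearance equals the classification.
POLICIES: list[Policy] = [
    Policy("owner-access", (
        Rule("A", "Permit", frozenset({"owner"}),
             lambda rq: rq["subject"]["user-id"] == rq["resource"]["owner"]),
    )),
    Policy("classification", (
        Rule("B", "Permit", frozenset({"classification"}),
             lambda rq: rq["resource"]["classification"] == "public"),
        Rule("C", "Permit", frozenset({"classification"}),
             lambda rq: rq["subject"].get("clearance") == rq["resource"]["classification"]),
    )),
]

# Constructed requests. The first resource carries a retention-class
# attribute that no rule in POLICIES refers to; the second does not.
REQUEST_WITH_EXTRA_ATTR: Request = {
    "subject": {"user-id": "eric"},
    "resource": {"owner": "eric", "classification": "internal",
                 "retention-class": "legal-hold"},
    "environment": {},
}
REQUEST_COVERED: Request = {
    "subject": {"user-id": "eric"},
    "resource": {"owner": "eric", "classification": "internal"},
    "environment": {},
}

if __name__ == "__main__":
    print(decide(POLICIES, REQUEST_WITH_EXTRA_ATTR))
    print(decide(POLICIES, REQUEST_WITH_EXTRA_ATTR, enforce_coverage=False))
    print(decide(POLICIES, REQUEST_COVERED))
```

With coverage enforced, the first request is denied because retention-class is referenced by no selected rule, even though rule A would have permitted it; with the option off, rule A permits it as an unchecked PDP would. For the second request rule B is selected (it refers to classification) but its condition is not met, which is the sense in which a non-matching rule is still "used" by the decision.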