Subject: Re: [xacml-comment] no rules or policies
I agree on this. But this whole section doesn't really make sense to me at all. Neither do the tables. What is trying to be said here? Furthermore, these sections are riddled with mistakes like Not "Match" instead of "No-match" and "None-applicable" instead of "Not-applicable".

These sections should say nothing more than the policy body is evaluated according to its rule combining algorithm and the evaluation of its rules, which is specified elsewhere. The "truth" tables are wrong according to any kind of policy combining algorithm. All of the combining algorithms handle the case when there are no rules or policies.

So, I suggest the following rewording of both sections and remove the tables.

7.6 Policy Evaluation

The value of a policy SHALL be determined only by its contents against the access decision request. A policy's value SHALL be determined by the evaluation of the policy's target and the evaluation of its rules according to the specified rule combining algorithm.

The policy's target is evaluated to determine the applicability of the policy. If the target evaluates to "Match" then value of the policy SHALL be determined by evaluation of the policy's rules according to the specified combining algorithm. If the target evaluates to "No-Match", then the value of the policy shall be "Not-Applicable". If evaluation of the target raises an "Indeterminate" the value of the policy SHALL be "Indeterminate".

7.6 Policy Set Evaluation

The value of a policy set SHALL be determined by its contents against the access decision request. A policy set's value is determined by the evaluation of the policy set's target and the evaluation of its policies and policy sets according to the specified policy combining algorithm.

The policy set's target is evaluated to determine the applicability of the policy set. If the target evaluates to "Match" then value of the policy set SHALL be determined by evaluation of the policy's policies and policy sets according to the specified policy combining algorithm. If the target evaluates to "No-Match", then the value of the policy set shall be "Not-Applicable". If evaluation of the target raises an "Indeterminate" the value of the policy set SHALL be "Indeterminate".

Cheers,
-Polar

On Wed, 27 Nov 2002, Seth Proctor wrote:

>
> Sections 7.6 and 7.7 contain, respectively, the only text in the spec that
> says what to do when a Policy has no Rules or a PolicySet has no policies.
> Unfortunately, the language is a little muddled (and looks like it might be
> left over from a previous version). Section 7.6 says
>
> "A Rules value of 'At-least-one-applicable' SHALL be used if the <Rule>
> element is absent..."
>
> Section 7.7 says
>
> "A policies value of 'At-least-one-applicable' SHALL be used if there are
> no contained or referenced policies or policy sets..."
>
> Is this supposed to imply that if the rule/policy[set] is missing, then the
> result should always be the result of the at-least-one-applicable combining
> algorithm, ie NotApplicable? If that's the case, I'd like to request that the
> text be clarified so that it's more obvious (since the above text doesn't
> really mean anything). If that's not the case, these sections need to be
> expanded to explain what to return in these conditions.
>
> As a side note, I don't really understand what the value is of having a Policy
> with no Rule, since it will always return the same thing (probably N/A), so
> why bother going through the effort of evaluating it? In other words, what
> is the reason for the schema defining PolicyType to have
>
> <xs:element ref="xacml:Rule" minOccurs="0" ... >
>
> seth
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>
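The evaluation order in the reworded sections above, as an added example that is not part of the original message or of the XACML specification: the target is checked first, and only on "Match" are the children combined, so a policy with no rules or a policy set with no policies falls through the combining algorithm to "Not-Applicable". All class and function names are assumptions, rules are reduced to a target plus an effect, and `deny_overrides` is a simplified ordering rather than the specification's full algorithm.

```python
from dataclasses import dataclass, field
from typing import Callable, List

PERMIT, DENY, NA, INDET = "Permit", "Deny", "Not-Applicable", "Indeterminate"

class TargetError(Exception):
    """A target could not be evaluated (e.g. a required attribute is missing)."""

def first_applicable(decisions):
    # First child decision other than Not-Applicable wins; no children -> Not-Applicable.
    return next((d for d in decisions if d != NA), NA)

def deny_overrides(decisions):
    # Simplified ordering (assumption): Deny > Indeterminate > Permit > Not-Applicable.
    seen = set(decisions)
    return next((d for d in (DENY, INDET, PERMIT) if d in seen), NA)

def match(target, request):
    # Returns "Match", "No-Match" or "Indeterminate" for a target predicate.
    try:
        return "Match" if target(request) else "No-Match"
    except TargetError:
        return INDET

@dataclass
class Rule:  # reduced to target + effect; conditions are omitted
    effect: str
    target: Callable[[dict], bool]
    def evaluate(self, request):
        m = match(self.target, request)
        return self.effect if m == "Match" else NA if m == "No-Match" else INDET

@dataclass
class Policy:  # also models a policy set: children are rules, policies or policy sets
    target: Callable[[dict], bool]
    combine: Callable
    children: List = field(default_factory=list)
    def evaluate(self, request):
        m = match(self.target, request)
        if m != "Match":
            return NA if m == "No-Match" else INDET
        return self.combine(c.evaluate(request) for c in self.children)

def role_is(role):  # constructed sample target
    def target(request):
        if "role" not in request:
            raise TargetError("role attribute missing")
        return request["role"] == role
    return target

def anyone(request):  # constructed sample target that always matches
    return True
```
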