xacml-comment message


Subject: RE: [xacml-comment] Comment on condition element

On 16 December, David Sutton writes: RE: [xacml-comment] Comment on condition element
 > From: "David Sutton" <David.Sutton@cp.net>
 > > If you want a condition at the policy or policy set level,
 > > include a rule.
 > By including a rule with a condition is not the condition scope limited to
 > that rule only - not the policy or policy set? So no other rules in the set
 > would be affected by a condition in any other rule in the policy or policy
 > set.

This could be done with a new rule-combining algorithm in which
the result is NotApplicable unless the first rule is true.  Then,
one of the other rule-combining algorithms could be called into
play.  This makes the semantics clear.

If we allow Condition in a Policy, the Policy writer will not
necessarily want the Policy to return NotApplicable if the
Condition is false.  What if a policy writer wants the policy to
return Permit or Deny if the condition is false?  If we allow
Conditions in policy sets or policies, then we would need to
specify the "combining algorithm" for combining the result of the
enclosing structure's policy with the results of the set of
enclosed structures.

I would rather not complicate things unless the existing
mechanisms are inadequate.

 > Based on some recent comment I understand that the requirement that target
 > elements be indexable may have been relaxed. If this is so then it would be
 > possible to make the role requirement part of the policy target (assuming
 > for example that role membership would be a subject attribute).

That is true.  Target elements are not required to be indexable
according to any particular indexing scheme.

 > On a related secondary note I'm not clear on what is the behaviour for a
 > rule that does have a target when its enclosing policy or policy set also
 > has a target? Is the rule bounded by both the rule target and the inherited
 > target or does a rule only inherit a target when the rule has no target
 > element itself?

The Target of the outer structure acts as a filter: if it returns
False, then the inner structures are never evaluated.  The Target
on an inner structure will be applied only if the inner structure
is evaluated, so it serves only as a way of potentially narrowing
the Target of the inner structure.

Some systems may compose outer structures from sets of inner
structures (i.e. policies from a set of rules, policy sets from a
set of policies and policy sets): this is outside the scope of
XACML, since the XACML PDP will only see the final composition.
In this case, the Target of the outer structure may be computed
based on the union (or intersection) of the Targets of the inner

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
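The two evaluation points made in the reply above, the outer Target acting as a filter that inner Targets can only narrow, and a rule-combining algorithm that returns NotApplicable unless the first rule is true and otherwise defers to an existing algorithm, as an added Python example. This is not code from the thread or from any XACML implementation; the class and function names and the staff/payroll sample policy are constructed for illustration.

```python
# Added example, not from the thread: a minimal model of XACML Target/Rule evaluation
# showing (1) the outer Target as a filter that inner Targets can only narrow and (2) a
# combining algorithm that is NotApplicable unless the first rule is true, then defers
# to deny-overrides. All names here are this example's own, not XACML's.
from dataclasses import dataclass
from typing import Callable, Dict, List
Request = Dict[str, object]            # attribute name -> value, e.g. {"role": "clerk"}
Predicate = Callable[[Request], bool]  # a Target or a Condition
Combiner = Callable[[List[str]], str]  # a rule-combining algorithm
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Rule:
    target: Predicate
    condition: Predicate
    effect: str                        # PERMIT or DENY

    def evaluate(self, req: Request) -> str:
        # Reached only when every enclosing Target has already matched.
        return self.effect if self.target(req) and self.condition(req) else NOT_APPLICABLE

def deny_overrides(decisions: List[str]) -> str:
    return DENY if DENY in decisions else PERMIT if PERMIT in decisions else NOT_APPLICABLE

def gated_by_first_rule(inner: Combiner) -> Combiner:
    # The algorithm sketched in the reply: NotApplicable unless the first rule is "true"
    # (its Target and Condition matched, so it returned its Effect); the remaining
    # decisions are then handed to the existing algorithm `inner`.
    def combine(decisions: List[str]) -> str:
        if not decisions or decisions[0] == NOT_APPLICABLE:
            return NOT_APPLICABLE
        return inner(decisions[1:])
    return combine

def evaluate_policy(target: Predicate, rules: List[Rule], combine: Combiner, req: Request) -> str:
    if not target(req):                # outer Target false: the rules are never evaluated
        return NOT_APPLICABLE
    return combine([r.evaluate(req) for r in rules])

# Constructed sample: staff may read files, but payroll only as a manager, and
# everything only during business hours; the hours check is the gating first rule.
always = lambda r: True
RULES = [
    Rule(always, lambda r: 9 <= r.get("hour", 0) < 17, PERMIT),
    Rule(lambda r: r.get("resource") == "payroll", lambda r: r.get("role") != "manager", DENY),
    Rule(always, always, PERMIT),
]

def decide(req: Request) -> str:
    staff = lambda r: r.get("role") in ("manager", "clerk")
    return evaluate_policy(staff, RULES, gated_by_first_rule(deny_overrides), req)
```

Note that a request outside business hours yields NotApplicable rather than Deny, which is exactly the distinction the reply raises about putting a Condition directly on a Policy.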
