OASIS Mailing List Archives

xacml-comment message


Subject: Re: [xacml-comment] D006 & D008

On 15 January, John Merrells writes: [xacml-comment] D006 & D008
 > Both these tests expect a response of (Deny,ok)... but the policies
 > include a reference to an undefined attribute with mustbepresent set,
 > so I think the result should be (Indeterminate,missing-attribute).

The result of the <Policy> that contains the mustbepresent
missing attribute is (Indeterminate, missing-attribute), but
there is another <Policy> in the <PolicySet> that results in a
true Deny.

According to the definition of Deny-overrides, which is the
<PolicySet> combining-algorithm in th

 a) In the entire set of policies in the policy set, if any
    policy evaluates to "Deny", then the result of the policy
    combination SHALL be "Deny"...
 b) if the policy evaluation results in "Indeterminate", then the
    policy set SHALL evaluate to "Deny".'

This seems pretty clear to me.  Applying either a) or b) results
in "Deny".

In fact, there is no way defined by the policy-combining
"Deny-overrides" algorithm for a result of "Indeterminate" to be
returned, which was the intent of the designers of this
algorithm.  Indeterminate CAN be returned from a rule that uses
the rule-combining "Deny-overrides" algorithm, but that is not
the case in these two tests.

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
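
The combining behaviour described in the message above, as an added Python example (not part of the original message, the XACML specification text, or the conformance test suite). Clauses a) and b) are the ones quoted in the message; the Permit/NotApplicable fallbacks and the rule-combining variant follow the XACML 1.0 algorithms as assumed here, and all function names and the `d006_like` input are constructed for illustration.

```python
from itertools import product

DENY, PERMIT, NA, INDET = "Deny", "Permit", "NotApplicable", "Indeterminate"

def policy_deny_overrides(decisions):
    """Policy-combining Deny-overrides over the child <Policy> decisions."""
    saw_permit = False
    for d in decisions:
        if d == DENY:        # clause a): any Deny wins
            return DENY
        if d == INDET:       # clause b): Indeterminate is turned into Deny
            return DENY
        saw_permit = saw_permit or d == PERMIT
    # Assumed fallbacks, not quoted in the message.
    return PERMIT if saw_permit else NA

def rule_deny_overrides(rules):
    """Rule-combining variant; rules are (effect, decision) pairs (assumed)."""
    saw_permit = saw_error = potential_deny = False
    for effect, d in rules:
        if d == DENY:
            return DENY
        if d == PERMIT:
            saw_permit = True
        elif d == INDET:
            saw_error = True
            potential_deny = potential_deny or effect == DENY
    if potential_deny:       # a Deny rule could not be evaluated
        return INDET
    if saw_permit:
        return PERMIT
    return INDET if saw_error else NA

def reachable_policy_results(max_children=3):
    """Every result the policy-level combiner can produce, by enumeration."""
    return {policy_deny_overrides(c)
            for n in range(max_children + 1)
            for c in product((DENY, PERMIT, NA, INDET), repeat=n)}

# Constructed stand-in for D006/D008: one policy hits the missing
# MustBePresent attribute, a sibling policy is a true Deny.
d006_like = [INDET, DENY]

if __name__ == "__main__":
    print(policy_deny_overrides(d006_like))
    print(sorted(reachable_policy_results()))
    print(rule_deny_overrides([(DENY, INDET), (PERMIT, PERMIT)]))
```

The enumeration confirms that the policy-level combiner never yields Indeterminate, while the rule-level one does when a rule with effect Deny cannot be evaluated.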
