Subject: Re: [xacml-comment] D006 & D008
On 15 January, John Merrells writes: [xacml-comment] D006 & D008
> Both these tests expect a response of (Deny,ok)... but the policies
> include a reference to an undefined attribute with mustbepresent set,
> so I think the result should be (Indeterminate,missing-attribute).

The result of the <Policy> that contains the mustbepresent missing
attribute is (Indeterminate, missing-attribute), but there is another
<Policy> in the <PolicySet> that results in a true Deny.

According to the definition of Deny-overrides, which is the
<PolicySet> combining-algorithm in th

  a) In the entire set of policies in the policy set, if any policy
     evaluates to "Deny", then the result of the policy combination
     SHALL be "Deny"...

  b) if the policy evaluation results in "Indeterminate", then the
     policy set SHALL evaluate to "Deny".'

This seems pretty clear to me. Applying either a) or b) results in
"Deny". In fact, there is no way defined by the policy-combining
"Deny-overrides" algorithm for a result of "Indeterminate" to be
returned, which was the intent of the designers of this algorithm.

Indeterminate CAN be returned from a rule that uses the rule-combining
"Deny-overrides" algorithm, but that is not the case in these two
tests.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
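Added example, not part of the original message or of the XACML conformance suite: a Python sketch of the policy-combining Deny-overrides behaviour described in points a) and b) above, set beside a rule-combining variant that can return Indeterminate. The Permit/NotApplicable fall-through and the rule-combining logic follow the XACML 1.x pseudo-code and are assumptions relative to this message; all names and the sample input are constructed.

```python
# Added example: names are hypothetical; decisions are modelled as strings.
DENY, PERMIT, NA, INDET = "Deny", "Permit", "NotApplicable", "Indeterminate"


def policy_deny_overrides(decisions):
    """Policy-combining Deny-overrides over child <Policy> decisions."""
    at_least_one_permit = False
    for d in decisions:
        # a) any Deny gives Deny; b) Indeterminate is turned into Deny,
        # so this function never returns Indeterminate (it fails closed).
        if d in (DENY, INDET):
            return DENY
        if d == PERMIT:
            at_least_one_permit = True
    # Assumption (not stated in the message): Permit, then NotApplicable.
    return PERMIT if at_least_one_permit else NA


def rule_deny_overrides(rules):
    """Rule-combining Deny-overrides over (effect, decision) pairs."""
    # Assumption: an Indeterminate rule whose effect is Deny might have
    # denied, so the combined result stays Indeterminate.
    potential_deny = at_least_one_permit = at_least_one_error = False
    for effect, d in rules:
        if d == DENY:
            return DENY
        if d == PERMIT:
            at_least_one_permit = True
        elif d == INDET:
            at_least_one_error = True
            potential_deny = potential_deny or effect == DENY
    if potential_deny:
        return INDET
    if at_least_one_permit:
        return PERMIT
    return INDET if at_least_one_error else NA


# Constructed D006/D008-like input: one policy fails on a missing
# MustBePresent attribute, another policy in the set evaluates to Deny.
D006_LIKE = [INDET, DENY]

if __name__ == "__main__":
    print(policy_deny_overrides(D006_LIKE))
    print(rule_deny_overrides([(DENY, INDET), (PERMIT, PERMIT)]))
```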