OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

# xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [xacml-comment] A question about how to evaluate a policy set

• To: XACML COMMENT <xacml-comment@lists.oasis-open.org>
• Date: Sun, 26 Jan 2003 13:01:54 +0900

```Hi,

I have a question about how to evaluate a policy set.

Appendix C describes how to combine a sequence of policies.
However, it's unclear to me how to combine a sequence of policy SETs (e.g.,
a sequence of two policy sets).

------------------------------
Question:

For example consider a policy set (the root policy set R) using the
"First-applicable" policy combining alg.
Assume that the root policy set R contains a sequence of two policy sets (A
and B).
Assume that the policy set A contains two policies (A1 and A2).
Assume that the policy set B contains two policies (B1 and B2).

The question is how to evaluate the root policy set R.
I think there are two approaches to such an evaluation.
Please tell me which one is correct.
It seems to me Approach 1 is correct from the description in Appendix C.
Is there any description related to this question in the specification?

------------------------------
Approach 1:
We first flatten out the tree of the policy set R so that we can consider
the policy set R
contains the four policies (A1, A2, B1, B2) as immediate children.
Then we evaluate the policy set R according to the algorithm described in
Appendix C.
Note that this approach IGNORES the policy combining algorithms specified
in the intermediate policy sets A and B.

------------------------------
Approach 2:
We don't flatten out.
First we evaluate the policy set A to combine A1 and A2 accroding to A's
policy combining algorithm.
If A is applicable return the decision.
Otherwise evaluate the policy set B to combine B1 and B2 accroding to B's
policy combining algorithm......
...

------------------------------