
*Subject*: **Re: [xacml-comment] A question about how to evaluate a policy set**

*From*: **Anne Anderson <Anne.Anderson@Sun.com>**

*To*: Satoshi Hada <SATOSHIH@jp.ibm.com>

*Date*: Mon, 27 Jan 2003 09:37:02 -0500 (EST)

Satoshi,

Neither approach is really correct. For "First-applicable", you first determine, from the Target elements of the immediate PolicySets, which is the first one that is applicable (without evaluating the policies under it). You do not say whether the Target element of the immediate PolicySet is applicable. If PolicySet A is applicable, then you will do nothing with PolicySet B: the result will depend entirely on the result of PolicySet A, even if that result is "NotApplicable".

For example:

```
<PolicySet R FirstApplicable>
  <Target> [Match] </Target>
  <PolicySet A PermitOverrides>
    <Target A> [Match] </Target>
    <Policy A1> [Not applicable] </Policy A1>
    <Policy A2> [Not applicable] </Policy A2>
  </PolicySet A>
  <PolicySet B PermitOverrides>
    <Target> [Match] </Target>
    <Policy B1> [Permit] </Policy B1>
    <Policy B2> [Permit] </Policy B2>
  </PolicySet B>
</PolicySet R>
```

There are test cases in the Compliance Test Suite that check this.

Anne Anderson

This evaluates to "NotApplicable":

1. The Target of PolicySet R is evaluated: result is "Match", so the remainder of PolicySet R is evaluated.
2. The Target of PolicySet A is evaluated: result is "Match". Under "First Applicable", this means that the result of evaluating PolicySet R will be based entirely on the result of evaluating PolicySet A.
3. Policy A1 is evaluated: result is NotApplicable.
4. Policy A2 is evaluated: result is NotApplicable.
5. Results from Policy A1 and A2 are combined: according to PermitOverrides, the result is "NotApplicable". This is the result returned from evaluating PolicySet R.

On 26 January, Satoshi Hada writes: [xacml-comment] A question about how to evaluate a policy set

> For example consider a policy set (the root policy set R) using the
> "First-applicable" policy combining alg.
> Assume that the root policy set R contains a sequence of two policy sets (A
> and B).
> Assume that the policy set A contains two policies (A1 and A2).
> Assume that the policy set B contains two policies (B1 and B2).
>
> The question is how to evaluate the root policy set R.
> I think there are two approaches to such an evaluation.
> Please tell me which one is correct.
> It seems to me Approach 1 is correct from the description in Appendix C.
> Is there any description related to this question in the specification?
>
> ------------------------------
> Approach 1:
> We first flatten out the tree of the policy set R so that we can consider
> the policy set R
> contains the four policies (A1, A2, B1, B2) as immediate children.
> Then we evaluate the policy set R according to the algorithm described in
> Appendix C.
> Note that this approach IGNORES the policy combining algorithms specified
> in the intermediate policy sets A and B.
>
> ------------------------------
> Approach 2:
> We don't flatten out.
> First we evaluate the policy set A to combine A1 and A2 according to A's
> policy combining algorithm.
> If A is applicable return the decision.
> Otherwise evaluate the policy set B to combine B1 and B2 according to B's
> policy combining algorithm......
> ...

**References**: **[xacml-comment] A question about how to evaluate a policy set** *From:* Satoshi Hada <SATOSHIH@jp.ibm.com>
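The evaluation order described in the reply, run next to the two approaches from the quoted question on the same R/A/B tree, as an added example that is not part of the original message or of any XACML implementation. The class names, the `fall_through` switch and the reduced permit-overrides (no Indeterminate) are assumptions of this sketch, and Approach 1 is assumed to walk the flattened list with fall-through.

```python
from dataclasses import dataclass

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

@dataclass
class Policy:
    name: str
    result: str          # fixed outcome, like the bracketed values in the example
    target: bool = True  # assumption: leaf Targets match unless stated otherwise

@dataclass
class PolicySet:
    name: str
    alg: str             # "first-applicable" or "permit-overrides"
    children: list
    target: bool = True

def permit_overrides(results):
    # Simplified combining: Indeterminate is not modelled in this sketch.
    return PERMIT if PERMIT in results else DENY if DENY in results else NA

def evaluate(node, fall_through=False):
    # fall_through=False: first-applicable commits to the first child whose
    # Target matches and returns its result, even NotApplicable (the reply).
    # fall_through=True: a NotApplicable child is skipped (Approach 2).
    if not node.target:
        return NA
    if isinstance(node, Policy):
        return node.result
    if node.alg == "permit-overrides":
        return permit_overrides([evaluate(c, fall_through) for c in node.children])
    for child in node.children:  # first-applicable
        if not child.target:
            continue
        result = evaluate(child, fall_through)
        if result != NA or not fall_through:
            return result
    return NA

def flatten(node):
    # Approach 1: keep only leaf policies, dropping the intermediate algorithms.
    return [node] if isinstance(node, Policy) else [p for c in node.children for p in flatten(c)]

def compare():
    a = PolicySet("A", "permit-overrides", [Policy("A1", NA), Policy("A2", NA)])
    b = PolicySet("B", "permit-overrides", [Policy("B1", PERMIT), Policy("B2", PERMIT)])
    r = PolicySet("R", "first-applicable", [a, b])
    flat = PolicySet("R-flat", r.alg, flatten(r))
    return {"reply": evaluate(r), "approach_1": evaluate(flat, fall_through=True),
            "approach_2": evaluate(r, fall_through=True)}
```

In this model the reply's ordering yields "NotApplicable" for the request while both approaches from the question yield "Permit", so the choice of interpretation changes the access decision.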
