[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

*Subject*: **Re: [xacml-comment] A question about how to evaluate a policy set**

*From*:**Satoshi Hada <SATOSHIH@jp.ibm.com>***To*: XACML COMMENT <xacml-comment@lists.oasis-open.org>*Date*: Tue, 28 Jan 2003 10:39:53 +0900

Anne, Thank you the reply. >> 1. The Target of PolicySet R is evaluated: result is "Match", so >> the remainder of PolicySet R is evaluated. Yes, Section 7.7 says so. >> 2. The Target of PolicySet A is evaluated: result is >> "Match". Under "First Applicable", this means that the result >> of evaluating PolicySet R will be based entirely on the result >> of evaluating PolicySet A. >> 3. Policy A1 is evaluated: result is NotApplicable. >> 4. Policy A2 is evaluated: result is NotApplicable. >> 5. Results from Policy A1 and A2 are combined: according to >> PermitOverrides, the result is "NotApplicable". This is the >> result returned from evaluating PolicySet R. I disagree on this. Appendix C.3 says that if (decision==NotApplicable) continue. This means that the decision from PolicyA is "NotApplicable" then we should evaluate PolicyB next. >> There are test cases in the Compliance Test Suite that check this. Which one? I've checked the IID test cases. However, the root <PolicySet> contains multiple <Policy> tags, but no <PolicySet> tag. Anyway, I understand the spec does not assume Approach 1 I mentioned in my previous mail. However, I don't think the specification is clear enough about this issue. In particular, Appendix C is misleading since it only says about how to combine policies, but not about how to combine policy sets (more exactly policies and policy sets). Satoshi Hada IBM Tokyo Research Laboratory mailto:satoshih@jp.ibm.com Anne Anderson <Anne.Anderson@Su To: Satoshi Hada/Japan/IBM@IBMJP n.com> cc: XACML COMMENT <xacml-comment@lists.oasis-open.org> Subject: Re: [xacml-comment] A question about how to evaluate a policy set 2003/01/27 23:37 Please respond to Anne.Anderson Satoshi, Neither approach is really correct. For "First-applicable", you first determine, from the Target elements of the immediate PolicySets, which is the first one that is applicable (without evaluating the policies under it). You do not say whether the Target element of the immediate PolicySet is applicable. If PolicySet A is applicable, then you will do nothing with PolicySet B: the result will depend entirely on on the result of PolicySet A, even if that result is "NotApplicable". For example: <PolicySet R FirstApplicable> <Target> [Match] </Target> <PolicySet A PermitOverrides> <Target A> [Match] </Target> <Policy A1> [Not applicable] </Policy A1> <Policy A2> [Not applicable] </Policy A2> </PolicySet A> <PolicySet B PermitOverrides> <Target> [Match] </Target> <Policy B1> [Permit] </Policy B1> <Policy B2> [Permit] </Policy B2> </PolicySet B> <PolicySet R> There are test cases in the Compliance Test Suite that check this. Anne Anderson This evaluates to "NotApplicable": 1. The Target of PolicySet R is evaluated: result is "Match", so the remainder of PolicySet R is evaluated. 2. The Target of PolicySet A is evaluated: result is "Match". Under "First Applicable", this means that the result of evaluating PolicySet R will be based entirely on the result of evaluating PolicySet A. 3. Policy A1 is evaluated: result is NotApplicable. 4. Policy A2 is evaluated: result is NotApplicable. 5. Results from Policy A1 and A2 are combined: according to PermitOverrides, the result is "NotApplicable". This is the result returned from evaluating PolicySet R. On 26 January, Satoshi Hada writes: [xacml-comment] A question about how to evaluate a policy set > For example consider a policy set (the root policy set R) using the > "First-applicable" policy combining alg. > Assume that the root policy set R contains a sequence of two policy sets (A > and B). > Assume that the policy set A contains two policies (A1 and A2). > Assume that the policy set B contains two policies (B1 and B2). > > The question is how to evaluate the root policy set R. > I think there are two approaches to such an evaluation. > Please tell me which one is correct. > It seems to me Approach 1 is correct from the description in Appendix C. > Is there any description related to this question in the specification? > > ------------------------------ > Approach 1: > We first flatten out the tree of the policy set R so that we can consider > the policy set R > contains the four policies (A1, A2, B1, B2) as immediate children. > Then we evaluate the policy set R according to the algorithm described in > Appendix C. > Note that this approach IGNORES the policy combining algorithms specified > in the intermediate policy sets A and B. > > ------------------------------ > Approach 2: > We don't flatten out. > First we evaluate the policy set A to combine A1 and A2 accroding to A's > policy combining algorithm. > If A is applicable return the decision. > Otherwise evaluate the policy set B to combine B1 and B2 accroding to B's > policy combining algorithm...... > ...

**Follow-Ups**:**Re: [xacml-comment] A question about how to evaluate a policy set***From:*Anne Anderson <Anne.Anderson@Sun.com>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC