

Subject: Re: [xacml-comment] A question about how to evaluate a policy set



S.H.>> This means that the decision from PolicyA is "NotApplicable" then
S.H.>> we should evaluate PolicyB next.

Sorry, "PolicyA" should be "PolicySetA" and "PolicyB" should be
"PolicySetB".
Please correct me if I'm wrong.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com


Satoshi Hada/Japan/IBM@IBMJP
2003/01/28 10:39

To: XACML COMMENT <xacml-comment@lists.oasis-open.org>
Subject: Re: [xacml-comment] A question about how to evaluate a policy set




Anne,

Thank you for the reply.

>> 1. The Target of PolicySet R is evaluated: result is "Match", so
>>    the remainder of PolicySet R is evaluated.

Yes, Section 7.7 says so.

>> 2. The Target of PolicySet A is evaluated: result is
>>    "Match".  Under "First Applicable", this means that the result
>>    of evaluating PolicySet R will be based entirely on the result
>>    of evaluating PolicySet A.
>> 3. Policy A1 is evaluated: result is NotApplicable.
>> 4. Policy A2 is evaluated: result is NotApplicable.
>> 5. Results from Policy A1 and A2 are combined: according to
>>    PermitOverrides, the result is "NotApplicable".  This is the
>>    result returned from evaluating PolicySet R.

I disagree on this.
Appendix C.3 says that if (decision==NotApplicable) continue.
This means that the decision from PolicyA is "NotApplicable" then
we should evaluate PolicyB next.

>> There are test cases in the Compliance Test Suite that check this.

Which one?
I've checked the IID test cases.
However, the root <PolicySet> contains multiple <Policy> tags, but no
<PolicySet> tag.

Anyway, I understand the spec does not assume Approach 1 I mentioned in my
previous mail.
However, I don't think the specification is clear enough about this issue.
In particular, Appendix C is misleading since it only talks about how to
combine policies, but not about how to combine policy sets (more exactly,
policies and policy sets).

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com



Anne Anderson <Anne.Anderson@Sun.com>
2003/01/27 23:37
Please respond to Anne.Anderson

To: Satoshi Hada/Japan/IBM@IBMJP
cc: XACML COMMENT <xacml-comment@lists.oasis-open.org>
Subject: Re: [xacml-comment] A question about how to evaluate a policy set





Satoshi,

Neither approach is really correct.  For "First-applicable", you
first determine, from the Target elements of the immediate
PolicySets, which is the first one that is applicable (without
evaluating the policies under it).  You do not say whether the
Target element of the immediate PolicySet is applicable.

If PolicySet A is applicable, then you will do nothing with
PolicySet B: the result will depend entirely on the result of
PolicySet A, even if that result is "NotApplicable".

For example:

<PolicySet R FirstApplicable>
  <Target>
     [Match]
  </Target>
  <PolicySet A PermitOverrides>
     <Target A>
        [Match]
     </Target>
     <Policy A1>
        [Not applicable]
     </Policy A1>
     <Policy A2>
        [Not applicable]
     </Policy A2>
  </PolicySet A>
  <PolicySet B PermitOverrides>
     <Target>
         [Match]
     </Target>
     <Policy B1>
         [Permit]
     </Policy B1>
     <Policy B2>
         [Permit]
     </Policy B2>
  </PolicySet B>
</PolicySet R>

There are test cases in the Compliance Test Suite that check
this.

Anne Anderson

This evaluates to "NotApplicable":
1. The Target of PolicySet R is evaluated: result is "Match", so
   the remainder of PolicySet R is evaluated.
2. The Target of PolicySet A is evaluated: result is
   "Match".  Under "First Applicable", this means that the result
   of evaluating PolicySet R will be based entirely on the result
   of evaluating PolicySet A.
3. Policy A1 is evaluated: result is NotApplicable.
4. Policy A2 is evaluated: result is NotApplicable.
5. Results from Policy A1 and A2 are combined: according to
   PermitOverrides, the result is "NotApplicable".  This is the
   result returned from evaluating PolicySet R.

On 26 January, Satoshi Hada writes: [xacml-comment] A question about how to
evaluate a policy set
 > For example consider a policy set (the root policy set R) using the
 > "First-applicable" policy combining alg.
 > Assume that the root policy set R contains a sequence of two policy sets (A
 > and B).
 > Assume that the policy set A contains two policies (A1 and A2).
 > Assume that the policy set B contains two policies (B1 and B2).
 >
 > The question is how to evaluate the root policy set R.
 > I think there are two approaches to such an evaluation.
 > Please tell me which one is correct.
 > It seems to me Approach 1 is correct from the description in Appendix C.
 > Is there any description related to this question in the specification?
 >
 > ------------------------------
 > Approach 1:
 > We first flatten out the tree of the policy set R so that we can consider
 > the policy set R
 > contains the four policies (A1, A2, B1, B2) as immediate children.
 > Then we evaluate the policy set R according to the algorithm described in
 > Appendix C.
 > Note that this approach IGNORES the policy combining algorithms specified
 > in the intermediate policy sets A and B.
 >
 > ------------------------------
 > Approach 2:
 > We don't flatten out.
 > First we evaluate the policy set A to combine A1 and A2 according to A's
 > policy combining algorithm.
 > If A is applicable return the decision.
 > Otherwise evaluate the policy set B to combine B1 and B2 according to B's
 > policy combining algorithm......
 > ...
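
The readings of "First-applicable" debated in this thread, run against the PolicySet R example; this is an added example and is not part of any message in the thread. The dictionary model, the function names and the omission of Indeterminate are assumptions made for illustration.

```python
# Added example: constructed model of the PolicySet R tree from the thread.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def policy(decision):
    # Simplification: a Policy is a leaf with a matching Target and a fixed decision.
    return {"target": True, "decision": decision}

def policy_set(alg, children, target=True):
    return {"target": target, "alg": alg, "children": children}

def permit_overrides(children, evaluate):
    # Indeterminate handling is left out of this sketch.
    results = [evaluate(c) for c in children]
    return PERMIT if PERMIT in results else DENY if DENY in results else NA

def first_applicable_continue(children, evaluate):
    # Reading cited from Appendix C.3: evaluate each child, continue on NotApplicable.
    for child in children:
        decision = evaluate(child)
        if decision != NA:
            return decision
    return NA

def first_applicable_target_first(children, evaluate):
    # Reading in Anne's reply: the first child whose Target matches decides alone.
    for child in children:
        if child["target"]:
            return evaluate(child)
    return NA

def make_evaluator(first_applicable):
    algs = {"first-applicable": first_applicable, "permit-overrides": permit_overrides}
    def evaluate(node):
        if not node["target"]:
            return NA
        if "decision" in node:
            return node["decision"]
        return algs[node["alg"]](node["children"], evaluate)
    return evaluate

def flatten(node):
    # Approach 1: hoist every leaf Policy to the root, dropping inner algorithms.
    if "decision" in node:
        return [node]
    return [leaf for c in node["children"] for leaf in flatten(c)]

A = policy_set("permit-overrides", [policy(NA), policy(NA)])
B = policy_set("permit-overrides", [policy(PERMIT), policy(PERMIT)])
R = policy_set("first-applicable", [A, B])

def decide(variant, root=R):
    return make_evaluator(variant)(root)
```

With this tree, `decide(first_applicable_target_first)` yields NotApplicable while `decide(first_applicable_continue)` and the flattened root yield Permit, so two PDPs that differ on this point return different access decisions for the same request.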






