
xacml-comment message



Subject: Re: [xacml-comment] A question about how to evaluate a policy set


On 28 January, Satoshi Hada writes: Re: [xacml-comment] A question about how to evaluate a policy set
 > >> 2. The Target of PolicySet A is evaluated: result is
 > >>    "Match".  Under "First Applicable", this means that the result
 > >>    of evaluating PolicySet R will be based entirely on the result
 > >>    of evaluating PolicySet A.
 > >> 3. Policy A1 is evaluated: result is NotApplicable.
 > >> 4. Policy A2 is evaluated: result is NotApplicable.
 > >> 5. Results from Policy A1 and A2 are combined: according to
 > >>    PermitOverrides, the result is "NotApplicable".  This is the
 > >>    result returned from evaluating PolicySet R.
 > 
 > I disagree on this.
 > Appendix C.3 says that if (decision==NotApplicable) continue.
 > This means that if the decision from PolicyA is "NotApplicable" then
 > we should evaluate PolicyB next.

You are right.  I should be more careful when I have not read the
description of the algorithm recently!

 > >> There are test cases in the Compliance Test Suite that check this.
 > 
 > Which one?
 > I've checked the IID test cases.
 > However, the root <PolicySet> contains multiple <Policy> tags, but no
 > <PolicySet> tag.

I don't have any that test root <PolicySet> containing
<PolicySet>s.  A <PolicySet> inside a root <PolicySet> is treated
exactly like a <Policy> inside a root <PolicySet>.  As you
mention, the IID test cases include these.

 > Anyway, I understand the spec does not assume Approach 1 I mentioned in my
 > previous mail.
 > However, I don't think the specification is clear enough about this issue.
 > In particular, Appendix C is misleading since it only talks about how to
 > combine policies,
 > but not about how to combine policy sets (more exactly policies and policy
 > sets).

A <PolicySet> is treated exactly like a <Policy> in these
combining algorithms.

The document does not spell this out, and it should.  I suggest
we add that to the errata.

Anne Anderson
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
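
The evaluation order discussed in this message, as an added example that is not part of the original e-mail or of the XACML specification text: a small evaluator in which a nested policy set is handed to the combining algorithm exactly like a policy. The class names, the targets, and the contents of A1, A2 and B are constructed for illustration, and each policy's rules are collapsed to a single effect.

```python
# Added illustration: class and function names are hypothetical, not from the XACML spec.
from dataclasses import dataclass
from typing import Callable, List

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"

def first_applicable(decisions):
    for d in decisions:              # lazy: later children are never evaluated
        if d != NA:
            return d
    return NA                        # every child was NotApplicable

def permit_overrides(decisions):
    seen = set()
    for d in decisions:
        if d == PERMIT:
            return PERMIT
        seen.add(d)
    return DENY if DENY in seen else INDET if INDET in seen else NA

@dataclass
class Policy:                        # rules collapsed to one effect (simplification)
    name: str
    target: Callable[[dict], bool]
    effect: str
    def evaluate(self, request, trace):
        decision = self.effect if self.target(request) else NA
        trace.append((self.name, decision))
        return decision

@dataclass
class PolicySet:
    name: str
    target: Callable[[dict], bool]
    combine: Callable
    children: List                   # Policy and PolicySet objects, mixed freely
    def evaluate(self, request, trace):
        decision = NA
        if self.target(request):     # target "Match": combine the children
            decision = self.combine(c.evaluate(request, trace) for c in self.children)
        trace.append((self.name, decision))
        return decision

def evaluate_root(request):
    # Constructed policies: A1, A2 and B are sample content, not from the thread.
    any_request = lambda r: True
    a = PolicySet("A", any_request, permit_overrides, [
        Policy("A1", lambda r: r["action"] == "write", DENY),
        Policy("A2", lambda r: r["action"] == "delete", PERMIT)])
    b = Policy("B", any_request, PERMIT)
    trace = []
    decision = PolicySet("R", any_request, first_applicable, [a, b]).evaluate(request, trace)
    return decision, trace
```

For a "read" request the trace shows PolicySet A matching its target yet combining to NotApplicable, so the root moves on to B; for a "write" request A yields Deny and B is never evaluated.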


