Subject: Re: [xacml-comment] A question about how to evaluate a policy set
On 28 January, Satoshi Hada writes: Re: [xacml-comment] A question about how to evaluate a policy set
> >> 2. The Target of PolicySet A is evaluated: result is
> >> "Match". Under "First Applicable", this means that the result
> >> of evaluating PolicySet R will be based entirely on the result
> >> of evaluating PolicySet A.
> >> 3. Policy A1 is evaluated: result is NotApplicable.
> >> 4. Policy A2 is evaluated: result is NotApplicable.
> >> 5. Results from Policy A1 and A2 are combined: according to
> >> PermitOverrides, the result is "NotApplicable". This is the
> >> result returned from evaluating PolicySet R.
>
> I disagree on this.
> Appendix C.3 says that if (decision==NotApplicable) continue.
> This means that the decision from PolicyA is "NotApplicable" then
> we should evaluate PolicyB next.

You are right. I should be more careful when I have not read the
description of the algorithm recently!

> >> There are test cases in the Compliance Test Suite that check this.
>
> Which one?
> I've checked the IID test cases.
> However, the root <PolicySet> contains multiple <Policy> tags, but no
> <PolicySet> tag.

I don't have any that test root <PolicySet> containing
<PolicySet>s. A <PolicySet> inside a root <PolicySet> is treated
exactly like a <Policy> inside a root <PolicySet>. As you
mention, the IID test cases include these.

> Anyway, I understand the spec does not assume Approach 1 I mentioned in my
> previous mail.
> However, I don't think the specification is clear enough about this issue.
> In particular, Appendix C is misleading since it only says about how to
> combine policies,
> but not about how to combine policy sets (more exactly policies and policy
> sets).

A <PolicySet> is treated exactly like a <Policy> in these
combining algorithms. The document does not spell this out, and
it should. I suggest we add that to the errata.

Anne Anderson
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
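The evaluation order settled in this message, as an added example that is not part of the original e-mail or of the XACML specification text: a simplified evaluator in which a PolicySet child is combined exactly like a Policy child, and a NotApplicable result from PolicySet A under first-applicable lets evaluation continue to B. The names R, A, A1, A2 and B follow the thread; the request attributes, targets and effects are constructed, and rules and conditions are reduced to one target and one effect per policy.

```python
from dataclasses import dataclass
from typing import Callable
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

def first_applicable(decisions):
    for d in decisions:                 # NotApplicable means "continue" with the next child
        if d != NOT_APPLICABLE:
            return d                    # Permit, Deny or Indeterminate ends the search
    return NOT_APPLICABLE

def permit_overrides(decisions):
    seen = set()
    for d in decisions:
        if d == PERMIT:
            return PERMIT
        seen.add(d)
    # No Permit seen: Deny outranks Indeterminate, which outranks NotApplicable.
    return max(seen, key=[NOT_APPLICABLE, INDETERMINATE, DENY].index, default=NOT_APPLICABLE)

@dataclass
class Policy:                           # simplified: one target, one effect
    name: str
    target: Callable[[dict], bool]
    effect: str
    def evaluate(self, request, trace):
        decision = self.effect if self.target(request) else NOT_APPLICABLE
        trace.append((self.name, decision))
        return decision

@dataclass
class PolicySet:
    name: str
    target: Callable[[dict], bool]
    combine: Callable
    children: list                      # Policy and PolicySet objects, mixed freely
    def evaluate(self, request, trace):
        decision = NOT_APPLICABLE
        if self.target(request):        # children are evaluated lazily, in document order
            decision = self.combine(c.evaluate(request, trace) for c in self.children)
        trace.append((self.name, decision))
        return decision

def decide(request):  # constructed scenario: R = first-applicable over [PolicySet A, Policy B]
    a1 = Policy("A1", lambda r: r["action"] == "write", PERMIT)
    a2 = Policy("A2", lambda r: r["subject"] == "bob", DENY)
    a = PolicySet("A", lambda r: True, permit_overrides, [a1, a2])
    b = Policy("B", lambda r: r["action"] == "read", PERMIT)
    root = PolicySet("R", lambda r: True, first_applicable, [a, b])
    trace = []
    return root.evaluate(request, trace), trace
```

The returned trace lists each policy and policy set in the order its decision was reached, so it shows whether B was consulted at all.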