Subject: Re: [xacml-comment] A question about how to evaluate a policy set
Anne,

Thank you for the clarification.

>> I should be more careful when I have not read the
>> description of the algorithm recently!

No, your wrong answer is not due to your careless reading, rather it's due to an inconsistency about the term "applicable". In appendix C.3 (FirstApplicable), an applicable policy means a policy such that the evaluation decision is not NotApplicable. On the other hand, in C.2 (OnlyOneApplicable), an applicable policy means a policy such that the target matches the request context. In my personal opinion, "OnlyOneApplicable" should be renamed to "OnlyOneMatch". Also, Section 7.7 (PolicySetEvaluation) seems to me to use the term for both meanings at the same time. Section 1.1 (non-normative) gives us the definition of "applicable policy". I don't know what the definition means. It makes no sense to me.

>> A <PolicySet> is treated exactly like a <Policy> in these
>> combining algorithms.

Okay, this is what I wanted to confirm. Thank you very much.

>> The document does not spell this out, and it should. I suggest
>> we add that to the errata.

Thanks.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com


From: Anne Anderson <Anne.Anderson@Sun.com>
To: Satoshi Hada/Japan/IBM@IBMJP
cc: XACML COMMENT <xacml-comment@lists.oasis-open.org>
Subject: Re: [xacml-comment] A question about how to evaluate a policy set
Date: 2003/01/29 00:28
Please respond to Anne.Anderson

On 28 January, Satoshi Hada writes: Re: [xacml-comment] A question about how to evaluate a policy set

> >> 2. The Target of PolicySet A is evaluated: result is
> >> "Match". Under "First Applicable", this means that the result
> >> of evaluating PolicySet R will be based entirely on the result
> >> of evaluating PolicySet A.
> >> 3. Policy A1 is evaluated: result is NotApplicable.
> >> 4. Policy A2 is evaluated: result is NotApplicable.
> >> 5. Results from Policy A1 and A2 are combined: according to
> >> PermitOverrides, the result is "NotApplicable". This is the
> >> result returned from evaluating PolicySet R.
>
> I disagree on this.
> Appendix C.3 says that if (decision==NotApplicable) continue.
> This means that the decision from PolicyA is "NotApplicable" then
> we should evaluate PolicyB next.

You are right. I should be more careful when I have not read the description of the algorithm recently!

> >> There are test cases in the Compliance Test Suite that check this.
>
> Which one?
> I've checked the IID test cases.
> However, the root <PolicySet> contains multiple <Policy> tags, but no
> <PolicySet> tag.

I don't have any that test root <PolicySet> containing <PolicySet>s. A <PolicySet> inside a root <PolicySet> is treated exactly like a <Policy> inside a root <PolicySet>. As you mention, the IID test cases include these.

> Anyway, I understand the spec does not assume Approach 1 I mentioned in my
> previous mail.
> However, I don't think the specification is clear enough about this issue.
> In particular, Appendix C is misleading since it only says about how to
> combine policies,
> but not about how to combine policy sets (more exactly policies and policy
> sets).

A <PolicySet> is treated exactly like a <Policy> in these combining algorithms. The document does not spell this out, and it should. I suggest we add that to the errata.

Anne Anderson
--
Anne H. Anderson              Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311   Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl>
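A minimal model of the point settled in this thread, added here as an example (it is not code from the XACML specification, the thread, or the Compliance Test Suite; the class and function names are hypothetical): a FirstApplicable combiner skips children whose decision is NotApplicable, and it only ever calls evaluate() on a child, so a nested PolicySet is handled exactly like a Policy. The scenario is the one in the quoted mail: PolicySet R (FirstApplicable) containing PolicySet A (PermitOverrides, target matches, A1 and A2 both NotApplicable) followed by Policy B.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed example with hypothetical names; not the XACML spec's text or any implementation.
NOT_APPLICABLE, PERMIT, DENY = "NotApplicable", "Permit", "Deny"   # Indeterminate omitted

@dataclass
class Policy:
    target_matches: bool   # outcome of evaluating the <Target>, assumed given
    effect: str            # combined rule decision when the target matches
    def evaluate(self) -> str:
        return self.effect if self.target_matches else NOT_APPLICABLE

@dataclass
class PolicySet:
    target_matches: bool
    algorithm: Callable[[list], str]
    children: list         # any mix of Policy and PolicySet
    def evaluate(self) -> str:
        if not self.target_matches:
            return NOT_APPLICABLE
        # The algorithm only calls evaluate() on each child, so a nested
        # <PolicySet> is treated exactly like a <Policy>.
        return self.algorithm(self.children)

def first_applicable(children: list) -> str:
    # Appendix C.3: if (decision == NotApplicable) continue; the first Permit/Deny wins.
    for child in children:
        decision = child.evaluate()
        if decision == NOT_APPLICABLE:
            continue
        return decision
    return NOT_APPLICABLE

def permit_overrides(children: list) -> str:
    decisions = [child.evaluate() for child in children]
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NOT_APPLICABLE

def thread_example(include_b: bool = True) -> str:
    # PolicySet R (FirstApplicable) = [PolicySet A (PermitOverrides, target matches,
    # A1 and A2 both NotApplicable), Policy B (Deny)].
    a = PolicySet(True, permit_overrides, [Policy(False, PERMIT), Policy(False, DENY)])
    children = [a, Policy(True, DENY)] if include_b else [a]
    return PolicySet(True, first_applicable, children).evaluate()
```

With Policy B present the result of R is "Deny", because evaluation continues past A; with B removed it is "NotApplicable".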