xacml-comment message



Subject: Re: [xacml-comment] A question about how to evaluate a policy set



Anne,

Thank you for the clarification.

>> I should be more careful when I have not read the
>> description of the algorithm recently!

No, your wrong answer is not due to your careless reading, rather it's due
to an inconsistency about the term "applicable".

In appendix C.3 (FirstApplicable),
an applicable policy means a policy such that the evaluation decision is
not NotApplicable.
On the other hand, in C.2 (OnlyOneApplicable),
an applicable policy means a policy such that the target matches the
request context.

In my personal opinion, "OnlyOneApplicable" should be renamed to
"OnlyOneMatch".

Also, Section 7.7 (PolicySetEvaluation) seems to me to use
the term for both meanings at the same time.

Section 1.1 (non-normative) gives us the definition of "applicable policy".
I don't know what the definition means.
It makes no sense to me.

>> A <PolicySet> is treated exactly like a <Policy> in these
>> combining algorithms.

Okay, this is what I wanted to confirm.
Thank you very much.

>> The document does not spell this out, and it should.  I suggest
>> we add that to the errata.

Thanks.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com


                                                                                                                                   
Anne Anderson <Anne.Anderson@Sun.com>
2003/01/29 00:28
Please respond to Anne.Anderson

To:       Satoshi Hada/Japan/IBM@IBMJP
cc:       XACML COMMENT <xacml-comment@lists.oasis-open.org>
Subject:  Re: [xacml-comment] A question about how to evaluate a policy set
                                                                                                                                   
                                                                                                                                   



On 28 January, Satoshi Hada writes: Re: [xacml-comment] A question about
how to evaluate a policy set
 > >> 2. The Target of PolicySet A is evaluated: result is
 > >>    "Match".  Under "First Applicable", this means that the result
 > >>    of evaluating PolicySet R will be based entirely on the result
 > >>    of evaluating PolicySet A.
 > >> 3. Policy A1 is evaluated: result is NotApplicable.
 > >> 4. Policy A2 is evaluated: result is NotApplicable.
 > >> 5. Results from Policy A1 and A2 are combined: according to
 > >>    PermitOverrides, the result is "NotApplicable".  This is the
 > >>    result returned from evaluating PolicySet R.
 >
 > I disagree on this.
 > Appendix C.3 says that if (decision==NotApplicable) continue.
 > This means that if the decision from PolicyA is "NotApplicable" then
 > we should evaluate PolicyB next.

You are right.  I should be more careful when I have not read the
description of the algorithm recently!

 > >> There are test cases in the Compliance Test Suite that check this.
 >
 > Which one?
 > I've checked the IID test cases.
 > However, the root <PolicySet> contains multiple <Policy> tags, but no
 > <PolicySet> tag.

I don't have any that test root <PolicySet> containing
<PolicySet>s.  A <PolicySet> inside a root <PolicySet> is treated
exactly like a <Policy> inside a root <PolicySet>.  As you
mention, the IID test cases include these.

 > Anyway, I understand the spec does not assume Approach 1 I mentioned in my
 > previous mail.
 > However, I don't think the specification is clear enough about this issue.
 > In particular, Appendix C is misleading since it only talks about how to
 > combine policies,
 > but not about how to combine policy sets (more exactly policies and policy
 > sets).

A <PolicySet> is treated exactly like a <Policy> in these
combining algorithms.

The document does not spell this out, and it should.  I suggest
we add that to the errata.

Anne Anderson
--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
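
The two meanings of "applicable" discussed in this thread, shown on the PolicySet R / PolicySet A example as a small model. This is an added example, not part of either message and not text from the XACML specification. The Node class, the simplified leaf policies and Policy B's Deny decision are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass
class Node:
    """A <Policy> or a <PolicySet>; the combining algorithms treat both alike."""
    name: str
    target: Callable[[dict], bool]       # does the Target match the request?
    effect: str = NA                     # leaf <Policy>: decision once its target matches (simplified)
    children: List["Node"] = field(default_factory=list)
    combine: Optional[Callable] = None   # set only on a <PolicySet>

def evaluate(node, request):
    if not node.target(request):
        return NA
    if node.combine is None:
        return node.effect
    return node.combine(node.children, request)

def first_applicable(children, request):
    # "applicable" here: the child's *decision* is not NotApplicable
    for child in children:
        decision = evaluate(child, request)
        if decision != NA:
            return decision
    return NA

def only_one_applicable(children, request):
    # "applicable" here: the child's *target* matches, whatever it would decide
    matched = [c for c in children if c.target(request)]
    if len(matched) > 1:
        return INDET
    return evaluate(matched[0], request) if matched else NA

def permit_overrides(children, request):
    decisions = {evaluate(c, request) for c in children}
    # simplified precedence: Permit, then Deny, then Indeterminate
    return next((d for d in (PERMIT, DENY, INDET) if d in decisions), NA)

def scenario():
    yes, no = (lambda r: True), (lambda r: False)
    a = Node("A", yes, combine=permit_overrides,
             children=[Node("A1", no, PERMIT), Node("A2", no, PERMIT)])
    b = Node("B", yes, DENY)             # constructed: the thread does not give B's decision
    first = Node("R", yes, combine=first_applicable, children=[a, b])
    only = Node("R", yes, combine=only_one_applicable, children=[a, b])
    return evaluate(a, {}), evaluate(first, {}), evaluate(only, {})
```

scenario() returns the decision of PolicySet A alone, then of root R under FirstApplicable, then of root R under OnlyOneApplicable, for the same children and the same request.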

