Subject: Re: [xacml-comment] Public Comment
Hi Aswin,

comment-form@oasis-open.org wrote:
> Comment from: aswink@thedistillery.com.au
>
> Hello there,
>
> I have a few questions on XACML, specifically on (Rule target, Condition) and how the PDP finds the right policy to evaluate with the request.
>
> 1. What is the significance of the rule target in the policy, and how is it different from the policy target? My understanding of the rule target is that it is a subset of the policy target.

The Policy is evaluated only if the Policy Target evaluates to "true", so the Rules in the Policy will never be evaluated unless the Policy's Target is "true". Likewise, a Rule is evaluated only if its Target evaluates to "true", so the Condition in a Rule will be evaluated only if the Rule's Target is "true".

Evaluated independently, a Rule's Target might evaluate to "true" even if the surrounding Policy's Target evaluated to "false", so the Rule Target is not a subset of the Policy's Target. You might think of the Policy's Target as a pre-condition for evaluating the Rule's Target, which is a pre-condition for evaluating the Rule's Condition.

> 2. What is a condition, and how does it work in comparing the policy with the request? My understanding of a Condition is that it is a set of functions that compare the attributes in the request with the attributes in the policy and return an effect.

Assuming the Targets evaluated to "true", the Condition is evaluated. During evaluation of the Condition, each reference to an Attribute or AttributeSelector that is encountered is evaluated against the contents of the Request. If no matching reference is found, then the result is an empty bag. If the reference's "MustBePresent" attribute is true and no matching reference is found, or if the function to which the reference's values are passed does not accept an empty bag, then the result of the Rule will be "Indeterminate". This is different from the semantics of a Target, where failure to find a required match always results in "NotApplicable" rather than "Indeterminate".

> 3. When I try to evaluate a request with a set of policies, how does the PDP determine the right policy for the request (on what basis)? My understanding is that it compares the attributes in the request and the policy; if so, it does not comply with the concept of finding the right policy and then comparing.

The PolicySets, Policys, and Rules form a tree of Boolean predicates that is being evaluated. Each node in the tree is evaluated as the tree is walked, subject to the Target semantics described above. So the "right policy" is one that is evaluated based on matching Targets.

> I am fairly new to XACML and your help is highly appreciated.
>
> Thank you in advance
>
> Aswin Kandula

Anne Anderson

--
Anne H. Anderson                     Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311          Tel: 781/442-0928
Burlington, MA 01803-0902 USA        Fax: 781/442-1692
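The evaluation order Anne describes (Policy Target as a pre-condition for the Rule Target, which is a pre-condition for the Condition, with the NotApplicable/Indeterminate distinction), modelled as an added toy PDP. This is example code written for this archive page, not part of the thread or of any XACML implementation; the Rule class, the (attr_id, MustBePresent) pairs, the first-applicable combining and the sample hospital policy are all constructed assumptions.

```python
from dataclasses import dataclass, field

EMPTY = ()   # an attribute absent from the Request is an empty bag

@dataclass
class Rule:
    target: dict                    # attr_id -> value a request bag must contain
    effect: str                     # "Permit" or "Deny"
    refs: list = field(default_factory=list)   # (attr_id, MustBePresent) pairs
    condition: object = lambda bags: True      # callable(bags) -> bool, may raise

def target_matches(target, request):
    # A <Match> that finds nothing makes the Target "false"; it is never an error.
    return all(v in request.get(k, EMPTY) for k, v in target.items())

def evaluate_rule(rule, request):
    if not target_matches(rule.target, request):
        return "NotApplicable"           # Rule Target is the Condition's pre-condition
    bags = {}
    for attr_id, must_be_present in rule.refs:
        bag = request.get(attr_id, EMPTY)
        if not bag and must_be_present:
            return "Indeterminate"       # MustBePresent="true" but no matching value
        bags[attr_id] = bag
    try:
        return rule.effect if rule.condition(bags) else "NotApplicable"
    except ValueError:
        return "Indeterminate"           # the function does not accept an empty bag

def evaluate_policy(policy_target, rules, request):
    # The Policy Target is a pre-condition: Rules are not examined when it is "false".
    if not target_matches(policy_target, request):
        return "NotApplicable"
    for rule in rules:                   # first-applicable rule combining (assumed)
        decision = evaluate_rule(rule, request)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"

def one_and_only_equals(bag, value):
    if len(bag) != 1:                    # like a *-one-and-only function: empty bag rejected
        raise ValueError("bag must hold exactly one value")
    return bag[0] == value

# Constructed sample: doctors may read records, but only in their own department.
POLICY_TARGET = {"resource-type": "record"}
RULES = [Rule(target={"role": "doctor"}, effect="Permit", refs=[("department", True)],
              condition=lambda b: one_and_only_equals(b["department"], "cardiology")),
         Rule(target={}, effect="Deny")]   # an empty Target always matches
```

A request for an "image" resource comes back NotApplicable even though the doctor Rule's own Target would match it, which is the point that the Rule Target is not a subset of the Policy Target.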