Re: [xacml-comment] Public Comment

[Anne Anderson <Anne.Anderson@Sun.COM>]

Hi Aswin,

comment-form@oasis-open.org wrote:
> Comment from: aswink@thedistillery.com.au
> 
> Hello there,
> 
> 
> 
> I have a few questions on XACML specifically on (Rule target, Condition) and how PDP finds the right policy to evaluate with the request. 
> 
> 1. What is the significance of rule target in the policy and how is it different from the policy target - My understanding of rule target is that it is a subset of policy target

The Policy is evaluated only if the Policy Target evaluates to "true",
so the Rules in the Policy will never be evaluated unless the Policy's
Target is "true".  Likewise, a Rule is evaluated only if its Target
evaluates to "true", so the Condition in a Rule will be evaluated only
if the Rule's Target is "true".

Evaluated independently, a Rule's Target might evaluate to "true" even
if the surrounding Policy's Target evaluated to "false", so the Rule
Target is not a subset of the Policy's Target.  You might think of the
Policy's Target as a pre-condition for evaluating the Rule's Target,
which is a pre-condition for evaluating the Rule's Condition.

> 2. What is condition and how does it work in comparing policy with request - My understanding of Condition is that it is a set of functions that compare the attributes in request with attributes in policy and return an effect

Assuming the Targets evaluated to "true", the Condition is evaluated.
During evaluation of the Condition, each reference to an Attribute or
AttributeSelector that is encountered is evaluated against the contents
of the Request.  If no matching reference is found, then the result is
an empty bag.  If the reference's "MustBePresent" attribute is true, and
no matching reference is found, or if the function to which the
reference's values are passed does not accept an empty bag, then the
result of the Rule will be "Indeterminate".

This is different from the semantics of a Target, where failure to find
a required match always results in "NotApplicable" rather than
"Indeterminate".

> 3. When I try to evaluate a request with a set of policies how does PDP determine the right policy for the request (on what basis) - My understanding is it compares attributes in request and policy if so it does not comply with the concept of finding the right policy and then comparing.

The PolicySets, Policys, and Rules form a tree of Boolean predicates
that is being evaluated.  Each node in the tree is evaluated as the tree
is walked, subject to the Target semantics described above.  So the
"right policy" is one that is evaluated based on matching Targets.
> 
> 
> I am fairly new to XACML and your help is highly appreciated.
> 
> 
> 
> Thank you in advance
> 
> 
> 
> Aswin Kandula

Anne Anderson
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692