xacml-comment message



Subject: Re: [xacml-comment] Policies vs. Rules


Hi Florian,

I agree with your issue, and I believe the TC also, in principle, agrees.

This was the primary motivation behind the development of the so-called "extended" combining algorithms that are in the current XACML 3.0 draft:
http://www.oasis-open.org/committees/download.php/31494/xacml-3.0-core-wd-09.zip

These "extended" algorithms have two significant characteristics:
  • They fill a functional gap in the original algorithms: the originals did not take into account the fact that if a Policy contained a set of Rules, all of which had the same Effect, then one could apply the same logic as in the original algorithms. That logic was for Rules only, and it incorporated this "half-boolean" property into the combining algorithm for Rules. The same logic applies, in principle, to a Policy that contains Rules that can only evaluate to one Effect.
  • This effectively makes the Policy and Rule processing indistinguishable, which allows one to assume the point you mentioned: that when using these extended algorithms, there is effectively no difference between a Policy with multiple Rules and multiple Policies with one Rule each.
Thanks,
Rich
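The difference Rich describes can be made concrete by running the two algorithm generations side by side. The following is an added illustration, not code from this thread, from the TC or from the XACML specification text. It assumes every Target matches, that a Rule's Condition either holds, fails or raises an error, and that the algorithm bodies follow the deny-overrides pseudocode of the XACML 2.0 and XACML 3.0 specifications (the WD-09 draft linked above may differ in detail). The names Rule, compare and the "v2"/"v3" labels are mine.

```python
"""Added illustration, not code from this thread or from the XACML spec.
Assumptions: every Target matches; a Rule's Condition holds, fails or errors;
the algorithm bodies follow the deny-overrides pseudocode of the XACML 2.0 and
3.0 specifications (the WD-09 draft linked above may differ in detail)."""
from dataclasses import dataclass
from typing import Dict, List

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
IND = "Indeterminate"  # XACML 2.0: says nothing about the Effect that was missed
IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"


@dataclass
class Rule:
    effect: str     # PERMIT or DENY: the only decision this Rule can ever return
    condition: str  # constructed outcome: "true", "false" or "error"

    def evaluate(self) -> str:
        if self.condition == "true":
            return self.effect
        if self.condition == "false":
            return NA
        return IND  # the Condition raised an error


def deny_overrides_rules_v2(rules: List[Rule]) -> str:
    """XACML 2.0 rule-combining deny-overrides: it can see each Rule's
    Effect, so an error in a Permit-only Rule cannot hide a Deny."""
    any_error = potential_deny = any_permit = False
    for r in rules:
        d = r.evaluate()
        if d == DENY:
            return DENY
        if d == PERMIT:
            any_permit = True
        elif d == IND:
            any_error = True
            potential_deny = potential_deny or r.effect == DENY
    if potential_deny:
        return IND
    if any_permit:
        return PERMIT
    return IND if any_error else NA


def deny_overrides_policies_v2(decisions: List[str]) -> str:
    """XACML 2.0 policy-combining deny-overrides: a Policy may yield either
    Effect, so a plain Indeterminate has to be treated as a possible Deny."""
    any_permit = False
    for d in decisions:
        if d in (DENY, IND):
            return DENY
        any_permit = any_permit or d == PERMIT
    return PERMIT if any_permit else NA


def evaluate_rule_v3(rule: Rule) -> str:
    """Extended evaluation: an erroring Rule reports the one Effect it could
    have produced, keeping the information the 2.0 rule algorithm relied on."""
    d = rule.evaluate()
    return (IND_D if rule.effect == DENY else IND_P) if d == IND else d


def deny_overrides_v3(decisions: List[str]) -> str:
    """One deny-overrides for Rules and Policies alike (XACML 3.0 style)."""
    err_d = err_p = err_dp = any_permit = False
    for d in decisions:
        if d == DENY:
            return DENY
        any_permit, err_d = any_permit or d == PERMIT, err_d or d == IND_D
        err_p, err_dp = err_p or d == IND_P, err_dp or d == IND_DP
    if err_dp or (err_d and (err_p or any_permit)):
        return IND_DP
    if err_d:
        return IND_D
    if any_permit:
        return PERMIT
    return IND_P if err_p else NA


def compare(rules: List[Rule]) -> Dict[str, str]:
    """Florian's two shapes, one Policy holding all Rules versus one Policy per
    Rule combined at PolicySet level, under each generation of algorithms."""
    return {
        "v2 one policy": deny_overrides_rules_v2(rules),
        "v2 many policies": deny_overrides_policies_v2(
            [deny_overrides_rules_v2([r]) for r in rules]),
        "v3 one policy": deny_overrides_v3([evaluate_rule_v3(r) for r in rules]),
        "v3 many policies": deny_overrides_v3(
            [deny_overrides_v3([evaluate_rule_v3(r)]) for r in rules]),
    }


if __name__ == "__main__":
    # Constructed case: a matching Permit Rule next to a Permit Rule whose Condition
    # errors.  2.0 says Permit as one Policy but Deny as two; 3.0 says Permit both ways.
    for shape, decision in compare([Rule(PERMIT, "true"), Rule(PERMIT, "error")]).items():
        print(f"{shape:17s} -> {decision}")
```

The asymmetry lives entirely in the 2.0 policy-combining step: a plain Indeterminate from a one-Rule Policy carries no hint that the Rule could only ever have said Permit, so deny-overrides has to assume the worst. Once the Indeterminate carries the possible Effect, a Policy of N Rules and N one-Rule Policies under a PolicySet combine to the same decision for every constructed input, which is the equivalence Florian argued for and Rich confirms for the extended algorithms.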


Florian Huonder wrote:
Hi all,

I have a question about Policies and Rules.

I really do not see the reason to distinguish between Policy and Rule. In my
opinion, everything that you can solve with a Policy that has multiple
Rules can also be solved with multiple Policies (where each only has one
single Rule).
The only difference that I see between Rules and Policies is that they map
to different target sets, meaning that a Rule maps to DENY or PERMIT and a
Policy to DENY, PERMIT and NOT_APPLICABLE (I left out INDETERMINATE). But I
really do not see a practical application for this difference.
Maybe you could give me a hint about what the intent is behind Policies and
Rules?

I heard that there is a requirement for Rules.

Could anybody tell me what the requirement for Rules is?

Regards,

Florian


  

