OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml-comment] Policies vs. Rules

Hi Rich


Thanks a lot for your answer.


I think I did not caught on so far.


As I understood your  answer, in XACML 2.0 there is a difference between on Policy with multiple Rules and multiple Policies with one Rule each. But I did not understand it (maybe it’s my English J).

I understood that in XACML 3.0 (when using the extended and recommended new combining algorithms) there is no difference between a Policy with multiple Rules and multiple Policies with on Rule each.

If that is true, what exactly would be the reason not to drop Rules?


I am looking forward to hearing from you.





From: Rich.Levinson [mailto:rich.levinson@oracle.com]
Sent: Montag, 16. März 2009 15:50
To: Florian Huonder
Cc: xacml-comment@lists.oasis-open.org
Subject: Re: [xacml-comment] Policies vs. Rules


Hi Florian,

I agree with your issue, and I believe the TC also, in principle, agrees.

This was the primary motivation behind the development of the so-called "extended" combining algorithms that are in the current XACML 3.0 draft:

These "extended" algorithms have two significant characteristics:

  • They fill a functional gap in the original algorithms, which was that the originals did not take into account the fact that if a Policy contained a set of Rules, all of which had the same Effect, then one could apply the same logic as in the original algorithms which was for Rules only, which was to incorporate this "half-boolean" property to the combining algorithm for Rules. The same logic applies, in principle, to a Policy that contains Rules that can only evaluate to one Effect.
  • This effectively makes the Policy and Rule processing indistinguishable, which allows one to assume the point you mentioned that when using these extended algorithms, there is effectively no difference between a Policy w multiple Rules and multiple Policies w one Rule each


Florian Huonder wrote:

Hi all,
I have a question about Policies and Rules.
I really do not see the reason to distinguish between Policy and Rule. In my
opinion, everything that you can solve with a Policy that has multiple
rules, can also be solved with multiple Policies (where each only has one
single Rule).
The only difference that I see between Rules and Policies are that they map
to different target sets. Meaning that a Rule maps to DENY or PERMIT and a
really do not see a practical application for this difference.
Maybe you could give me a hint about what the intent is behind Policies and
I heard that there is a requirement for Rules.
Could anybody tell me what the requirement for Rules is?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]