From: Florian Huonder
Sent: Tuesday, March 17, 2009
Subject: RE: [xacml-comment] Policies vs. Rules
Thanks a lot for
I think I did not catch on so far.
As I understood your answer, in XACML 2.0 there is a difference between one Policy with multiple Rules and multiple Policies with one Rule each. But I did not understand it (maybe it's my English :-)).
I understood that in XACML 3.0 (when using the extended and recommended new combining algorithms) there is no difference between a Policy with multiple Rules and multiple Policies with one Rule each.
If that is true, what exactly would be the reason not to drop Rules?
I am looking forward to hearing from you.
Sent: Monday, 16 March 2009 15:50
To: Florian Huonder
Subject: Re: [xacml-comment] Policies vs. Rules
I agree with your issue, and I believe the TC also, in principle, agrees. This was the primary motivation behind the development of the so-called "extended" combining algorithms that are in the current XACML 3.0
These "extended" algorithms have two significant characteristics:
- They fill a functional gap in the original algorithms, which was that the originals did not take into account the fact that if a Policy contained a set of Rules, all of which had the same Effect, then one could apply the same logic as in the original algorithms which was for Rules only, which was to incorporate this "half-boolean" property to the combining algorithm for Rules. The same logic applies, in principle, to a Policy that contains Rules that can only evaluate to one Effect.
- This effectively makes the Policy and Rule processing indistinguishable, which allows one to assume the point you mentioned that when using these extended algorithms, there is effectively no difference between a Policy w multiple Rules and multiple Policies w one Rule each.
Florian Huonder wrote:
I have a question about Policies and Rules.
I really do not see the reason to distinguish between Policy and Rule. In my opinion, everything that you can solve with a Policy that has multiple rules, can also be solved with multiple Policies (where each only has one
The only difference that I see between Rules and Policies is that they map to different target sets. Meaning that a Rule maps to DENY or PERMIT and a Policy to DENY, PERMIT and NOT_APPLICABLE (I left out INDETERMINATE). But I really do not see a practical application for this difference.
Maybe you could give me a hint about what the intent is behind Policies and
I heard that there is a requirement for Rules. Could anybody tell me what the requirement for Rules is?
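The point made in the reply above (that the original 2.0 algorithms lose the "half-boolean" property of a Rule once it is wrapped in a Policy, and that the extended 3.0 algorithms restore it) can be checked mechanically. The following Python model is an added example, not code from the thread or from the XACML TC. It paraphrases the deny-overrides pseudocode of XACML 2.0 (separate rule- and policy-combining variants) and of the 3.0 extended form (one algorithm carrying Indeterminate{D}, Indeterminate{P} and Indeterminate{DP}) from memory, so the exact branch order is this example's assumption. Rules are modelled as a constructed (effect, outcome) pair rather than real XACML XML.

```python
"""Added example: one Policy with n Rules versus n single-Rule Policies
under 2.0-style and 3.0-style deny-overrides (branch order is an assumption)."""
from itertools import product

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
IND = "Indeterminate"                                   # 2.0: one unqualified value
IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"

# Constructed rule model: (declared Effect, evaluation outcome).
RULE_OUTCOMES = [(e, o) for e in (PERMIT, DENY) for o in ("match", "nomatch", "error")]


def eval_rule_20(rule):
    effect, outcome = rule
    return {"match": effect, "nomatch": NA, "error": IND}[outcome]


def rules_deny_overrides_20(rules):
    """2.0 rule-combining: the combiner can see each Rule's Effect, so an
    erroring Permit-Rule cannot turn into a Deny ("half-boolean")."""
    potential_deny = permit = error = False
    for rule in rules:
        d = eval_rule_20(rule)
        if d == DENY:
            return DENY
        if d == PERMIT:
            permit = True
        elif d == IND:
            error = True
            potential_deny |= rule[0] == DENY
    if potential_deny:
        return DENY
    if permit:
        return PERMIT
    return IND if error else NA


def policies_deny_overrides_20(decisions):
    """2.0 policy-combining: a Policy's possible Effects are unknown, so any
    Indeterminate Policy is treated as a possible Deny."""
    permit = False
    for d in decisions:
        if d in (DENY, IND):
            return DENY
        permit |= d == PERMIT
    return PERMIT if permit else NA


def eval_rule_30(rule):
    effect, outcome = rule
    if outcome == "error":                     # error is tagged with the Effect
        return IND_D if effect == DENY else IND_P
    return effect if outcome == "match" else NA


def deny_overrides_30(decisions):
    """3.0 extended deny-overrides, applied identically to Rules and Policies."""
    err_d = err_p = err_dp = permit = False
    for d in decisions:
        if d == DENY:
            return DENY
        permit |= d == PERMIT
        err_d |= d == IND_D
        err_p |= d == IND_P
        err_dp |= d == IND_DP
    if err_dp or (err_d and (err_p or permit)):
        return IND_DP
    if err_d:
        return IND_D
    if permit:
        return PERMIT
    return IND_P if err_p else NA


def one_policy_vs_many_20(rules):
    """(decision of one Policy holding all rules, decision of one Policy per rule)."""
    one = rules_deny_overrides_20(rules)
    many = policies_deny_overrides_20([rules_deny_overrides_20([r]) for r in rules])
    return one, many


def one_policy_vs_many_30(rules):
    one = deny_overrides_30([eval_rule_30(r) for r in rules])
    many = deny_overrides_30([deny_overrides_30([eval_rule_30(r)]) for r in rules])
    return one, many


def find_divergences(compare, n=2):
    """All rule sets of size n where the two structurings decide differently."""
    return [rs for rs in product(RULE_OUTCOMES, repeat=n) if compare(rs)[0] != compare(rs)[1]]


if __name__ == "__main__":
    sample = ((PERMIT, "error"), (PERMIT, "match"))   # an erroring Permit-Rule next to a Permit
    print("2.0:", one_policy_vs_many_20(sample))       # ('Permit', 'Deny')
    print("3.0:", one_policy_vs_many_30(sample))       # ('Permit', 'Permit')
    print("2.0 divergent pairs:", len(find_divergences(one_policy_vs_many_20)))
    print("3.0 divergent pairs:", len(find_divergences(one_policy_vs_many_30)))  # 0
```

The exhaustive search is what makes the reply's claim concrete: under the 2.0 pair of algorithms the two structurings diverge for some rule sets (an erroring Permit-only Policy becomes a Deny at the policy level), while under the 3.0 extended algorithm a single-Rule Policy evaluates to exactly the Rule's own tagged result, so no rule set of any size distinguishes the two structurings.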