Re: [xacml-comment] Query Regarding XACML Delegation Profile v1.0 (16 April, 2009)

[Amir Ali <12msccsaali@seecs.edu.pk>]

I think it should be cleared in this profile (as we are treated it a standard), that reduction MUST be or MAY be performed against policy set or policy. 

I am very thankful to you for your prompt reply.

Regards,

On Thu, Feb 12, 2015 at 5:08 AM, Steven Legg <steven.legg@viewds.com> wrote:

Hi Amir Ali,

On 12/02/2015 4:39 AM, Amir Ali wrote:

At line # 138-139, profile says that "Reduction is always performed in the context of a request R, which is being evaluated *against a policy set*." Let me know that "*Reduction*must be performed *against a policy set*" *or we can performed  reduction against a policy*". ?.

The policy set referred to in this statement is the policy set containing
the untrusted policy P, which is the policy to be reduced. The administrative
request A, generated from R and P, is evaluated against the other policies
in the policy set referred to above, i.e., the siblings of P.

Note the statement at the beginning of the Glossary:

    "For simplicity, this document uses the term policy to include the XACML
     definitions for both policy and policy set."

Thus the policy P may instead be a policy set, and the sibling policies that
authorize it may instead be policy sets.

Regards,
Steven

Best Regards,
--
AMIR ALI

--

AMIR ALI