
xacml-dev message


Subject: Re: [xacml-dev] Handling NotApplicable

On Mon, Oct 04, 2004 at 05:14:01PM -0400, Kuketayev, Argyn wrote:
> How do you handle NotApplicable?
> [...] 
> What to do with NotApplicable decision? I decided that it's bad thing
> have this, because in my case it indicates that policy wasn't found or
> something more serious. So, I log this as an error or alert. Unlike,
> "Deny" this should be dealt with.

This is a good question. In my opinion, there are three reasons why you
see a response of NotApplicable:

  1. The PDP you queried doesn't have a policy covering the request, but
     there are multiple PDPs that can be queried

  2. The PDP you queried doesn't have a policy covering the request,
     in your policies you're only explicit about a sub-set of possible
     actions, and all others are implicitly Deny cases

  3. The PDP you queried doesn't have a policy covering the request, but
     supposed to produce a real answer

The first case seems pretty straightforward. You try one source, and if it
says NotApplicable you try others, until you get an answer or you exhaust
your sources (then see 2 and 3). I'm calling this case out for full only,
since I doubt you care about this in your system.

The second case is probably the most common one. You've only written
rules to handle a set of specific actions, but you haven't bothered to cover
all the corner cases. Here, you're implicitly covering all NotApplicable
decisions by saying they should appear to the PEP the same as Deny. If this
is what you're doing, then I think it's fine to take the same action on a
Deny and on a NotApplicable, since to the PEP and the application-specific
logic it's the same case.

The third case is what makes this a little more tricky. If you have a policy
that's supposed to cover all cases, and you get back NotApplicable, then
you've probably found an error in the system (which is what you're getting
at above, I think). By "error in the system" I mean that there's some case
you didn't consider. In practice it may be ok to treat this as a Deny, just
to be safe, but you'll probably also want to track these cases, since you
need to go back and figure out why the action wasn't handled and then fix
the policies. It may be enough to log this event, and then act like you got
a Deny, or you may want a different error that says something unexpected
happened. I think this depends on what level of detail you want to expose
to the PEP/Application.

Basically, in most scenarios, I think it's reasonable to assume that Deny
and NotApplicable are basically the same to the application logic. The
difference is usually in the meta-data (eg, logging). For your case, it
sounds like you don't want to expose NotApplicable to the application,
and I think that's ok.
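A PEP-side handler that implements the three cases discussed in this thread, as an added example (not code from the original post or from any XACML implementation). The PDPs are constructed lookup tables standing in for real policy evaluation; the `policy_is_complete` flag and the event strings are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# XACML decision values as returned by a PDP.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

Request = Dict[str, str]
PDP = Callable[[Request], str]

@dataclass
class Enforcement:
    allowed: bool                                     # what the PEP actually does
    decision: str                                     # the decision the PEP settled on
    events: List[str] = field(default_factory=list)   # logging/alert meta-data, kept apart from the decision

def evaluate(request: Request, pdps: List[PDP]) -> str:
    """Case 1: query PDPs in order until one returns something other than NotApplicable."""
    decision = NOT_APPLICABLE
    for pdp in pdps:
        decision = pdp(request)
        if decision != NOT_APPLICABLE:
            break
    return decision

def enforce(request: Request, pdps: List[PDP], policy_is_complete: bool) -> Enforcement:
    """Map the final decision to an action. Only Permit allows; everything else fails closed.
    policy_is_complete=False is case 2: NotApplicable is the implicit Deny for unlisted actions.
    policy_is_complete=True is case 3: NotApplicable means a gap in the policy and is flagged."""
    decision = evaluate(request, pdps)
    events: List[str] = []
    if decision == PERMIT:
        return Enforcement(True, decision, events)
    if decision == NOT_APPLICABLE:
        if policy_is_complete:
            events.append(f"ALERT policy gap: no policy covered {request}")
        else:
            events.append(f"INFO implicit deny for {request}")
    elif decision == INDETERMINATE:
        events.append(f"ERROR indeterminate decision for {request}")
    return Enforcement(False, decision, events)

# Constructed sample PDPs (hypothetical): a table lookup standing in for real policy evaluation.
def make_pdp(rules: Dict[tuple, str]) -> PDP:
    return lambda req: rules.get((req["subject"], req["resource"], req["action"]), NOT_APPLICABLE)

PDP_A = make_pdp({("alice", "/reports", "read"): PERMIT})
PDP_B = make_pdp({("bob", "/reports", "read"): DENY})
```

With two PDPs, a request PDP_A does not cover falls through to PDP_B; a request neither covers is denied either way, and only the flag decides whether that is logged as routine or raised as a policy gap.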
