[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml-dev] Deny-override
I think it just gives the policy writer a little more control on the evaluation sequence, which may impact the performance of the system. Suppose, there's a rule R1, which is very slow to evaluate and "usually permits", then there's a rule R2, which is "fast" and "usually denies". In this situation it makes a sense to first try R2, then R1 for performance reasons. That's how I understand this. Thanks argyn > -----Original Message----- > From: Panayiotis Periorellis > [mailto:Panayiotis.Periorellis@newcastle.ac.uk] > Sent: Monday, May 23, 2005 12:00 PM > To: xacml-dev@lists.oasis-open.org > Subject: [xacml-dev] Deny-override > > > I have been reading through the 2.0 specification and I came > across an issues which is unclear regarding the > deny-overrides and ordered-denyoverrides cobmining algorithms. > > The ordered-deny-overrides is speficied as :=20 > > "The behavior of this algorithm is identical to that of the > Deny-overrides rule-combining algorithm with one exception. > The order in > which the collection of rules is evaluated SHALL match the > order as listed in the policy." > > What is the difference from the standard deny-overrides and > what difference does the ordering make? > > Looking forward to your replies. > > panos > > --------------------------------------------------------------------- > To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org > For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]