OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml-dev] Deny-override

I think it just gives the policy writer a little more control on the
evaluation sequence, which may impact the performance of the system.

Suppose, there's a rule R1, which is very slow to evaluate and "usually
permits", then there's a rule R2, which is "fast" and "usually denies".
In this situation it makes a sense to first try R2, then R1 for
performance reasons. That's how I understand this.


> -----Original Message-----
> From: Panayiotis Periorellis 
> [mailto:Panayiotis.Periorellis@newcastle.ac.uk] 
> Sent: Monday, May 23, 2005 12:00 PM
> To: xacml-dev@lists.oasis-open.org
> Subject: [xacml-dev] Deny-override
> I have been reading through the 2.0 specification and I came 
> across an issues which is unclear regarding the 
> deny-overrides and ordered-denyoverrides cobmining algorithms.
> The ordered-deny-overrides is speficied as :=20
> "The behavior of this algorithm is identical to that of the 
> Deny-overrides rule-combining algorithm with one exception. 
> The order in
> which the collection of rules is evaluated SHALL match the 
> order as listed in the policy."
> What is the difference from the standard deny-overrides and 
> what difference does the ordering make?
> Looking forward to your replies.
> panos
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]