RE: [xacml-dev] Deny-override

[Seth Proctor <Seth.Proctor@sun.com>]

On Mon, 2005-05-23 at 12:04, Kuketayev, Argyn (Contractor) wrote:
> I think it just gives the policy writer a little more control on the
> evaluation sequence, which may impact the performance of the system.

That's the right idea. The ordered algorithm requires that the elements
be evaluated in order, while the non-ordered version makes no such
requirement. In practice, most systems I know of still evaluate in
order, but if you wanted to change the order for performance reasons (or
for any other reason), you can with the non-ordered version.

Note that it's not the policy writer that has control over re-ordering,
but the implementor of the algorithm in the PDP. Because of this, in
order to take advantage of re-ordering you need to re-implement the
algorithm based on your specific environment. This isn't generally easy,
which is why (in my opinion) you don't see this being done all that
much.

Now, with XACML 2.0, combining algorithms can have parameters, which
could be used by _policy writers_ to help make ordering decisions. Of
course, in order to use this, you need an algorithm that uses
parameters. The standard algorithms don't, so you'd need to come up with
a new algorithm anyway. Bottom line, I reccommend to most people that
they always use the ordered algorithms, unless there's a clear case
where ordering could never matter or where they actually need to
re-implement the combining algorithms.


seth