Re: [xacml-dev] Some queries regarding RBAC and XACML Profile for delegation.

["Muhammad Masoom Alam" <Muhammad.alam@uibk.ac.at>]

> If you do not have an access result that says "permit", then you do not
> need to generate an administrative request. Perhaps you mean that, even
> if you get a not applicable for the access request against one policy,
> you still need to try all other policies. Yes, that is true, but all the
> administrative policies will evaluate to not applicable to an access
> request.

I am keeping seperate the Normal Access Policies and Delegation Policies 
(Whether Administrative or User Issued). So if an Access Request comes.

 -- First it will be matched against a Normal Access policy or policies.
 -- Suppose if there is "permit", ofcourse i dont need to check the 
Delegation policies then (Agreed).
-- but if result is Deny (this is important) or notApplicable, then i will 
have to look at the Delegation policies. here i think i am not getting you 
when you only mention notApplicable and leave Deny. The thing is that it is 
possible that a role is completely denied accessing an operation from Normal 
Access policies, but delegation policies allows it. Thats why, i think so in 
case of both NotApplicable and Deny, PDP will query the Delegation policies.


regards
Muhammad.