Subject: RE: [xacml-dev] XACML Target matching question
Multiple policies can have the same target in the same PDP. How their decision results are combined is determined by their parent policy-set’s policy combining algorithm.
If there is no parent policy set (because you have configured the PDP to take multiple root policies), then the PDP will behave as though the multiple root policies were the children of a policy set with a policy combining algorithm of “only one applicable”. (I don’t recall offhand if this is a requirement of the XACML spec or just a recommendation; you’d need to check the spec doc.)
In the situation you described, if the PDP were forced to work with multiple root policies, every request would return “Indeterminate” because more than one policy is applicable and that is not acceptable under the implicit “only one applicable” policy combining algorithm.
A PDP instance must have a single root policy(set) to evaluate requests against. If you give the PDP multiple root policies, it will behave as though it created an in-memory policy set to contain the given policies. I hope this brief explanation helps answer your question.
Doron Grinstein │ CEO │ BiTKOO │ 818-985-4700 Ext. 31 │ www.bitkoo.com
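To make the combining behaviour described in the reply above concrete, the following is an added Python model; it is not part of this thread and not the code of any XACML PDP product. It builds two root policies whose Targets are identical, then evaluates a request against them under the only-one-applicable policy-combining algorithm (more than one applicable policy yields Indeterminate) and, for contrast, under a deny-overrides algorithm, to show that the parent policy set's combining algorithm is what decides the outcome. Policy ids, attribute names and request values are constructed sample data, and the deny-overrides logic is a simplification that collapses the XACML 3.0 Indeterminate{D}/{P}/{DP} variants into a single Indeterminate value.

```python
"""Toy model of XACML policy combining for multiple root policies.

Added example, not from the mailing-list thread or any XACML product.
Decision vocabulary follows XACML: Permit, Deny, NotApplicable, Indeterminate.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]

PERMIT = "Permit"
DENY = "Deny"
NOT_APPLICABLE = "NotApplicable"
INDETERMINATE = "Indeterminate"

MATCH = "Match"
NO_MATCH = "NoMatch"


@dataclass
class Policy:
    """A root policy reduced to a Target (attribute -> required value) and an Effect."""
    policy_id: str
    target: Dict[str, str]
    effect: str

    def match_target(self, request: Request) -> str:
        """Target evaluation: Match, NoMatch, or Indeterminate when an attribute is absent."""
        for attr, expected in self.target.items():
            if attr not in request:
                return INDETERMINATE  # attribute unavailable: target cannot be evaluated
            if request[attr] != expected:
                return NO_MATCH
        return MATCH

    def evaluate(self, request: Request) -> str:
        """Policy evaluation: the Effect if the Target matches, else NotApplicable/Indeterminate."""
        result = self.match_target(request)
        if result == MATCH:
            return self.effect
        if result == NO_MATCH:
            return NOT_APPLICABLE
        return INDETERMINATE


def only_one_applicable(policies: List[Policy], request: Request) -> str:
    """XACML 'only-one-applicable' policy-combining algorithm.

    No applicable policy -> NotApplicable; exactly one -> that policy's decision;
    more than one applicable, or any Target that cannot be evaluated -> Indeterminate.
    """
    applicable: List[Policy] = []
    for policy in policies:
        result = policy.match_target(request)
        if result == INDETERMINATE:
            return INDETERMINATE
        if result == MATCH:
            applicable.append(policy)
    if not applicable:
        return NOT_APPLICABLE
    if len(applicable) > 1:
        return INDETERMINATE  # the case the reply describes: two policies, same Target
    return applicable[0].evaluate(request)


def deny_overrides(policies: List[Policy], request: Request) -> str:
    """Simplified 'deny-overrides': Deny wins, then Indeterminate, then Permit, else NotApplicable."""
    decisions = [policy.evaluate(request) for policy in policies]
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


class PDP:
    """A PDP given several root policies wraps them in an implicit policy set.

    The combining algorithm of that implicit set defaults to only-one-applicable,
    matching the behaviour described in the reply.
    """

    def __init__(self, root_policies: List[Policy],
                 combining: Callable[[List[Policy], Request], str] = only_one_applicable):
        self.root_policies = list(root_policies)
        self.combining = combining

    def decide(self, request: Request) -> str:
        return self.combining(self.root_policies, request)


# Constructed sample: two root policies with identical Targets but opposite Effects.
ROOT_POLICIES = [
    Policy("hr-read-payroll", {"resource": "/payroll", "action": "read"}, PERMIT),
    Policy("block-payroll", {"resource": "/payroll", "action": "read"}, DENY),
]

if __name__ == "__main__":
    req = {"resource": "/payroll", "action": "read"}
    print("only-one-applicable:", PDP(ROOT_POLICIES).decide(req))
    print("deny-overrides:     ", PDP(ROOT_POLICIES, deny_overrides).decide(req))
```

Running the model with the two overlapping root policies returns Indeterminate under the implicit only-one-applicable set and Deny once an explicit parent policy set with deny-overrides is used, which is why a single root policy set with a deliberately chosen combining algorithm is the predictable configuration.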
From: Security Developer [mailto:email@example.com]