OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml-dev] XACML Target matching question

I suggested that to remove ambiguity you define the policies under a policy set (with a policy combining algorithm). Your question as I understood it was what happens if the root nodes are policies and they are not under a policy set. I wrote from the road without delving into the spec documents off the top of my head. Also from the top of my head, there isn’t a facility to define policy combining algorithms on root policies that are not sub nodes of a policy set. It is up to product implementers to allow multiple policies without a policy set as parent or not. Some implementers could force a policy set as root. I think David is saying that because of how the spec is written, it should be implied that the root node should be a policy set. I don’t see it spelled out but definitely agree that the root of the policy should be a policy set (for the benefit of having combining algorithms)


Doron Grinstein  CEO  BiTKOO  818-985-4700 Ext. 31 www.bitkoo.com




From: Security Developer [mailto:security.developer22@gmail.com]
Sent: Monday, July 18, 2011 10:49 AM
To: David Brossard
Cc: xacml-dev@lists.oasis-open.org
Subject: Re: [xacml-dev] XACML Target matching question


Let me explain what i understand from all the discussion.

Doron suggested that if there are multiple root policies with the same target then the default policy combining algorithm would be only one applicable.

David suggested that there is no default policy combining algorithm and it could be any policy combining algorithm defined in XACML standard.

My question is, where is this policy combining algorithm is defined. AFAIK i cannot define this policy combining algorithm in XACML because
there are two separate root policies having same target and under one PDP.

Thanks for your time.

Best Regards.

On Mon, Jul 18, 2011 at 4:33 PM, David Brossard <david.brossard@axiomatics.com> wrote:

Hi all,

Short answer:

  • Is it possible that two policies have the same target in one PDP?
    • Yes of course, it's quite possible and it makes business sense in many scenarios (see below for examples).
  • If yes then which policy is selected by the PDP?
    • It depends on the policy combining algorithm (see the spec for a definition - 2.3 Combining algorithms). Both could potentially be evaluated. See the more detailed explanation below.

In detail:

In a more formal way, if one takes the time to read through the spec (accessible here: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf), you will find interesting items.

First of all there are 3 top-level policy elements: <Rule>, <Policy> and <PolicySet>. (quoting the spec directly). The basis for an authorization decision is a policy which contains the combining algorithm for the rules. The policy set is simply a means of combining several policies into a single combined policy.

Reading further down in the XACML spec, in the Functional Requirements chapter which dictates how evaluation should proceed, section 7.15 "Authorization Decision" explains exactly how a decision should be reached whether there are multiple policies that can be matched or not:

In relation to a particular decision request, the PDP is defined by a policy-combining algorithm and a set of policies and/or policy sets. The PDP SHALL return a response context as if it had evaluated a single policy set consisting of this policy-combining algorithm and the set of policies and/or policy sets.
The PDP MUST evaluate the policy set as specified in Sections 5 and 7. The PDP MUST return a response context, with one <Decision> element of value "Permit", "Deny", "Indeterminate" or "NotApplicable".
If the PDP cannot make a decision, then an "Indeterminate" <Decision> element SHALL be returned.

The paragraph above highlights one very important point: the PDP must always have a policy-combining algorithm at the very top. Any XACML 3.0 implementation should respect that. It then considers all the top policies (policy sets) as if they were within a policy set with the combining algorithm defined at the very top.

Finally, after reading through the spec, I could not see any mention of a default combining algorithm as Doron suggested it.

It is a requirement that the PDP consider all root policies as if they were children of a single policy set as described in section 7.15 but the choice of combining algorithm is down to the implementation.

Helmut is quite right in highlighting the following: "If the two policies are top level policies and there is no combining algorithm, you should get an error from your PDP". Section 7.15 stipulates that there must be a combining algorithm.

Note that choosing a PDP that forces you to use only-one-applicable has considerable limitations. Section C.9 describes its behavior: if two policies combined with only-one-applicable match an incoming request, the PDP is forced to return Indeterminate. However, this would make enterprise scenarios fail where for instance 2 policies have the same target simply because one addresses enterprise-wide requirements such as "out-of-office hours" whereas the other policy could address direct business requirements e.g. "access to sensitive information".

Being able to segregate policies on different planes (enterprise-wide policies about hours of work, geo-location, SoD, PCI-DSS on one hand and business-specific policies on the other) is one of the strengths of 100% XACML solutions and fine-grained access control. The ability to choose the combining algorithm gives you that flexibility and strength.

I hope this helps clarify the situation.


David Brossard, M.Eng, SCEA, CSTP
Solutions Architect
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden

2011/7/17 Doron Grinstein

Multiple policies can have the same target in the same PDP.  How their decision results are combined is determined by their parent policy-set’s policy combining algorithm. 


If there is no parent policy set (because you have configured the PDP to take multiple root policies), then the PDP will behave as though the multiple root policies were the children of a policy set with a policy combining algorithm of “only one applicable”.  (I don’t recall offhand if this is a requirement of the XACML spec or just a recommendation, you’d need to check the spec doc)


In the situation you described, if the PDP were forced to work with multiple root policies, every request would return “Indeterminate” because more than one policy is applicable and that is not acceptable under the implicit “only one applicable” policy combining algorithm.


A PDP instance must have a single root policy(set) to evaluate requests against.  If you give the PDP multiple root policies, it will behave as though it created an in-memory policy set to contain the given policies. I hope this brief explanation helps answer your question.







From: Security Developer [mailto:security.developer22@gmail.com]

Sent: Saturday, July 16, 2011 2:43 AM
To: xacml-dev@lists.oasis-open.org
Subject: [xacml-dev] XACML Target matching question


Hi All,

I have a question regarding XACML target matching.

1 - Is it possible that two policies have the same target in one PDP? suppose







Is the above case possible? if yes then which policy is selected by the PDP?

Thanks for your time.

Best Regards.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]