OASIS Mailing List Archives

xacml-dev message


Subject: Re: [xacml-dev] Clarification on Policy References


It depends on how your PDP resolves policy references. The XACML standard does not specify how one should implement policy references.

In the example you gave, the PDP should only "see" the root policy. Referenced policies are only meant to be accessed via a reference. With that behavior in mind, then, foo-policy only gets accessed via root-policy-set and is evaluated only once.

To be sure, I'd ask the people who implemented the PDP engine you're using.

Quoting the XACML spec (line 1971 of http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf):

However, the mechanism for resolving a policy reference to the corresponding policy is outside the scope of this specification.

Note that in your example, policy references are just one issue. If the PDP does indeed see all policies regardless of whether they are being used as references or not, then how does the PDP combine them? In your case, how does the PDP combine root-policy-set with foo-policy with bar-policy? This means you want to make sure your PDP only ever handles a single policy - the root policy - as an entry point.


On Thu, Jan 31, 2013 at 12:01 PM, Asela Pathberiya <aselapathberiya@gmail.com> wrote:
Hi devs,

I need some clarification on the run-time behavior of a PDP with "PolicyIdReference" and "PolicySetIdReference". Sorry if this is an already discussed, common question, but I would really appreciate your ideas.

Say in a PDP you have three policies.  

root-policy-set --->  foo-policy , bar-policy 
"root-policy-set" has "PolicyIdReference" to "foo-policy" and "bar-policy". When an XACML request hits the PDP and is applicable to both the "root-policy-set" and "foo-policy" policies, does the PDP want to evaluate both policies? If so, would "foo-policy" be evaluated two times? What, therefore, would be the recommended way for the PDP to handle this?

Thanks in Advance.

David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
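
An added example, not part of the original messages or of any PDP's code: a pre-deployment check that a policy store exposes exactly one entry point, the condition the reply above recommends, and that every reference resolves. The policy documents are constructed and trimmed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"  # XACML 3.0 core namespace
REF_TAGS = (NS + "PolicyIdReference", NS + "PolicySetIdReference")

# Constructed store mirroring the thread: root-policy-set references foo-policy
# and bar-policy. Documents are trimmed (no Target, Version or rules) for brevity
# and are treated as trusted, administrator-supplied input.
XMLNS = 'xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"'
STORE = [
    f'<PolicySet {XMLNS} PolicySetId="root-policy-set">'
    '<PolicyIdReference>foo-policy</PolicyIdReference>'
    '<PolicyIdReference>bar-policy</PolicyIdReference></PolicySet>',
    f'<Policy {XMLNS} PolicyId="foo-policy"/>',
    f'<Policy {XMLNS} PolicyId="bar-policy"/>',
]

def load(docs):
    """Map each stored policy id to the set of policy ids it references."""
    refs = {}
    for doc in docs:
        root = ET.fromstring(doc)
        pid = root.get("PolicySetId") or root.get("PolicyId")
        refs[pid] = {(e.text or "").strip() for e in root.iter() if e.tag in REF_TAGS}
    return refs

def entry_points(refs):
    """Policies that nothing references: the only ones a PDP should evaluate directly."""
    return sorted(set(refs) - set().union(*refs.values()))

def dangling(refs):
    """References that resolve to no policy in the store."""
    return sorted(set().union(*refs.values()) - set(refs))

def check(docs):
    """Summarise the store: its roots, unresolved references, and whether the root is unique."""
    refs = load(docs)
    roots = entry_points(refs)
    return {"roots": roots, "dangling": dangling(refs),
            "single_entry_point": len(roots) == 1}

if __name__ == "__main__":
    print(check(STORE))
    # An extra unreferenced policy gives the PDP two roots and no defined way to combine them.
    print(check(STORE + [f'<Policy {XMLNS} PolicyId="stray-policy"/>']))
```

A reference cycle leaves the store with no unreferenced policy at all, so it also fails the `single_entry_point` check.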
