OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-dev] access-permitted questions

Hi Glenn,

MaxDelegationDepth is not related to access-permitted. The specification for access-permitted is in section A.3.16 only. MaxDelegationDepth has to do with the delegation profile only.

The bound which is mentioned in A.3.16 is meant to be an implementation specified parameter to make sure that the PDP does not go into an infinite loop.

Best regards,

On 2013-12-09 17:28, GRIFFIN, GLENN (GLENN) wrote:



We are trying to understand the access-permitted function and have a few questions.


Does anyone have concrete examples (Policy, Request, Response files) using this function?


Has anyone implemented this function?


The paragraph on detecting loops is confusing with respect to the MaxDelegationDepth attribute on the Policy.  Historically it seems they both came from the Delegation Profile, but in the current Core spec there is no connection between them.  Is there supposed to be?  Is MaxDelegationDepth the limit for the number of loops?  The function definition just says “exceeds the bounds” without identifying what the bounds are or where they come from.  Is this identified anywhere?



Glenn Griffin


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]