Subject: Re: [xacml-users] Policy for Conformance Test IIC008 issue?
On Oct 1, 2004, at 8:59 PM, Argyn wrote:

> Here's the rule from the policy:
>
> <Rule
>   RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIC008:rule"
>   Effect="Permit">
>   <Description>Any subject who is not a member of the convicted-felons
>   group may perform any action on any resource.</Description>
>   <Condition
>     FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>     <AttributeValue
>       DataType="http://www.w3.org/2001/XMLSchema#string">convicted-felon</AttributeValue>
>     <SubjectAttributeDesignator
>       AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:group"
>       DataType="http://www.w3.org/2001/XMLSchema#string" />
>   </Condition>
> </Rule>
>
> according to a description this should deny grants to convicted
> felons, but looking at the rule it seems like it's doing exactly the
> opposite. This rule matches group with "felon" string, then effect is
> "Permit". Am I right or is it just Friday night? :)

You're right, the description is incorrect. It was also Friday night...go home! :)

It's interesting that this is in the tests at all. The "convicted felon" case is one of the canonical examples for negative rules. We're very careful in XACML not to support negative policy easily, because it has many problems. I'll be curious to hear who created this test, and what the intended behavior is.

seth
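The mismatch Argyn points out, as an added example that is not part of this thread and not the code of any XACML implementation: a toy evaluator of the quoted rule's condition, using the string-is-in function and group attribute identifiers from the rule, with the sample subjects constructed here. It assumes the rule's target applies and that a subject lacking the attribute yields an empty bag (MustBePresent false), so only the Condition decides the outcome.

```python
"""Toy evaluator for the IIC008 rule quoted above (added example, not
from the xacml-users thread or any XACML PDP).

A subject is a dict of AttributeId -> bag (list) of string values; a
rule is an Effect plus a condition over the subject.  Policy and Target
handling are omitted: the rule is assumed to be applicable.
"""
from typing import Callable, Dict, List

# Identifiers taken from the quoted rule.
GROUP_ATTR = "urn:oasis:names:tc:xacml:1.0:conformance-test:group"
STRING_IS_IN = "urn:oasis:names:tc:xacml:1.0:function:string-is-in"

Subject = Dict[str, List[str]]


def string_is_in(value: str, bag: List[str]) -> bool:
    """XACML 1.0 string-is-in: true iff value occurs in the bag."""
    return value in bag


def designator(subject: Subject, attribute_id: str) -> List[str]:
    """SubjectAttributeDesignator: bag of values, empty if the attribute is absent."""
    return subject.get(attribute_id, [])


def evaluate_rule(effect: str, condition: Callable[[Subject], bool], subject: Subject) -> str:
    """Rule semantics: Condition true -> Effect; Condition false -> NotApplicable."""
    return effect if condition(subject) else "NotApplicable"


def iic008_as_written(subject: Subject) -> str:
    """The rule exactly as quoted: Permit when the group bag contains 'convicted-felon'."""
    return evaluate_rule(
        "Permit", lambda s: string_is_in("convicted-felon", designator(s, GROUP_ATTR)), subject)


def iic008_as_described(subject: Subject) -> str:
    """What the Description says: Permit anyone NOT in the group (in XACML 1.0 this
    would mean wrapping the condition in urn:oasis:names:tc:xacml:1.0:function:not)."""
    return evaluate_rule(
        "Permit", lambda s: not string_is_in("convicted-felon", designator(s, GROUP_ATTR)), subject)


# Constructed sample subjects.  NO_GROUP shows the classic negative-rule
# pitfall: a subject with no group attribute at all is permitted too.
FELON: Subject = {GROUP_ATTR: ["convicted-felon", "staff"]}
CLERK: Subject = {GROUP_ATTR: ["staff"]}
NO_GROUP: Subject = {}

if __name__ == "__main__":
    for name, s in (("felon", FELON), ("clerk", CLERK), ("no-group", NO_GROUP)):
        print(f"{name:8} as written: {iic008_as_written(s):13} as described: {iic008_as_described(s)}")
```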