OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-users] Policy for Conformance Test IIC008 issue?

On Oct 1, 2004, at 8:59 PM, Argyn wrote:
> Here's the rule from the policy:
> <Rule  
> RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIC008:rule"  
> Effect="Permit">
>   <Description>Any subject who is not a member of the convicted-felons  
> group may perform any action on any resource.</Description>
> <Condition  
> FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>   <AttributeValue  
> DataType="http://www.w3.org/2001/XMLSchema#string";>convicted-felon</ 
> AttributeValue>
>   <SubjectAttributeDesignator  
> AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:group"  
> DataType="http://www.w3.org/2001/XMLSchema#string"; />
>   </Condition>
>   </Rule>
> according to a description this should deny grants to convicted  
> felons, but looking at the rule it seems like it's doing excatly the  
> oppoiste. This rule matches group with "felon" string, then effect is  
> "Permit". Am I right or is it just Friday night? :)

You're right, the description is incorrrect. It was also Friday  
night...go home! :)

It's interesting that this is in the tests at all. The "convicted  
felon" case is one of the connonical examples for negative rules. We're  
very careful in XACML not to support negative policy easily, because it  
has many problems. I'll be curious to hear who created this test, and  
what the intended behavior is.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]