
xacml-users message


Subject: Re: [xacml-users] Policy for Conformance Test IIC008 issue?

On Sun, 2004-10-03 at 21:53, Argyn wrote:
> >
> > It's interesting that this is in the tests at all. The "convicted felon"  
> > case is one of the connonical examples for negative rules. We're very  
> > careful in XACML not to support negative policy easily, because it has  
> > many problems. I'll be curious to hear who created this test, and what  
> > the intended behavior is.
> >
> Seth
> I'd like to know what is "negative rule" in XACML and the problems  
> associated with it.

The notion of negative rules/policies is not specific to XACML. This is
a general term to describe a particular access model.

In the example you cited, there are two ways we could ask the access
question (as described in the Description element, not as expressed in
the Rule). We could say "Anyone who has the felon attribute may not have
access" or "Anyone who doesn't have the felon attribute may have
access." These are, essentially, the same condition.

What's the problem here? Well, in a generalized open system, I may get
attributes issued to me from many locations, and it's unlikely that the
PEP/PDP knows about all those sources. And, in this case, it's
(probably) rarely in my best interest to present an attribute stating
that I'm a convicted felon. So, if I write a policy that makes decisions
based on the lack of an attribute, as opposed to the presence of an
attribute, and I can't find an exhaustive list of all attributes a given
Subject may hold, I'm in trouble.

This, in essence, is what negative policy or negative rights are all
about. A negative policy is one that makes decisions based on something
that isn't there. In a closed system where attributes come from a known
set of sources, it's safer (though still risky) to construct these kinds
of policies. In the kinds of environments that XACML is designed to
handle, it's rarely a good idea to use negative rules. Does this help?
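The failure mode Seth describes, as an added example that is not part of the thread and not code from any XACML implementation: a toy deny-by-default PDP evaluates the two forms of the felon rule against a subject's attribute view. The attribute and issuer names ("status", "felon", "good-standing", "court-records", "hr", "self") and the scenarios are constructed for illustration. The negative rule permits on the absence of an attribute, so an attribute that never reaches the PDP (withheld by the subject, or issued by a source the PDP does not know about) turns a Deny into a Permit. The positive rule permits only on the presence of a verifiable attribute, so the same loss of information can only make it more restrictive.

```python
"""Positive vs. negative access rules under an incomplete attribute view.

Added example (not from the thread or any XACML engine). Attribute names,
issuer names and scenarios are constructed for illustration.
"""

from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Attribute:
    issuer: str   # authority that asserted the attribute
    name: str
    value: str


Attrs = FrozenSet[Attribute]
Rule = Callable[[Attrs], str]   # returns "Permit", "Deny" or "NotApplicable"

# Sources the PDP has a trust relationship with; everything else is unknown.
TRUSTED_ISSUERS = {"court-records", "hr"}


def present(attrs: Attrs, name: str, value: str, trusted_only: bool) -> bool:
    """True if an attribute name=value reached the PDP (optionally only from a trusted issuer)."""
    return any(a.name == name and a.value == value
               and (not trusted_only or a.issuer in TRUSTED_ISSUERS)
               for a in attrs)


def negative_rule(attrs: Attrs) -> str:
    """'Anyone who doesn't have the felon attribute may have access.'

    The decision keys on something that is absent, so the rule cannot
    distinguish 'not a felon' from 'the felon attribute never reached us'.
    """
    if present(attrs, "status", "felon", trusted_only=False):
        return "NotApplicable"
    return "Permit"


def positive_rule(attrs: Attrs) -> str:
    """'Anyone holding good-standing from a trusted issuer may have access.'

    The decision keys on something that is present and whose issuer the PDP
    can check; a self-asserted copy does not count.
    """
    if present(attrs, "status", "good-standing", trusted_only=True):
        return "Permit"
    return "NotApplicable"


def decide(rule: Rule, attrs: Attrs) -> str:
    """Deny-by-default combining: only an explicit Permit grants access."""
    return "Permit" if rule(attrs) == "Permit" else "Deny"


# Constructed attribute assertions.
FELON = Attribute("court-records", "status", "felon")
GOOD = Attribute("hr", "status", "good-standing")
SELF_GOOD = Attribute("self", "status", "good-standing")   # untrusted issuer

# Constructed views of one subject as seen by the PDP. The empty view stands
# for both 'felon who withheld the record' and 'attribute lost in transit':
# the PDP cannot tell these apart, which is the whole problem.
SCENARIOS: Dict[str, Attrs] = {
    "felon, record delivered": frozenset({FELON}),
    "felon, record withheld": frozenset(),
    "good standing, record delivered": frozenset({GOOD}),
    "good standing, self-asserted only": frozenset({SELF_GOOD}),
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Decision of (negative rule, positive rule) for every scenario."""
    return {name: (decide(negative_rule, view), decide(positive_rule, view))
            for name, view in SCENARIOS.items()}


def fails_open(rule: Rule, full_view: Attrs) -> bool:
    """True if dropping any single attribute from full_view turns Deny into Permit.

    A rule with this property grants access to whoever can keep an attribute
    away from the PDP; a rule keyed on presence can never have it.
    """
    if decide(rule, full_view) != "Deny":
        return False
    return any(decide(rule, full_view - {a}) == "Permit" for a in full_view)


if __name__ == "__main__":
    for scenario, (neg, pos) in compare().items():
        print(f"{scenario:36s} negative={neg:6s} positive={pos}")
    print("negative rule fails open:", fails_open(negative_rule, SCENARIOS["felon, record delivered"]))
    print("positive rule fails open:", fails_open(positive_rule, SCENARIOS["felon, record delivered"]))
```

The two rules agree whenever the PDP sees the complete picture; they diverge exactly when an attribute is missing, which is the normal case in an open system with attribute sources the PDP has never heard of.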

