[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-users] Policy for Conformance Test IIC008 issue?
On Sun, 2004-10-03 at 21:53, Argyn wrote:

> > It's interesting that this is in the tests at all. The "convicted felon"
> > case is one of the canonical examples for negative rules. We're very
> > careful in XACML not to support negative policy easily, because it has
> > many problems. I'll be curious to hear who created this test, and what
> > the intended behavior is.
> >
> > Seth
>
> I'd like to know what is "negative rule" in XACML and the problems
> associated with it.

The notion of negative rules/policies is not specific to XACML. This is a general term to describe a particular access model. In the example you cited, there are two ways we could ask the access question (as described in the Description element, not as expressed in the Rule). We could say "Anyone who has the felon attribute may not have access" or "Anyone who doesn't have the felon attribute may have access." These are, essentially, the same condition.

What's the problem here? Well, in a generalized open system, I may get attributes issued to me from many locations, and it's unlikely that the PEP/PDP knows about all those sources. And, in this case, it's (probably) rarely in my best interest to present an attribute stating that I'm a convicted felon. So, if I write a policy that makes decisions based on the lack of an attribute, as opposed to the presence of an attribute, and I can't find an exhaustive list of all attributes a given Subject may hold, I'm in trouble.

This, in essence, is what negative policy or negative rights are all about. A negative policy is one that makes decisions based on something that isn't there. In a closed system where attributes come from a known set of sources, it's safer (though still risky) to construct these kinds of policies. In the kinds of environments that XACML is designed to handle, it's rarely a good idea to use negative rules.

Does this help?

seth
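A toy illustration of the point made in the reply above, added here and not part of the thread or of any XACML implementation: a negative rule ("permit if the felon attribute is absent") grants access to a subject who simply withholds the attribute, while a positive rule keyed on a presented attribute does not. The attribute ids, the single-attribute rule model and the simplified deny-overrides combiner are all constructed for this example.

```python
"""Toy XACML-style evaluator: negative rules (decide on an absent attribute)
versus positive rules (decide on a presented attribute). Constructed example,
not an XACML implementation; a request is just the set of attribute ids the
subject presents, and the combiner is a simplified deny-overrides."""
from dataclasses import dataclass

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass(frozen=True)
class Rule:
    effect: str              # Permit or Deny when the rule fires
    attribute: str           # attribute id the rule tests for
    fire_when_present: bool  # True: fires if presented; False: fires if absent
    must_be_present: bool = False  # mimics AttributeDesignator MustBePresent

    def evaluate(self, presented):
        present = self.attribute in presented
        if not present and self.must_be_present:
            return INDET  # XACML: missing MustBePresent attribute -> Indeterminate
        return self.effect if present == self.fire_when_present else NA

def combine_deny_overrides(policy, presented):
    results = [rule.evaluate(presented) for rule in policy]
    for outcome in (DENY, INDET, PERMIT):
        if outcome in results:
            return outcome
    return NA

def access_granted(policy, presented):
    # deny-biased PEP: anything other than an explicit Permit is refused
    return combine_deny_overrides(policy, presented) == PERMIT

# "Anyone who doesn't have the felon attribute may have access" (negative)
NEGATIVE = [Rule(PERMIT, "felon", fire_when_present=False)]
# Same rule, but refuse to decide when the attribute cannot be found at all
STRICT_NEGATIVE = [Rule(PERMIT, "felon", fire_when_present=False, must_be_present=True)]
# Positive alternative: permit only on an attribute the subject must present
# (constructed id; in practice issued by a source the PDP trusts)
POSITIVE = [Rule(PERMIT, "background-check-cleared", fire_when_present=True)]

HONEST_FELON = {"felon"}       # presents the attribute that counts against them
WITHHOLDING_FELON = set()      # simply does not present it
CLEARED_SUBJECT = {"background-check-cleared"}

if __name__ == "__main__":
    for name, policy in (("negative", NEGATIVE), ("strict", STRICT_NEGATIVE), ("positive", POSITIVE)):
        for who, attrs in (("honest felon", HONEST_FELON), ("withholding felon", WITHHOLDING_FELON), ("cleared", CLEARED_SUBJECT)):
            print(f"{name:9} {who:18} -> {combine_deny_overrides(policy, attrs)}")
```

The strict variant does not make the negative rule safe; it only turns a silent Permit into an Indeterminate that the PEP can refuse, which is why the positive form is the one to prefer in an open system.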