xacml-users message
Subject: Re: [xacml-users] Policy for Conformance Test IIC008 issue?


I probably created it.  And it was probably a Friday night a long
time ago :-) The intended behavior is probably what the
description says, and the test does not implement it correctly.

Anne

On 3 October, Seth Proctor writes: Re: [xacml-users] Policy for Conformance Test IIC008 issue?
 > From: Seth Proctor <Seth.Proctor@Sun.COM>
 > To: Argyn <argyn@cox.net>
 > Cc: xacml-users@lists.oasis-open.org
 > Subject: Re: [xacml-users] Policy for Conformance Test IIC008 issue?
 > Date: Sun, 03 Oct 2004 20:41:32 -0400
 > 
 > 
 > On Oct 1, 2004, at 8:59 PM, Argyn wrote:
 > > Here's the rule from the policy:
 > >
 > > <Rule RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIC008:rule"
 > >       Effect="Permit">
 > >   <Description>Any subject who is not a member of the convicted-felons
 > >   group may perform any action on any resource.</Description>
 > >   <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
 > >     <AttributeValue
 > >         DataType="http://www.w3.org/2001/XMLSchema#string">convicted-felon</AttributeValue>
 > >     <SubjectAttributeDesignator
 > >         AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:group"
 > >         DataType="http://www.w3.org/2001/XMLSchema#string" />
 > >   </Condition>
 > > </Rule>
 > >
 > > according to a description this should deny grants to convicted
 > > felons, but looking at the rule it seems like it's doing exactly the
 > > opposite. This rule matches group with "felon" string, then effect is
 > > "Permit". Am I right or is it just Friday night? :)
 > 
 > You're right, the description is incorrect. It was also Friday
 > night...go home! :)
 > 
 > It's interesting that this is in the tests at all. The "convicted
 > felon" case is one of the canonical examples for negative rules. We're
 > very careful in XACML not to support negative policy easily, because it
 > has many problems. I'll be curious to hear who created this test, and
 > what the intended behavior is.
 > 
 > 
 > seth
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
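The following is an added illustration, not part of the thread above nor of the OASIS conformance suite: a small evaluator for just the slice of XACML 1.0 that the quoted IIC008 rule uses (a Rule with a Condition, the string-is-in function, a SubjectAttributeDesignator, and the logical not function), run against the rule as quoted and against a constructed variant whose behaviour matches the Description. It also shows the point Seth raises about negative rules: the "everyone except members of group X" formulation permits any subject whose group attribute is simply missing from the request. Targets, combining algorithms, obligations and the XACML schema namespaces are deliberately left out; the subject attributes are passed in as a plain dictionary of bags.

```python
"""Minimal evaluator for the XACML 1.0 subset used by conformance test IIC008.

Added example for illustration; not the conformance suite's or any PDP's code.
Supported: Rule/Condition/Apply, AttributeValue, SubjectAttributeDesignator,
and the functions string-is-in and not. Everything else raises ValueError.
"""
import xml.etree.ElementTree as ET

XACML_FN = "urn:oasis:names:tc:xacml:1.0:function:"
GROUP_ATTR = "urn:oasis:names:tc:xacml:1.0:conformance-test:group"

# The IIC008 rule as quoted in the thread (whitespace normalised).
IIC008_RULE = """
<Rule RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIC008:rule" Effect="Permit">
  <Description>Any subject who is not a member of the convicted-felons group
  may perform any action on any resource.</Description>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">convicted-felon</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:group"
                                DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Condition>
</Rule>
"""

# Constructed variant that does what the Description says: the membership test
# is wrapped in the XACML 1.0 "not" function, so Permit applies to non-members.
NEGATED_RULE = """
<Rule RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIC008:rule" Effect="Permit">
  <Description>Any subject who is not a member of the convicted-felons group
  may perform any action on any resource.</Description>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">convicted-felon</AttributeValue>
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:group"
                                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Apply>
  </Condition>
</Rule>
"""


def evaluate_expr(node, subject_attrs):
    """Evaluate one XACML expression element against the subject's attribute bags."""
    if node.tag == "AttributeValue":
        return node.text
    if node.tag == "SubjectAttributeDesignator":
        # A designator yields the bag of all values of that attribute in the
        # request; an attribute that is absent yields an empty bag.
        return list(subject_attrs.get(node.get("AttributeId"), []))
    if node.tag in ("Condition", "Apply"):
        fn = node.get("FunctionId")
        args = [evaluate_expr(child, subject_attrs) for child in node]
        if fn == XACML_FN + "string-is-in":
            value, bag = args          # string-is-in(string, bag-of-string) -> boolean
            return value in bag
        if fn == XACML_FN + "not":
            return not args[0]         # not(boolean) -> boolean
        raise ValueError(f"unsupported function {fn}")
    raise ValueError(f"unsupported element {node.tag}")


def evaluate_rule(rule_xml, subject_attrs):
    """Return the rule's Effect when its Condition holds, else 'NotApplicable'.

    The quoted rule has no Target, so it is taken to match every request.
    """
    rule = ET.fromstring(rule_xml)
    cond = rule.find("Condition")
    if cond is None or evaluate_expr(cond, subject_attrs):
        return rule.get("Effect")
    return "NotApplicable"


if __name__ == "__main__":
    # Constructed requests: a felon, a non-felon, and a subject with no group attribute.
    requests = {
        "felon": {GROUP_ATTR: ["convicted-felon"]},
        "staff": {GROUP_ATTR: ["staff"]},
        "no-group": {},
    }
    for name, rule in (("as quoted", IIC008_RULE), ("negated", NEGATED_RULE)):
        for who, attrs in requests.items():
            print(f"{name:10s} {who:9s} -> {evaluate_rule(rule, attrs)}")
```

Running it shows the mismatch Argyn spotted: the rule as quoted returns Permit for the convicted felon and NotApplicable for everyone else, the reverse of its Description. The negated variant matches the Description, but its third row is the hazard behind Seth's remark on negative policy: a subject whose request carries no group attribute at all is also permitted, because string-is-in over an empty bag is false and not makes it true. A rule that denies on positive membership, or a Target that requires the attribute to be present, does not fail open in that way.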


