Subject: Re: [xacml-users] Policy for Conformance Test IIC008 issue?
Argyn,

I looked up the actual description of what is being tested here (in the html file describing all tests). The description in the policy itself is incorrect. But the test is testing for correct handling of an empty bag passed to a function. There is no "convicted-felon" attribute in the corresponding Request, so the bag will be empty, and the result is NotApplicable.

Anne

On 1 October, Argyn writes: [xacml-users] Policy for Conformance Test IIC008 issue?
> From: Argyn <argyn@cox.net>
> To: xacml-users@lists.oasis-open.org
> Subject: [xacml-users] Policy for Conformance Test IIC008 issue?
> Date: Fri, 01 Oct 2004 20:59:16 -0400
>
> Here's the rule from the policy:
>
> <Rule RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIC008:rule"
> Effect="Permit">
> <Description>Any subject who is not a member of the convicted-felons
> group may perform any action on any resource.</Description>
> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
> <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">convicted-felon</AttributeValue>
> <SubjectAttributeDesignator
> AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:group"
> DataType="http://www.w3.org/2001/XMLSchema#string" />
> </Condition>
> </Rule>
>
> according to a description this should deny grants to convicted felons,
> but looking at the rule it seems like it's doing exactly the opposite.
> This rule matches group with "felon" string, then effect is "Permit". Am I
> right or is it just Friday night? :)
>
> thanks
> Argyn

--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311   Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
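
The evaluation discussed in this thread, as an added example that is not part of the original messages or of the conformance suite: a minimal Python sketch that evaluates the quoted rule against subject attributes and shows the empty-bag case returning NotApplicable. The function name `evaluate_rule`, the dict-based request representation and the sample subjects are assumptions made for illustration; only `string-is-in` is implemented, and `MustBePresent` is the standard XACML designator attribute (default false).

```python
import xml.etree.ElementTree as ET

# The rule as quoted in the thread (conformance test IIC008).
RULE_XML = """<Rule RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIC008:rule"
      Effect="Permit">
  <Description>Any subject who is not a member of the convicted-felons
  group may perform any action on any resource.</Description>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue
        DataType="http://www.w3.org/2001/XMLSchema#string">convicted-felon</AttributeValue>
    <SubjectAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:group"
        DataType="http://www.w3.org/2001/XMLSchema#string" />
  </Condition>
</Rule>"""

GROUP = "urn:oasis:names:tc:xacml:1.0:conformance-test:group"
STRING_IS_IN = "urn:oasis:names:tc:xacml:1.0:function:string-is-in"


def evaluate_rule(rule_xml, subject_attrs):
    """Evaluate the rule against subject attributes given as
    {AttributeId: [values]} (a constructed stand-in for a Request)."""
    rule = ET.fromstring(rule_xml)
    cond = rule.find("Condition")
    if cond.get("FunctionId") != STRING_IS_IN:
        raise ValueError("this sketch only implements string-is-in")
    needle = cond.find("AttributeValue").text
    designator = cond.find("SubjectAttributeDesignator")
    # A designator resolves to a bag; an absent attribute yields an empty bag.
    bag = list(subject_attrs.get(designator.get("AttributeId"), []))
    if not bag and designator.get("MustBePresent", "false") == "true":
        # Only when the policy demands the attribute is absence an error.
        return "Indeterminate"
    # string-is-in over an empty bag is simply False, so the rule does not apply.
    return rule.get("Effect") if needle in bag else "NotApplicable"


if __name__ == "__main__":
    # Constructed subjects, not the suite's actual Request file.
    print(evaluate_rule(RULE_XML, {}))                            # no group attribute
    print(evaluate_rule(RULE_XML, {GROUP: ["convicted-felon"]}))  # value is in the bag
```
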