OASIS Mailing List Archives
xacml-users message


Subject: RE: [xacml-users] Policy for Conformance Test IIC008 issue?

> -----Original Message-----
> From: Seth Proctor [mailto:Seth.Proctor@Sun.COM] 
> Sent: Monday, October 04, 2004 9:38 AM
> To: Argyn
> Cc: xacml-users@lists.oasis-open.org
> Subject: Re: [xacml-users] Policy for Conformance Test IIC008 issue?
> This, in essence, is what negative policy or negative rights 
> are all about. A negative policy is one that makes decisions 
> based on something that isn't there. In a closed system where 
> attributes come from a known set of sources, it's safer 
> (though still risky) to construct these kinds of policies. In 
> the kinds of environments that XACML is designed to handle, 
> it's rarely a good idea to use negative rules. Does this help?

Thanks for the explanation. It sounds reasonable to me. 

I wasn't sure what a negative policy is. I thought it had something to do
with policy "algebra". I mean things like Rule1 "can access everything
in dir a" and Rule2 "can't access anything in dir a/b". So, if I do
Rule1 + Rule2, can I access dir a/b? 

So, maybe the term "negative policy" is a little bit confusing, because
it makes you think about the "effect", not the type of condition. The
type of condition based on the absence of an attribute should have a better
name, e.g. "existential" condition :)
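As an added illustration, not part of this thread and not a real XACML PDP: a toy Python evaluator with a deny-overrides combiner. It runs Argyn's Rule1 + Rule2 case and then contrasts a positive rule with one of Seth's "negative" rules when the request carries no subject attributes at all, which is what you see when the attribute source is unavailable rather than when the subject is genuinely clean. The rule names, attribute names and resource paths are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed toy evaluator for the thread's discussion; it borrows only two
# XACML ideas (rule effects and the deny-overrides combining algorithm).
Request = Dict[str, str]

@dataclass
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    applies: Callable[[Request], bool]   # stands in for the rule's Target/Condition

def evaluate_rule(rule: Rule, request: Request) -> str:
    return rule.effect if rule.applies(request) else "NotApplicable"

def deny_overrides(rules: List[Rule], request: Request) -> str:
    decisions = [evaluate_rule(r, request) for r in rules]
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"

# Argyn's "policy algebra" case: Rule1 permits dir a, Rule2 denies dir a/b.
rule1 = Rule("Rule1", "Permit", lambda r: r.get("resource", "").startswith("a/"))
rule2 = Rule("Rule2", "Deny", lambda r: r.get("resource", "").startswith("a/b/"))

def access_in_a_b() -> str:
    """Rule1 + Rule2 under deny-overrides: anything under a/b is denied."""
    return deny_overrides([rule1, rule2], {"resource": "a/b/report.txt"})

# A positive rule decides on an attribute that IS there ...
positive = Rule("ActiveOnly", "Permit", lambda r: r.get("status") == "active")
# ... while Seth's "negative" rule decides on something that is NOT there.
negative = Rule("NotSuspended", "Permit", lambda r: "suspended" not in r)

def compare_when_attribute_source_fails() -> Tuple[str, str]:
    """Constructed request in which no subject attributes arrived at all
    (e.g. the attribute source was unreachable), so nothing distinguishes
    'not suspended' from 'unknown'."""
    request: Request = {"resource": "a/report.txt"}   # no subject attributes
    return (deny_overrides([positive], request),      # fails closed
            deny_overrides([negative], request))      # fails open
```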

