OASIS Mailing List Archives

xacml-users message

Subject: inconsistency in XACML policies - avoiding rule conflicts

Hi guys,
I just followed your conversation on checking for inconsistency in XACML
policies. I'm working on a similar problem at the moment. As I couldn't find
any literature on this topic I'm quite unsure if my thoughts are correct.
Therefore it would be very helpful if anyone could tell me if my conclusions
are right.

I suppose that all rules for the same (Subject, Resource, Action) tuple are
within the same policy.

If one wants to avoid rule conflicts (explicit permit and deny rules which
can be in conflict directly or dependent on the ResourceContent) one has to
make sure that for this policy everybody is using either the open policy or
the closed policy (= just rules of one type, with the exception of the default
rule). In this situation there can't be any conflicts, as all rules have
the same effect.

The problem now is that if an administrator is only allowed to declare rules
with a fixed effect, then he is restricted in what he can permit (or deny).
My idea is now to allow the declaration of arbitrary rules. The PAP then has
to translate these rules into rules of the desired effect and combine them
with the existing rules. The combination is necessary because only in this
way can the semantics of the new rule and the old semantics be combined.
The combination can be done by modifying the condition of the new rule with
the wrong effect to not(Condition). Then, by adding this condition to the
conditions of the old ones with "and" or "or", one has achieved the
transformation of a rule with the opposite effect (e.g. a positive rule) into
the desired policy (e.g. open policy).

Do you know if such a transformation is possible for every use case?

Having such a situation, I'm wondering for which reason one would ever need
more than two rules in a policy: one default (e.g. permit) rule and one
negative rule. The condition for this negative rule is the union of all
existing rules for one (Subject, Resource, Action) tuple.

Are there already any approaches to avoid conflicts in the policy? Any
good advice on which articles deal with the conflict problem?

Thanks a lot for your suggestions

Greets from Munich
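The transformation the post proposes can be checked mechanically. The following is an added example, not code from the original message or from any XACML implementation: it models rules as (effect, condition) pairs over a request dictionary instead of XACML XML, assumes the policy is combined with a plain permit-overrides or deny-overrides algorithm plus a default rule (the post does not name an algorithm), and assumes every condition evaluates to True or False. The sample rules, attribute names (role, sensitivity, opt_out) and the function names are all constructed for the example. It rewrites a mixed-effect rule set into the single "closed" or "open" form the post describes (rules of the wrong effect survive only as not(condition) terms) and then verifies, over every request in a small attribute space, that the rewritten policy decides exactly like the original.

```python
# Added example (not part of the original post): a small Python model of the
# rule transformation described above. A rule is (effect, condition), where the
# condition is a predicate over a request dict standing in for an XACML
# Condition. Two simplifying assumptions: the combining algorithm is plain
# permit- or deny-overrides with a default rule, and every condition returns
# True or False (never Indeterminate).
from itertools import product
from typing import Callable, Dict, List, Tuple

Request = Dict[str, object]
Condition = Callable[[Request], bool]
Rule = Tuple[str, Condition]

PERMIT, DENY = "Permit", "Deny"


def combine_overrides(rules: List[Rule], overriding: str, default: str, req: Request) -> str:
    """Mixed-effect policy: the overriding effect wins if any such rule applies,
    then the other effect, otherwise the default rule's effect."""
    other = DENY if overriding == PERMIT else PERMIT
    applicable = {effect for effect, cond in rules if cond(req)}
    if overriding in applicable:
        return overriding
    if other in applicable:
        return other
    return default


def single_effect_policy(rules: List[Rule], overriding: str, default: str) -> Rule:
    """Rewrite a mixed-effect rule set as ONE rule whose effect differs from the
    default (closed policy = default Deny + one Permit rule, open policy =
    default Permit + one Deny rule). Rules with the wrong effect survive only
    as not(condition) terms AND-ed onto the kept rule, as the post proposes."""
    other = DENY if overriding == PERMIT else PERMIT
    winners = [cond for effect, cond in rules if effect == overriding]
    losers = [cond for effect, cond in rules if effect == other]
    if default == other:
        # Default is the non-overriding effect, so the kept rule carries the
        # overriding effect and its condition is simply OR(winning conditions).
        return (overriding, lambda req: any(c(req) for c in winners))
    # Default equals the overriding effect, so the kept rule carries the other
    # effect: OR(losing conditions) AND NOT(any winning condition).
    return (other, lambda req: any(c(req) for c in losers)
            and not any(c(req) for c in winners))


def evaluate_single(rule: Rule, default: str, req: Request) -> str:
    """Evaluate a one-rule policy: the rule's effect if it applies, else default."""
    effect, cond = rule
    return effect if cond(req) else default


# Constructed sample rules for one (Subject, Resource, Action) tuple.
SAMPLE_RULES: List[Rule] = [
    (PERMIT, lambda r: r["role"] == "doctor"),
    (PERMIT, lambda r: r["role"] == "nurse" and r["sensitivity"] == "low"),
    (DENY, lambda r: r["opt_out"] is True),
]


def all_requests() -> List[Request]:
    """Every request in the small constructed attribute space (12 requests)."""
    return [{"role": role, "sensitivity": sens, "opt_out": opt}
            for role, sens, opt in product(("doctor", "nurse", "clerk"),
                                          ("low", "high"), (False, True))]


def transformation_is_equivalent(rules: List[Rule]) -> bool:
    """Check that the single-rule policy decides every request exactly like the
    original mixed-effect policy, for all four overrides/default combinations."""
    for overriding, default in product((PERMIT, DENY), (PERMIT, DENY)):
        single = single_effect_policy(rules, overriding, default)
        for req in all_requests():
            original = combine_overrides(rules, overriding, default, req)
            if original != evaluate_single(single, default, req):
                return False
    return True


if __name__ == "__main__":
    print("equivalent on all requests:", transformation_is_equivalent(SAMPLE_RULES))
```

The equivalence holds for all four overrides/default combinations only because every condition is total. In real XACML a condition that fails to evaluate (for example, a missing attribute) yields Indeterminate, and folding many conditions into one with "and", "or" and "not" lets that error spread through the merged condition, whereas a combining algorithm handles the failing rule on its own. Anyone applying the transformation should therefore check how the chosen combining algorithm treats Indeterminate before relying on the two-rule form.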
