

Subject: RE: [xacml-users] inconsistency in XACMl policies - avoiding rule conflicts


I don't think there could be a "formal" solution to this problem. I mean
that it's impossible to write a program which would say that your
policies are inconsistent, if they are. The reason is that if you grant
access in some place, then deny it in the other, how would such a
validator know that it was not intended?

Maybe heuristics would help. You could have written certain heuristic
rules, which would flag "possible" inconsistencies. These rules would not
unambiguously identify inconsistencies, but rather signal that something
could be wrong. Modern code analyzers do this. For example in Java this
code is perfectly valid syntactically:

void setMe(String me){
    me = me;   // assigns the parameter to itself: compiles, but has no effect
}

However, any modern code editor should flag this as a "silly" statement.
Maybe it would be possible to do the same for XACML. So, until other
smart people are thinking about this issue, I wrote a bunch of tests to
check that my policies are correct. I execute them every time I change
policies.

I don't think that artificial constraints like "only two rules in
policies should exist" would be useful.

Thanks,
Argyn

> -----Original Message-----
> From: Jan bei GMX [mailto:herrmann_jan@gmx.de] 
> Sent: Tuesday, October 12, 2004 5:21 PM
> To: xacml-users@lists.oasis-open.org
> Subject: [xacml-users] inconsistency in XACMl policies - 
> avoiding rule conflicts
> 
> 
> Hi guys,
> I just followed your conversation on checking for 
> inconsistency in XACML policies. I'm working on a similar 
> problem at the moment. As I couldn't find any literature on 
> this topic I'm quite unsure if my thoughts are correct. 
> Therefore it would be very helpful if anyone could tell me if 
> my conclusions are right.
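The kind of heuristic checker Argyn sketches above, as an added example that is not part of this thread or of any XACML implementation: it parses a constructed XACML 2.0 fragment (namespaces and DataTypes omitted) and flags pairs of Rules whose Targets could match the same request but carry different Effects. The policy, rule ids and attribute ids are constructed for the example.

```python
import xml.etree.ElementTree as ET
from itertools import combinations
# Constructed XACML 2.0 fragment (namespaces and DataTypes omitted):
# r1 lets admins read, r2 denies every read, r3 denies guests reading.
POLICY = """<Policy PolicyId="demo">
<Rule RuleId="r1" Effect="Permit"><Target>
 <Subjects><Subject><SubjectMatch MatchId="string-equal"><AttributeValue>admin</AttributeValue>
  <SubjectAttributeDesignator AttributeId="role"/></SubjectMatch></Subject></Subjects>
 <Actions><Action><ActionMatch MatchId="string-equal"><AttributeValue>read</AttributeValue>
  <ActionAttributeDesignator AttributeId="action-id"/></ActionMatch></Action></Actions>
</Target></Rule>
<Rule RuleId="r2" Effect="Deny"><Target>
 <Actions><Action><ActionMatch MatchId="string-equal"><AttributeValue>read</AttributeValue>
  <ActionAttributeDesignator AttributeId="action-id"/></ActionMatch></Action></Actions>
</Target></Rule>
<Rule RuleId="r3" Effect="Deny"><Target>
 <Subjects><Subject><SubjectMatch MatchId="string-equal"><AttributeValue>guest</AttributeValue>
  <SubjectAttributeDesignator AttributeId="role"/></SubjectMatch></Subject></Subjects>
 <Actions><Action><ActionMatch MatchId="string-equal"><AttributeValue>read</AttributeValue>
  <ActionAttributeDesignator AttributeId="action-id"/></ActionMatch></Action></Actions>
</Target></Rule>
</Policy>"""

def rule_targets(policy_xml):
    """RuleId -> (Effect, {attribute-id: matched values}). An attribute
    absent from a Rule's Target is unconstrained (matches any value)."""
    rules = {}
    for rule in ET.fromstring(policy_xml).iter("Rule"):
        attrs = {}
        for m in (e for e in rule.iter() if e.tag.endswith("Match")):
            attr_id = m.find("./*[@AttributeId]").get("AttributeId")
            attrs.setdefault(attr_id, set()).add(m.find("AttributeValue").text)
        rules[rule.get("RuleId")] = (rule.get("Effect"), attrs)
    return rules

def may_overlap(a, b):
    """One request can satisfy both targets unless some attribute
    constrained by both has disjoint value sets (single-valued attrs)."""
    return all(a[k] & b[k] for k in a.keys() & b.keys())

def possible_conflicts(policy_xml):
    """Rule pairs with overlapping targets but different Effects. Candidates
    only: the rule-combining algorithm may resolve them intentionally."""
    rules = rule_targets(policy_xml)
    return sorted((x, y) for (x, (ex, tx)), (y, (ey, ty))
                  in combinations(rules.items(), 2)
                  if ex != ey and may_overlap(tx, ty))

if __name__ == "__main__":
    print(possible_conflicts(POLICY))  # [('r1', 'r2')]
```

The heuristic ignores the combining algorithm and treats multiple values of one attribute as alternatives, so a flagged pair is a prompt to look, not a proven inconsistency.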

