xacml-users message



Subject: RE: [xacml-users] inconsistency in XACMl policies - avoiding ruleconflicts




> -----Original Message-----
> From: Seth Proctor [mailto:Seth.Proctor@Sun.COM] 
> Sent: Tuesday, October 12, 2004 7:11 PM
> To: Kuketayev, Argyn
> Cc: xacml-users@lists.oasis-open.org
> Subject: RE: [xacml-users] inconsistency in XACMl policies - 
> avoiding ruleconflicts
> 
> For instance, consider this policy:
> 
>   <Target>
>     <Subjects><AnySubject/></Subjects>
>     <Resources><AnyResource/></Resources>
>     <Actions><AnyAction/></Actions>
>   </Target>
> 
>   <Rule RuleId="AlwaysPermit" Effect="Permit"/>
> 
>   <Rule RuleId="AlwaysDeny" Effect="Deny"/>
> 
> Using the ordered permit overrides combining algorithm, the 
> second Rule will never be evaluated. This is still a valid 
> XACML policy, but it has some problems that can be detected.

This is doable, I agree. It's like "statement is not reachable" in my
Java code editor :)
Modern-day code editors have certain code analysis capabilities.

I'm thinking about an XACML editor tool or plug-in. These sorts of
"anomalies" can be detected by such a tool.

Thanks,
Argyn
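
The check discussed in this thread, as an added example that is not part of either message: a small analyzer that reports rules which can never be evaluated. It goes beyond the quoted case by also covering ordered-deny-overrides and first-applicable. The `<Policy>` wrapper, the `PolicyId` value and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Effects that end evaluation, keyed by the last segment of RuleCombiningAlgId.
SHORT_CIRCUIT = {
    "ordered-permit-overrides": {"Permit"},
    "ordered-deny-overrides": {"Deny"},
    "first-applicable": {"Permit", "Deny"},
}
ANY = {"Subjects": "AnySubject", "Resources": "AnyResource", "Actions": "AnyAction"}

# Constructed sample: the policy from the quoted message inside an assumed wrapper.
SAMPLE = """<Policy PolicyId="example" RuleCombiningAlgId=
 "urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="AlwaysPermit" Effect="Permit"/>
  <Rule RuleId="AlwaysDeny" Effect="Deny"/>
</Policy>"""

def local(tag):
    """Strip an XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def is_unconditional(rule):
    """True if the rule has no Condition and its Target (if any) matches everything."""
    for child in rule:
        if local(child.tag) == "Condition":
            return False
        if local(child.tag) == "Target":
            for part in child:
                if [local(e.tag) for e in part] != [ANY.get(local(part.tag))]:
                    return False
    return True

def unreachable_rules(policy_xml):
    """Return the RuleIds that can never be evaluated, in document order."""
    policy = ET.fromstring(policy_xml)
    alg = policy.get("RuleCombiningAlgId", "").rsplit(":", 1)[-1]
    stops = SHORT_CIRCUIT.get(alg, set())
    dead, blocked = [], False
    for rule in (e for e in policy if local(e.tag) == "Rule"):
        if blocked:
            dead.append(rule.get("RuleId"))
        elif rule.get("Effect") in stops and is_unconditional(rule):
            blocked = True  # every later rule is shadowed by this one
    return dead

if __name__ == "__main__":
    print(unreachable_rules(SAMPLE))
```

Only rules with no Condition and an empty or match-all Target are treated as always applicable; deciding whether a conditional rule shadows another requires reasoning about the conditions themselves.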

