OASIS Mailing List Archives

xacml-users message


Subject: RE: [xacml-users] inconsistency in XACML policies - avoiding rule conflicts


Even the case of "this policy always gives the same answer" is not necessarily a mistake. For example, one of the reasons for policy combining is that administrators with different scopes of authority may be creating policies independently. They are not antagonists, but it may be inconvenient for them to closely coordinate their efforts. For example, one may create policies that apply to the organization as a whole, while another may create policies that apply to a single group of servers. It is easy to think of cases where the rules overlap and in certain situations a constant output might be produced regardless of the inputs. So at best a tool could flag such cases as a possible error, just as Seth suggested.

One of the reasons for standardizing XACML was to encourage the development of various kinds of tools for policy analysis and authoring. One useful tool of this type would be a "what if" tool, which would show what decision would be given under some set of conditions. It seems such a tool could usefully identify "constant output" cases. However, I would expect such cases to represent only a small subset of the more general case: "policy doesn't do what was intended". It is not clear to me that a tool that only detected this subset would have great benefit in practice, however interesting it might be to develop.

Hal

> -----Original Message-----
> From: Kuketayev, Argyn [mailto:argyn_kuketayev@fanniemae.com]
> Sent: Wednesday, October 13, 2004 9:23 AM
> To: xacml-users@lists.oasis-open.org
> Subject: RE: [xacml-users] inconsistency in XACML policies - avoiding
> rule conflicts
> 
> 
> 
> 
> > -----Original Message-----
> > From: Seth Proctor [mailto:Seth.Proctor@Sun.COM] 
> > Sent: Tuesday, October 12, 2004 7:11 PM
> > To: Kuketayev, Argyn
> > Cc: xacml-users@lists.oasis-open.org
> > Subject: RE: [xacml-users] inconsistency in XACML policies - 
> > avoiding rule conflicts
> > 
> > For instance, consider this policy:
> > 
> >   <Target>
> >     <Subjects><AnySubject/></Subjects>
> >     <Resources><AnyResource/></Resources>
> >     <Actions><AnyAction/></Actions>
> >   </Target>
> > 
> >   <Rule RuleId="AlwaysPermit" Effect="Permit"/>
> > 
> >   <Rule RuleId="AlwaysDeny" Effect="Deny"/>
> > 
> > Using the ordered permit overrides combining algorithm, the 
> > second Rule will never be evaluated. This is still a valid 
> > XACML policy, but it has some problems that can be detected.
> 
> This is doable, I agree. It's like "statement is not reachable" in my
> Java code editor :)
> Modern day code editors have certain code analysis capabilities. 
> 
> I'm thinking about an XACML editor tool or plug-in. This sort of
> "anomaly" can be detected by such a tool.
> 
> Thanks,
> Argyn
> 

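A small "what if" analyzer of the kind Hal and Argyn describe, added here as an illustration; it is not part of the thread and not the code of any XACML implementation. It evaluates every request in a finite attribute domain against a rule set under permit-overrides, deny-overrides or first-applicable and reports the two possible anomalies discussed above: constant output, and rules whose removal changes no decision at all (Seth's AlwaysDeny). The target model (each of subject, resource and action is either a wildcard or a set of literal values), the second policy, the attribute domain and all identifiers in it are constructed assumptions, not XACML syntax; rule Conditions and the Indeterminate decision are not modelled.

```python
"""Toy "what if" analyzer for XACML-style rule sets (added example, not a PDP).

A request is a (subject, resource, action) tuple.  A rule target maps each of
those names either to None (AnySubject / AnyResource / AnyAction) or to a set
of literal values that match.  This is a deliberate simplification of XACML's
SubjectMatch / ResourceMatch / ActionMatch syntax (assumption, not the spec).
"""
from itertools import product

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
ATTRS = ("subject", "resource", "action")


def rule_applies(rule, request):
    """True when every target component is Any* or lists the request's value."""
    return all(rule["target"].get(attr) is None or value in rule["target"][attr]
               for attr, value in zip(ATTRS, request))


def combine(algorithm, effects):
    """Combine the effects of the applicable rules, given in policy order.

    Without Indeterminate results the 'ordered' algorithms decide exactly like
    their unordered counterparts; 'ordered' only pins down evaluation order."""
    if algorithm in ("permit-overrides", "ordered-permit-overrides"):
        if PERMIT in effects:
            return PERMIT
        return DENY if DENY in effects else NOT_APPLICABLE
    if algorithm in ("deny-overrides", "ordered-deny-overrides"):
        if DENY in effects:
            return DENY
        return PERMIT if PERMIT in effects else NOT_APPLICABLE
    if algorithm == "first-applicable":
        return effects[0] if effects else NOT_APPLICABLE
    raise ValueError(f"unknown rule-combining algorithm: {algorithm}")


def evaluate(policy, request):
    """Decision of one policy for one request."""
    effects = [r["effect"] for r in policy["rules"] if rule_applies(r, request)]
    return combine(policy["algorithm"], effects)


def what_if(policy, domain):
    """The 'what if' table: one decision per request in a finite attribute domain."""
    space = product(*(sorted(domain[attr]) for attr in ATTRS))
    return {request: evaluate(policy, request) for request in space}


def analyze(policy, domain):
    """Flag constant output and rules that can never change the decision.

    Both are only *possible* errors: overlapping policies written independently
    by different administrators legitimately produce them."""
    table = what_if(policy, domain)
    findings = []
    decisions = set(table.values())
    if len(decisions) == 1:
        findings.append(f"constant output: every request yields {next(iter(decisions))}")
    for rule in policy["rules"]:
        without = dict(policy, rules=[r for r in policy["rules"] if r is not rule])
        if what_if(without, domain) == table:
            findings.append(f"rule {rule['id']} never changes the decision "
                            f"under {policy['algorithm']}")
    return findings


# Seth's example from the thread: two catch-all rules, ordered-permit-overrides.
SETH_POLICY = {
    "algorithm": "ordered-permit-overrides",
    "rules": [
        {"id": "AlwaysPermit", "effect": PERMIT, "target": {}},
        {"id": "AlwaysDeny", "effect": DENY, "target": {}},
    ],
}

# Constructed illustration of Hal's scenario: an organisation-wide rule and two
# server-group rules written independently, then combined under deny-overrides.
ORG_AND_GROUP_POLICY = {
    "algorithm": "deny-overrides",
    "rules": [
        {"id": "OrgDenyGuests", "effect": DENY, "target": {"subject": {"guest"}}},
        {"id": "GroupPermitAdmins", "effect": PERMIT,
         "target": {"subject": {"admin"}, "resource": {"db-server"}}},
        {"id": "GroupPermitGuestRead", "effect": PERMIT,
         "target": {"subject": {"guest"}, "resource": {"db-server"}, "action": {"read"}}},
    ],
}

# Constructed attribute domain: the server group's "set of conditions".
SERVER_GROUP_DOMAIN = {
    "subject": {"admin", "guest"},
    "resource": {"db-server"},
    "action": {"read", "delete"},
}

if __name__ == "__main__":
    for name, policy in (("Seth's policy", SETH_POLICY),
                         ("org + group policy", ORG_AND_GROUP_POLICY)):
        print(name)
        for request, decision in what_if(policy, SERVER_GROUP_DOMAIN).items():
            print("  ", request, "->", decision)
        for finding in analyze(policy, SERVER_GROUP_DOMAIN):
            print("   !", finding)
```

The "never changes the decision" check is deliberately defined by outcome (remove the rule, recompute the whole table) rather than by whether a PDP would evaluate the rule, so it catches both Seth's shadowed AlwaysDeny and a group-level rule that an organisation-wide deny always overrides; as Hal notes, the second case may be exactly what the two administrators intended, so the tool can only flag it, not reject the policy.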
