OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-users] Combining algorithms and "AND" and "OR"

Srinivas,

Informally, deny-overrides returns "deny" unless all policies evaluate
to "permit" or "not-applicable".  permit-overrides returns "permit" if
at least one policy evaluates to "permit" (unless a policy is
encountered prior to any "permit" that evaluates to "deny").  But read
the spec for the full description.

Anne

srinivas.sridhara@nokia.com wrote:
> Does "deny-override" mean that the result of combining a set of policies is "deny" no matter what the other policies evaluate to (i.e. Permit, Indeterminate or NotApplicable) as long as one policy evaluates to Deny. Or does Deny-override apply only to those policies which evaluate to permit or deny. A similar thought for Permit-override too!
> 
> Srinivas
> 
> 
>>-----Original Message-----
>>From: ext Anne Anderson [mailto:Anne.Anderson@Sun.COM]
>>Sent: Wednesday, April 13, 2005 2:44 PM
>>To: Kuketayev, Argyn (Contractor)
>>Cc: xacml-users@lists.oasis-open.org
>>Subject: Re: [xacml-users] Combining algorithms and "AND" and "OR"
>>
>>
>>They are roughly equivalent, but not completely.  They differ from
>>Boolean AND and OR in operating on 4 values - "Permit", "Deny",
>>"NotApplicable", and "Indeterminate" - rather than on 2 ("True",
>>"False").  If "Permit" is treated as equivalent to "True", 
>>and "Deny" is
>>treated as equivalent to "False", and if none of the rules or policies
>>returns "NotApplicable" or "Indeterminate", then I believe they are
>>equivalent.
>>
>>Anne
>>
>>Kuketayev, Argyn (Contractor) wrote:
>>
>>>Can I say that "deny-overrides" is equal to multiplication ("AND"
>>>operator) of results of each rule or policy? Subsequently,
>>>"permit-overrides" is "OR" operator?
>>>
>>>Thanks,
>>>Argyn
>>
>>-- 
>>Anne H. Anderson             Email: Anne.Anderson@Sun.COM
>>Sun Microsystems Laboratories
>>1 Network Drive,UBUR02-311     Tel: 781/442-0928
>>Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>>
> 
> 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]