Subject: RE: [xacml-users] Combining algorithms and "AND" and "OR"
> -----Original Message----- > From: firstname.lastname@example.org > [mailto:email@example.com] > Sent: Wednesday, April 13, 2005 4:17 PM > To: Anne.Anderson@Sun.COM; Kuketayev, Argyn (Contractor) > Cc: firstname.lastname@example.org > Subject: RE: [xacml-users] Combining algorithms and "AND" and "OR" > > > Does "deny-override" mean that the result of combining a set > of policies is "deny" no matter what the other policies > evaluate to (i.e. Permit, Indeterminate or NotApplicable) as > long as one policy evaluates to Deny. Yes > Or does Deny-override > apply only to those policies which evaluate to permit or > deny. No. One example: suppose there was a rule, which effects in "Deny", but due to errors returned "Indeterminate". If this result is combined with other rules returning "Permit", the combined result will be "Deny" as far as I remember. Also, deny-override has two types, one for policies and one for rules. There are significant differences between them. > A similar thought for Permit-override too! This algorithm deals with "Not applucable" and "Indeterminate" in a different way. Thanks, argyn