xacml-users message



Subject: RE: [xacml-users] group representation and combine algorithm


>Does anyone have an idea how I can do it? Is there any other way to force
>user-specific rules to override group rules?

I will try to answer.

In general, all the applicable rules are equal.  And all the applicable
policies are equal. Even the document order for the first applicable is
in reality implementation dependent.

One way to make them non-equal would be to split policies on groups
and policies on individual users into separate policies. They may be
differentiated by an environment target for example (using matching rule
group_policy = true, or something to that effect), or by some
implementation dependent id. 

Then you can either roll out your own policy combining algorithm, that
first uses user policies, or make the PEP make two requests, first with
group_policy attribute (in the example above) set to false, then, if the
result is not applicable, issue a new request with it set to true.
Though that approach will move some combining logic out of XACML, which
is rather non-portable.

I would guess the XACML answer to making some rules/policies more important
in some way is a new combining algorithm - that may make use of policy
combining parameters defined in the policy.

Currently there is no standard way to define a new algorithm; we may
look into this in 3.0 or at a later time frame.

Daniel;
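
The two options described in the message above, sketched as an added example that is not part of the original post or of any XACML implementation. The policy ids, subjects, the toy PDP and all function names are constructed for illustration, and Indeterminate results are not modelled.

```python
# Toy model (constructed) of the approaches in the message above; Indeterminate is not modelled.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

# Constructed sample policies. "group_policy" stands for the environment
# attribute the message suggests matching in each policy target.
POLICIES = [
    {"id": "grp-staff-deny-payroll", "group_policy": True, "effect": DENY,
     "match": lambda r: "staff" in r["groups"] and r["resource"] == "payroll"},
    {"id": "usr-alice-permit-payroll", "group_policy": False, "effect": PERMIT,
     "match": lambda r: r["user"] == "alice" and r["resource"] == "payroll"},
]

def deny_overrides(effects):
    """Standard-style combining: any Deny wins, else any Permit, else NotApplicable."""
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NA

def flat_decision(request, policies=POLICIES):
    """Baseline: user and group policies are peers under one combining algorithm."""
    return deny_overrides([p["effect"] for p in policies if p["match"](request)])

def pdp_evaluate(request, policies=POLICIES):
    """Stand-in PDP: a policy applies only if its group_policy target value matches."""
    return deny_overrides([p["effect"] for p in policies
                           if p["group_policy"] == request["group_policy"]
                           and p["match"](request)])

def pep_two_pass(request):
    """PEP-side option: ask with group_policy=false, retry with true on NotApplicable."""
    decision = pdp_evaluate({**request, "group_policy": False})
    if decision != NA:
        return decision  # a user-specific Permit or Deny is final
    return pdp_evaluate({**request, "group_policy": True})

def user_first_combining(request, policies=POLICIES):
    """PDP-side option: custom combining that consults user policies before group ones."""
    for is_group in (False, True):
        subset = [p for p in policies if p["group_policy"] == is_group]
        decision = flat_decision(request, subset)
        if decision != NA:
            return decision
    return NA

ALICE = {"user": "alice", "groups": ["staff"], "resource": "payroll"}
BOB = {"user": "bob", "groups": ["staff"], "resource": "payroll"}

if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who["user"], flat_decision(who), pep_two_pass(who), user_first_combining(who))
```

With the flat baseline the group Deny overrides the user Permit for alice; both user-first variants return her user-specific Permit and still apply the group Deny to bob.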



