
xacml-users message


Subject: RE: [xacml-users] group representation and combine algorithm

Thanks for your answer.

Assume I have several rules to a resource and one of them with effect=DENY.

Since my policy is first-applicable, if I want to have deny-override
behavior, I need to order the rules and put the deny rule as the first one.

It means in order to support groups I must write first-applicable policy
instead of deny-override.

Is there any workaround for it?


On Oct 31, 2005, at 2:02 PM, Yair Sade wrote:
> [...]
> I want that specific rules that apply to specific user override the group
> rules. I can achieve that by ordering the specific subject rules before
> any-user rules and use first-applicable combining algorithm.
> However I want my rules to be handled in deny-override algorithm which
> contradicts the group handling algorithm.

If you use first-applicable, and then have a "fall through" Rule at the end
which always denies, does that get you what you need?

   <Policy alg="first-applicable">
     <Rule Effect="Permit">
       [Applicable to user]
     </Rule>
     <Rule Effect="Permit">
       [Applicable to group]
     </Rule>
     <!-- no Target: matches every request, so it fires for anything not permitted above -->
     <Rule Effect="Deny"/>
   </Policy>

Unless you've got something more complex than what I'm thinking about
(which is entirely likely <g>) I think this should act like deny-
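
The following is an added worked example, not code from the thread or from any XACML implementation: a small Python model of the two rule-combining algorithms under discussion, used to check the fall-through sketch above and the ordering concern raised in the reply (a Deny placed after a matching Permit is never reached under first-applicable). Rule names, the request shape and the subjects "alice", "bob", "carol" and group "staff" are constructed for the example; Indeterminate handling from the spec is omitted.

```python
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

def evaluate_rule(rule, request):
    """A rule yields its Effect when its Target matches, else NotApplicable."""
    _name, target, effect = rule
    return effect if target(request) else NOT_APPLICABLE

def first_applicable(rules, request):
    """First rule whose Target matches decides; later rules are never reached."""
    for rule in rules:
        decision = evaluate_rule(rule, request)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

def deny_overrides(rules, request):
    """Any applicable Deny wins; else Permit if any rule permits.
    Indeterminate handling from the spec is omitted to keep the model small."""
    decisions = [evaluate_rule(r, request) for r in rules]
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

# Constructed rule builders (names and request shape are this example's own).
def user_rule(user, effect):
    return (f"user:{user}", lambda req: req["subject"] == user, effect)

def group_rule(group, effect):
    return (f"group:{group}", lambda req: group in req["groups"], effect)

# Fall-through rule: no Target, so it matches every request.
FALL_THROUGH_DENY = ("fall-through", lambda req: True, DENY)

def decide(rules, algorithm, subject, groups=()):
    return algorithm(rules, {"subject": subject, "groups": set(groups)})

# The sketch from the reply: user Permit, then group Permit, then Deny.
SKETCH = [user_rule("alice", PERMIT), group_rule("staff", PERMIT), FALL_THROUGH_DENY]
# A user-specific Deny placed before the group Permit overrides the group rule.
USER_OVERRIDES = [user_rule("bob", DENY), group_rule("staff", PERMIT), FALL_THROUGH_DENY]
# The same two rules with the Deny last: first-applicable never reaches it.
DENY_LAST = [group_rule("staff", PERMIT), user_rule("bob", DENY)]

if __name__ == "__main__":
    print(decide(SKETCH, first_applicable, "carol"))              # Deny
    print(decide(SKETCH, deny_overrides, "alice"))                # Deny: fall-through always applies
    print(decide(DENY_LAST, first_applicable, "bob", ["staff"]))  # Permit: Deny never reached
```

The third and fourth cases show why the fall-through trick is tied to first-applicable: under deny-overrides the always-applicable Deny rule wins for every request, so the same policy would deny even the user it was meant to permit.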

