OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-users] unordered versions of combining algorithms

Hi Karthik.

On Feb 20, 2006, at 11:24 AM, Karthik S wrote:
> I have a question regarding the unordered versions of certain
> combining algorithms (deny-overrides, for instance). Does the
> specification intend to leave it to the implementation with regards to
> the way in which rules/policies are fetched from the list (the sun's
> impl. does an ordered fetching even for the unordered versions).

Yes, the intention is that each implementation can decide how to  
handle the ordering. Actually, in XACML 1.0 there were only the  
unordered versions. The ordered versions were added later to give  
some guarantees to policy writers.

The original idea was that a PDP might know how best to proceed with  
evaluation based on some specific ordering. That ordering might  
follow from some performance metric (being able to evaluate one  
policy much faster than another), some aspect of caching (a cached or  
local policy can be evaluated much faster than something that has to  
be fetched from the network), etc. In practice, I don't think many  
people actually tried to take advantage of this, and so most  
evaluation proceeded in order by default (as, you note, does the  
SunXACML implementation).

Note that XACML 2.0 introduced parameters to combining algorithms.  
One use of these new parameters might be to provide data about how to  
order evaluation, although I haven't done this myself.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]