Subject: Re: [xacml-users] unordered versions of combining algorithms
Hi Karthik.

On Feb 20, 2006, at 11:24 AM, Karthik S wrote:

> I have a question regarding the unordered versions of certain
> combining algorithms (deny-overrides, for instance). Does the
> specification intend to leave it to the implementation with regards to
> the way in which rules/policies are fetched from the list (the sun's
> impl. does an ordered fetching even for the unordered versions).

Yes, the intention is that each implementation can decide how to handle the ordering. Actually, in XACML 1.0 there were only the unordered versions. The ordered versions were added later to give some guarantees to policy writers.

The original idea was that a PDP might know how best to proceed with evaluation based on some specific ordering. That ordering might follow from some performance metric (being able to evaluate one policy much faster than another), some aspect of caching (a cached or local policy can be evaluated much faster than something that has to be fetched from the network), etc. In practice, I don't think many people actually tried to take advantage of this, and so most evaluation proceeded in order by default (as, you note, does the SunXACML implementation).

Note that XACML 2.0 introduced parameters to combining algorithms. One use of these new parameters might be to provide data about how to order evaluation, although I haven't done this myself.

seth
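An added illustration of the point discussed in this message, not code from the message, the XACML specification, or SunXACML: a simplified deny-overrides combiner in which the PDP picks a cheapest-first order, showing that the decision stays the same while the set of policies actually evaluated changes. The policy names, costs and requests are constructed, and Indeterminate handling is left out to keep the model small.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Callable

DENY, PERMIT, NOT_APPLICABLE = "Deny", "Permit", "NotApplicable"

@dataclass(frozen=True)
class Policy:
    name: str
    cost: int  # assumed relative cost: low = cached/local, high = remote fetch
    evaluate: Callable[[dict], str]

def deny_overrides(policies, request):
    """Return (decision, names evaluated, total cost); stop at the first Deny."""
    evaluated, spent, saw_permit = [], 0, False
    for p in policies:
        evaluated.append(p.name)
        spent += p.cost
        decision = p.evaluate(request)
        if decision == DENY:
            return DENY, evaluated, spent
        saw_permit = saw_permit or decision == PERMIT
    return (PERMIT if saw_permit else NOT_APPLICABLE), evaluated, spent

def cheapest_first(policies):
    """An ordering chosen by the PDP, which the unordered algorithm permits."""
    return sorted(policies, key=lambda p: p.cost)

def decisions_over_all_orders(policies, request):
    """Set of decisions produced across every possible evaluation order."""
    return {deny_overrides(list(o), request)[0] for o in permutations(policies)}

# Constructed sample policies, listed in document order, and sample requests.
POLICIES = [
    Policy("remote-role-policy", 100,
           lambda r: PERMIT if r["role"] == "admin" else NOT_APPLICABLE),
    Policy("remote-audit-policy", 80, lambda r: NOT_APPLICABLE),
    Policy("cached-lockout-policy", 1,
           lambda r: DENY if r["locked"] else NOT_APPLICABLE),
]
LOCKED_ADMIN = {"role": "admin", "locked": True}
ACTIVE_ADMIN = {"role": "admin", "locked": False}

if __name__ == "__main__":
    print("document order:", deny_overrides(POLICIES, LOCKED_ADMIN))
    print("cheapest first:", deny_overrides(cheapest_first(POLICIES), LOCKED_ADMIN))
    print("all orders:    ", decisions_over_all_orders(POLICIES, LOCKED_ADMIN))
```

Because only the decision is order-independent, a policy writer who needs a particular policy to be evaluated first should use the ordered variant of the algorithm.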