[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-users] policy inconsistency
Hi Koko, Once you introduce expressive conditions on access that go beyond a simple match on <subject, object, action> (SOA), inconsistency becomes more complex. Two policies may have the same SOA, and one may have an effect of "Deny" (i.e., if policy conditions are satisfied, then the result will be "Deny"), and the other may have an effect of "Permit". But if the first policy applies only between the hours of 8-10am, and the second policy applies only between the hours of 2-4pm, then they do not conflict. Another case is where the conditions in two policies overlap: from some input values, the two policies would return conflicting results, but for other input values, they would not conflict because only one would return an applicable result. Regards, Anne Koko Ga wrote On 05/01/06 10:51,: > Hi, > I'm looking into understanding the different types of policy inconsistency. Are you aware of any work on this topic? > A common case of inconsistency is when two rules have the same <subject, object, action> tuple and the rulings are conflict with each other (permit and deny). Do you know of any other examples of policy inconsistency? > > Thanks, > > koko, > > > --------------------------------- > Blab-away for as little as 1¢/min. Make PC-to-Phone Calls using Yahoo! Messenger with Voice. > -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]