OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-users] policy inconsistency

Hi Koko,

Once you introduce expressive conditions on access that go beyond a 
simple match on <subject, object, action> (SOA), inconsistency becomes 
more complex.

Two policies may have the same SOA, and one may have an effect of "Deny" 
(i.e., if policy conditions are satisfied, then the result will be 
"Deny"), and the other may have an effect of "Permit".  But if the first 
policy applies only between the hours of 8-10am, and the second policy 
applies only between the hours of 2-4pm, then they do not conflict.

Another case is where the conditions in two policies overlap: from some 
input values, the two policies would return conflicting results, but for 
other input values, they would not conflict because only one would 
return an applicable result.


Koko Ga wrote On 05/01/06 10:51,:
> Hi,
>   I'm looking into understanding the different types of policy inconsistency. Are you aware of any work on this topic? 
>   A common case of inconsistency is when two rules have the same <subject, object, action> tuple and the rulings are conflict with each other (permit and deny). Do you know of any other examples of policy inconsistency? 
>   Thanks,
>   koko, 
> ---------------------------------
> Blab-away for as little as 1/min. Make  PC-to-Phone Calls using Yahoo! Messenger with Voice.

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]