OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-users] policy inconsistency

On 5/1/06, Daniel Engovatov <dengovatov@bea.com> wrote:
> Why would not it make sense?
> Consider the following scenario: one default policy permits something.  Administrator adds a temporary policy to block that - it is much nicer to add a DENY rule, then to edit away rule in the default policy.  Later this DENY  rule may be revoked.
> I do not see any semantic inconsistency in this usage: this is exactly the reason to have DENY rules and combining algorithm.  If not for this kind of rules - there would be little reason to have the DENY effect - as the effect of deny could be handled using only the NOTAPPLICABLE.
> Daniel;

you are right, in your example Admin intended to put a policy which
"overrides" the existing policy/rule.

however, i think that koko meant something else. recently, i was
talking about xacml and got a similar question from the audience. the
issue is that once you build a large set of policies and rules, there
could be unintended "collisions" or inconsistencies. combining
algorithms could produce "unexpected" results when multiple policy
sets are combined. these effects are not indeterministic, of course,
but the result of combining policy sets is not always intuitive. if
you have a lot of policies, then it would be useful to find out
inconsistent ones. in order to do that one has to define what is
exactly "inconsistent" policies.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]