
xacml-users message


Subject: Re: [xacml-users] Problem with an or function

I think it's not quite clear from the XACML 2.0 specification what string-greater should return if one of the arguments is Indeterminate. It would be logical in my view if it returns Indeterminate too.

The second question is: what should 'or' return if the first argument is Indeterminate?

Since there is no special provision for Indeterminate in the 'or' definition, I would assume that 'or' should proceed to the next argument evaluation, but that's not what happened according to Valerie's report, so probably it's a bug in the engine that he uses?

From: "Tyson, Paul H" <PTyson@bellhelicopter.textron.com>
To: David Brossard <david.brossard@axiomatics.com>; valerie.bauche@bull.net
Cc: xacml-users@lists.oasis-open.org
Sent: Thu, January 27, 2011 9:20:30 AM
Subject: RE: [xacml-users] Problem with an or function

If Valerie is free to use XACML 3.0 syntax, David’s solution should work.  (Note that he switched to integer comparison instead of string comparison, which may or may not match the original policy intent.)


However, in XACML 2  the Condition element must be used as in the original post.  The results are still a mystery.  I think you could interpret the spec to say this Condition should return “true” if either profile1 or profile2 were “20”; however the failure of “one-and-only” would throw in an Indeterminate, which might cause the observed behavior.


Valerie, can you post the entire policy, or at least enough of the parent Rules and Policies to see where the Deny and Permit are coming from? Also, do you intend to use string-comparisons?  Note that “2” will be greater than “10” by this rule.

From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Thursday, January 27, 2011 10:46
To: valerie.bauche@bull.net
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Problem with an or function

Hi Valerie,

You need to define your original rule in a clearer way. What are you trying to achieve?

You claim profile1>10 gives Permit OR profile2>10 gives Permit.

What if profile1>10 and profile2<10? Do you also want Permit?

If you want to return Permit if at least one of the 2 statements is true regardless of what the other statement is, then create a simple rule as follows:

<xacml3:Rule RuleId="profile1-2" Effect="Permit" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml3:Description>allow if either profile1 is greater than 10 or profile2 is greater than 10</xacml3:Description>
  <xacml3:Target><xacml3:AnyOf>
    <!-- each AllOf holds one Match: integer-less-than(10, profileN), i.e. profileN > 10 -->
    <xacml3:AllOf><xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</xacml3:AttributeValue>
      <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="profile2" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
    </xacml3:Match></xacml3:AllOf>
    <xacml3:AllOf><xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</xacml3:AttributeValue>
      <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="profile1" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
    </xacml3:Match></xacml3:AllOf>
  </xacml3:AnyOf></xacml3:Target>
</xacml3:Rule>

With the rule expressed as above, using a Target and two AllOf nodes inside an AnyOf node, you do not need to use Conditions, making the rule simpler.

If you send profile1=5 you get NotApplicable
If you send profile2=5 you get NotApplicable
If you send profile1=5 and profile2=5 you get NotApplicable
If you send profile1=15 and profile2=5 you get Permit
If you send profile1=5 and profile2=15 you get Permit
If you send profile1=15 and profile2=15 you get Permit

You can get rid of NotApplicable by using the deny-unless-permit (3.0) combining algorithm.

I hope this helps,

On Thu, Jan 27, 2011 at 5:32 PM, <valerie.bauche@bull.net> wrote:

I want to express a quite simple rule :
profile1>10 or profile2>10

Here is the corresponding XACML :

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile1" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
  <Apply FunctionId="urn:bxss:xacml:string-greater-than-or-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:SAML:2.0:attrname-format:basic:profile2" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">10</AttributeValue>
  </Apply>
</Condition>

If I come with profile1=20 : the result is PERMIT
If I come with profile2=20 : the result is DENY !!!!!

I think that the following happened:
If I have profile2=20 and no profile1 at all, the function first tries to evaluate profile1, and string-one-and-only fails because profile1 does not exist. Then the evaluation cannot be done, the whole process fails, and we don't even try to evaluate the second possibility with profile2...

Am I right ?

What could be the solution to handle such a problem ?

David Brossard, M.Eng, SCEA, CSTP
Solutions Architect
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
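The evaluation question the thread circles around, namely what `or` does when `string-one-and-only` yields Indeterminate for a missing attribute, and why a Target/AnyOf/AllOf rule sidesteps it, in a small runnable model. This is an added illustration, not code from the thread or from any XACML engine: the request-as-dict-of-bags format, the names `or_propagating` and `or_tolerant`, and the reading of the custom `urn:bxss:xacml:string-greater-than-or-equals` function as a plain lexicographic comparison are assumptions, and the combining algorithm of the surrounding policy (where Valerie's Deny comes from) is deliberately not modelled.

```python
"""Three-valued model of the XACML evaluation discussed in this thread.

Added illustration, not code from the thread or from any XACML engine.
A request is a dict mapping attribute id -> bag (list) of values, so a
missing attribute is an empty bag.  Indeterminate is modelled as an exception.
"""


class Indeterminate(Exception):
    """An expression that cannot be evaluated (the XACML Indeterminate value)."""


def one_and_only(bag):
    """string-one-and-only / integer-one-and-only: the single value of a bag,
    Indeterminate when the bag is empty or holds several values."""
    if len(bag) != 1:
        raise Indeterminate(f"bag holds {len(bag)} values, expected exactly 1")
    return bag[0]


def string_ge(a, b):
    """Assumed semantics of urn:bxss:xacml:string-greater-than-or-equals:
    a lexicographic comparison, so "2" >= "10" is True (Paul's caveat)."""
    return a >= b


def or_propagating(args):
    """'or' that lets an Indeterminate argument abort the whole expression.
    This is the behaviour Valerie reports: profile1 missing, profile2 never looked at."""
    return any(arg() for arg in args)  # an Indeterminate raised by arg() propagates


def or_tolerant(args):
    """'or' that keeps evaluating after an Indeterminate argument: True if any
    argument is True, Indeterminate only if none is True and at least one was
    Indeterminate, otherwise False.  This is the reading the first reply argues for."""
    saw_indeterminate = False
    for arg in args:
        try:
            if arg():
                return True
        except Indeterminate:
            saw_indeterminate = True
    if saw_indeterminate:
        raise Indeterminate("no argument was True and at least one was Indeterminate")
    return False


def condition_rule(request, or_impl):
    """Valerie's XACML 2.0 rule: Effect=Permit guarded by
    or(profile1 >= "10", profile2 >= "10") over string-one-and-only bags.
    Returns the rule decision: Permit, NotApplicable or Indeterminate."""
    args = [
        lambda: string_ge(one_and_only(request.get("profile1", [])), "10"),
        lambda: string_ge(one_and_only(request.get("profile2", [])), "10"),
    ]
    try:
        return "Permit" if or_impl(args) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"


def match(function, value, bag):
    """XACML Match: apply function(AttributeValue, element) to every element of
    the designator's bag; the Match holds if any element matches.  An empty bag
    (attribute absent, MustBePresent="false") simply does not match."""
    return any(function(value, element) for element in bag)


def target_rule(request):
    """David's XACML 3.0 rule: a Target with one AnyOf holding two AllOf, each a
    single integer-less-than(10, profileN) Match, and no Condition.
    Returns Permit when the Target applies, NotApplicable otherwise."""
    def less_than(a, b):
        return a < b

    any_of = [
        [lambda: match(less_than, 10, request.get("profile1", []))],  # AllOf 1
        [lambda: match(less_than, 10, request.get("profile2", []))],  # AllOf 2
    ]
    applies = any(all(m() for m in all_of) for all_of in any_of)
    return "Permit" if applies else "NotApplicable"


if __name__ == "__main__":
    # Constructed requests mirroring the thread's cases
    print(condition_rule({"profile2": ["20"]}, or_propagating))  # Indeterminate
    print(condition_rule({"profile2": ["20"]}, or_tolerant))     # Permit
    print(target_rule({"profile2": [20]}))                       # Permit
```

Under `or_propagating` the Permit rule itself only reaches Indeterminate; whether that surfaces as Deny depends on the other rules and the combining algorithm, which is exactly what Paul asks Valerie to post. The Target version never raises, because an absent attribute with `MustBePresent="false"` is an empty bag that just fails to match, which is why David's table shows NotApplicable rather than Indeterminate for the low or missing values.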
