[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] policy subcommittee meeting on Dec. 10 - minutes
> For instance, suppose global policy P is defined as P=P1 OR
> P2. Consider a request R, and suppose that P1 has a ``permit'' for R.
> Would what P2 says make a difference for the overall decision? In
> other words what if P2 has a ``deny'' for R? should it be different
> from the case wher P2 does not have anything for R? (if so the
> composition would become much more complicated and the evaluation
> process less efficient as all the policies in an expression should be
> evaluated always).
>
> There is general consensus among the people on the concall that policy
> composition should operate on the decisions of the policy, not on the
> rules in it. So whether P2 could have a negative response to the
> request because of the absence of a ``permit'' for it or because of a
> ``deny'' for it should not make a difference.
i do not understand this, can someone please give an example?
i only know of two methods that address conflict resolution:
* explicit precedence ('allow except' or 'deny except')
* order based evaluations for access control (order yields precedence)
does the above fit in with one of these or are we considering another
approach?
thanks
b
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC