Subject: Re: [xacml] policy subcommittee meeting on Dec. 10 - minutes
> For instance, suppose global policy P is defined as P=P1 OR
> P2. Consider a request R, and suppose that P1 has a ``permit'' for R.
> Would what P2 says make a difference for the overall decision? In
> other words what if P2 has a ``deny'' for R? should it be different
> from the case where P2 does not have anything for R? (if so the
> composition would become much more complicated and the evaluation
> process less efficient as all the policies in an expression should be
> evaluated always).
>
> There is general consensus among the people on the concall that policy
> composition should operate on the decisions of the policy, not on the
> rules in it. So whether P2 could have a negative response to the
> request because of the absence of a ``permit'' for it or because of a
> ``deny'' for it should not make a difference.

i do not understand this, can someone please give an example?

i only know of two methods that address conflict resolution:

* explicit precedence ('allow except' or 'deny except')
* order based evaluations for access control (order yields precedence)

does the above fit in with one of these or are we considering another
approach?

thanks
b
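
The P = P1 OR P2 case from the quoted minutes, as an added example that is not part of the original message or of any XACML draft. The rule model, the per-policy decision rule and the "pooled rules, deny wins" contrast case are assumptions chosen to show why composing on decisions makes P2's ``deny'' and P2's silence indistinguishable and lets evaluation stop early.

```python
from enum import Enum

class Effect(Enum):
    PERMIT = "permit"
    DENY = "deny"

def matching_effects(policy, request):
    """Effects of the rules in one policy that apply to the request."""
    return [effect for applies, effect in policy if applies(request)]

def decide(policy, request):
    """Collapse one policy to a yes/no decision (assumed: a permit and no deny)."""
    effects = matching_effects(policy, request)
    return Effect.PERMIT in effects and Effect.DENY not in effects

def or_on_decisions(policies, request):
    """P1 OR P2 over decisions; returns (permitted, policies evaluated)."""
    for count, policy in enumerate(policies, start=1):
        if decide(policy, request):
            return True, count  # short-circuit: later policies are not consulted
    return False, len(policies)

def or_on_rules(policies, request):
    """Contrast case: pool every policy's rules, any deny wins (assumed semantics)."""
    effects = [e for p in policies for e in matching_effects(p, request)]
    return Effect.PERMIT in effects and Effect.DENY not in effects, len(policies)

# Constructed sample data: request R and the policies from the quoted scenario.
R = {"subject": "alice", "action": "read", "resource": "report"}
is_R = lambda req: req == R
P1 = [(is_R, Effect.PERMIT)]      # P1 has a permit for R
P2_SILENT = []                    # P2 has nothing for R
P2_DENY = [(is_R, Effect.DENY)]   # P2 has an explicit deny for R

if __name__ == "__main__":
    for name, p2 in (("P2 silent", P2_SILENT), ("P2 deny", P2_DENY)):
        print(name, "| on decisions:", or_on_decisions([P1, p2], R),
              "| on rules:", or_on_rules([P1, p2], R))
```
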