
Subject: Re: [xacml] policy subcommittee meeting on Dec. 10 - minutes

> For instance, suppose global policy P is defined as P=P1 OR
> P2. Consider a request R, and suppose that P1 has a ``permit'' for R.
> Would what P2 says make a difference for the overall decision? In
> other words what if P2 has a ``deny'' for R? should it be different
> from the case where P2 does not have anything for R? (if so the
> composition would become much more complicated and the evaluation
> process less efficient as all the policies in an expression should be
> evaluated always).


> There is general consensus among the people on the concall that policy
> composition should operate on the decisions of the policy, not on the
> rules in it. So whether P2 could have a negative response to the
> request because of the absence of a ``permit'' for it or because of a
> ``deny'' for it should not make a difference.

i do not understand this, can someone please give an example?

i only know of two methods that address conflict resolution:

* explicit precedence ('allow except' or 'deny except')
* order based evaluations for access control (order yields precedence)

does the above fit in with one of these or are we considering another 
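
The distinction drawn in the quoted minutes, as an added example that is not part of the original message or of any XACML specification: P = P1 OR P2 is composed once on policy decisions and once on merged rules, with P2 either denying R or saying nothing about R. The rule tuples, the function names, the request and the "deny beats permit inside one policy" rule are all assumptions made for the illustration.

```python
# Added illustration; the rule model and all names are assumptions, not XACML syntax.
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    rules: list  # (effect, subject, action) tuples; effect is "permit" or "deny"

    def decide(self, request):
        """Policy-level decision: True (permit) or False (negative response).

        Assumption: inside one policy a matching deny beats a matching permit.
        A missing permit and an explicit deny both collapse to False.
        """
        effects = {e for e, s, a in self.rules if (s, a) == request}
        return "permit" in effects and "deny" not in effects

def decision_or(policies, request):
    """P1 OR P2 on decisions: stop at the first permit, report who was evaluated."""
    evaluated = []
    for p in policies:
        evaluated.append(p.name)
        if p.decide(request):
            return True, evaluated
    return False, evaluated

def rule_level_or(policies, request):
    """Contrast: merge every policy's rules first, so a deny anywhere is visible.

    All policies must be inspected, and P2's deny now changes the outcome.
    """
    merged = Policy("merged", [r for p in policies for r in p.rules])
    return merged.decide(request)

def demo():
    R = ("alice", "read")  # constructed request
    p1 = Policy("P1", [("permit", "alice", "read")])
    variants = {"P2 denies R": [("deny", "alice", "read")],
                "P2 silent on R": [("permit", "bob", "read")]}
    results = {}
    for label, p2_rules in variants.items():
        p2 = Policy("P2", p2_rules)
        results[label] = {"p2_alone": p2.decide(R),
                          "decision_or": decision_or([p1, p2], R),
                          "rule_level_or": rule_level_or([p1, p2], R)}
    return results

if __name__ == "__main__":
    for label, row in demo().items():
        print(label, row)
```

On decisions, both P2 variants are the same negative response and P2 is never evaluated once P1 permits; on merged rules, the two variants give different results and every policy has to be read.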


