Subject: [xacml] New issue#4-7 from "Boolean Policy resolution"
This is the final set. -Anne

===================================================================

PM-5-?: Base Policy supplied as part of AuthorizationDecisionQuery

Some PEPs have knowledge of the policy associated with a resource (example: a typical FileSystem knows the ACLs associated with a file or directory). To support this case, can a Base Policy or <referencedPolicy> be supplied as part of the SAML AuthorizationDecisionQuery?

Possible Resolutions:

Default policy: A Base Policy or <referencedPolicy> for evaluating a particular Access Request may be specified as part of the Access Request. If a PDP has no Base Policy(s), then the result of evaluating an Access Request that does not specify a Base Policy to use is NOT-APPLICABLE (=SAML INDETERMINATE).

Champion: Anne

===============================================================

PM-3-?: multiple Base Policies

Can a PDP have more than one Base Policy?

Alternative 1: A PDP MAY have multiple Base Policies, but such Base Policies SHOULD have non-overlapping <xacml:target> elements. The XACML specification does not specify the order in which multiple Base Policies are evaluated, or the result if two or more Base Policies have overlapping <xacml:target> elements. A PDP that has multiple Base Policies MUST publish its algorithm for the order in which Base Policies are evaluated and the result where two or more Base Policies have overlapping <xacml:target> elements.

Alternative 2: Base Policies have restricted <target> elements that are easily compared for overlap. In this alternative, the case where base policies overlap is an ERROR. Note that the 0.8 syntax favors this alternative and allows Alternative 3.

Alternative 3: There is only one Base Policy. Either it has no <target>, and applies to all Resources, or it has a <target> element that specifies the set of resources which this PDP is prepared to handle and returns NOT-APPLICABLE if a resource does match that target.

Champion: Anne (who supports Alternative 3)

===============================================================

PM-3-?: default PDP result

If no Base Policy applies to a given Access Request (i.e. all Base Policy evaluations return NOT-APPLICABLE), does the PDP return NOT-APPLICABLE (=SAML INDETERMINATE) to the PEP, or is the PDP configured with a default result to return (e.g. TRUE or FALSE)?

Possible Resolution: If no Base Policy applies to a given Access Request, then the PDP returns NOT-APPLICABLE (=SAML INDETERMINATE) to the PEP.

Champion: Anne

===============================================================

PM-1-?: syntax for <applicablePolicyReference>

If a predicate in XACML references an <xacml:applicablePolicy>, what should the syntax for this reference be?

Possible Resolution: The syntax should include a URI for <xacml:applicablePolicy> and a URI for the Policy Authority trusted to issue and sign this <xacml:applicablePolicy>. The name attribute in the referenced <xacml:applicablePolicy> must match the URI in the <applicablePolicyReference>. A chain of <applicablePolicyReference> that contains a cycle has a result of ERROR.

Champion: Anne

=================================================================

-- 
Anne H. Anderson                         Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311              Tel: 781/442-0928
Burlington, MA 01803-0902 USA            Fax: 781/442-1692
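As an added illustration (not code from the TC, the XACML drafts or Anne's message), a toy Python PDP that applies the resolutions proposed above: target-overlap detection under Alternative 2 of PM-3-?, the NOT-APPLICABLE default result, and cycle-checked <applicablePolicyReference> resolution from PM-1-?. The policy data structures, the example URIs and the choice to return ERROR for an unresolvable reference are my assumptions, not anything the message specifies.

```python
from itertools import combinations

NOT_APPLICABLE, ERROR = "NOT-APPLICABLE", "ERROR"

def overlapping_base_policies(base_policies):
    """Alternative 2 of PM-3-?: compare restricted targets for overlap and
    return the ids of every pair of Base Policies whose targets intersect."""
    return [(a["id"], b["id"]) for a, b in combinations(base_policies, 2)
            if a["target"] & b["target"]]

def resolve_reference(pdp, ref, seen=()):
    """PM-1-?: follow an <applicablePolicyReference> chain; the referenced
    policy must carry the same name URI and be issued by the referenced Policy
    Authority. A cycle is an ERROR; so is an unresolvable reference (assumption)."""
    name, authority = ref["name"], ref["authority"]
    if name in seen:
        return ERROR                    # cyclic reference chain
    policy = pdp["applicable_policies"].get(name)
    if policy is None or policy["issuer"] != authority:
        return ERROR                    # unknown policy or untrusted issuer
    if "ref" in policy:                 # this policy references another one
        return resolve_reference(pdp, policy["ref"], seen + (name,))
    return policy["effect"]

def decide(pdp, resource):
    """PM-3-? default result: no applicable Base Policy is NOT-APPLICABLE;
    several applicable ones mean overlapping targets, an ERROR under Alt. 2."""
    applicable = [p for p in pdp["base_policies"] if resource in p["target"]]
    if not applicable:
        return NOT_APPLICABLE
    if len(applicable) > 1:
        return ERROR
    return resolve_reference(pdp, applicable[0]["ref"])

# Constructed sample PDP (targets are plain sets of resource names, not XACML
# <target> syntax): the two Base Policies overlap on "/shared", and the
# applicable-policy chain cyc1 -> cyc2 -> cyc1 loops.
AUTH = "urn:ex:authority"
def make_ref(name): return {"name": name, "authority": AUTH}
PDP = {
    "base_policies": [
        {"id": "bp-docs", "target": {"/docs", "/shared"}, "ref": make_ref("urn:ex:docs")},
        {"id": "bp-share", "target": {"/shared"}, "ref": make_ref("urn:ex:cyc1")},
    ],
    "applicable_policies": {
        "urn:ex:docs": {"issuer": AUTH, "effect": "DENY"},
        "urn:ex:cyc1": {"issuer": AUTH, "ref": make_ref("urn:ex:cyc2")},
        "urn:ex:cyc2": {"issuer": AUTH, "ref": make_ref("urn:ex:cyc1")},
    },
}
```

Under Alternative 1 the overlapping "/shared" case would instead be decided by the PDP's published evaluation order; under Alternative 3 the overlap cannot arise because only one Base Policy exists.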