Subject: [xacml] New issue#4-7 from "Boolean Policy resolution"


This is the final set.
-Anne
===================================================================
PM-5-?: Base Policy supplied as part of AuthorizationDecisionQuery

Some PEPs have knowledge of the policy associated with a resource
(example: a typical FileSystem knows the ACLs associated with a
file or directory).  To support this case, can a Base Policy or
<referencedPolicy> be supplied as part of the SAML
AuthorizationDecisionQuery?

Possible Resolutions:

Default policy:

A Base Policy or <referencedPolicy> for evaluating a particular
Access Request may be specified as part of the Access Request.
If a PDP has no Base Policy(s), then the result of evaluating an
Access Request that does not specify a Base Policy to use is
NOT-APPLICABLE (=SAML INDETERMINATE).

Champion: Anne
===============================================================
PM-3-?: multiple Base Policies

Can a PDP have more than one Base Policy?

Alternative 1:

    A PDP MAY have multiple Base Policies, but such Base Policies
    SHOULD have non-overlapping <xacml:target> elements.  The
    XACML specification does not specify the order in which
    multiple Base Policies are evaluated, or the result if two or
    more Base Policies have overlapping <xacml:target> elements.

    A PDP that has multiple Base Policies MUST publish its
    algorithm for the order in which Base Policies are evaluated
    and the result where two or more Base Policies have
    overlapping <xacml:target> elements.


Alternative 2:

    Base Policies have restricted <target> elements that are
    easily compared for overlap.  In this alternative, the case
    where base policies overlap is an ERROR.  Note that the 0.8
    syntax favors this alternative and allows Alternative 3.

Alternative 3:

    There is only one Base Policy.  Either it has no <target>,
    and applies to all Resources or it has a <target> element
    that specifies the set of resources which this PDP is
    prepared to handle and returns NOT-APPLICABLE if a resource
    does match that target.

Champion: Anne (who supports Alternative 3)
===============================================================
PM-3-?: default PDP result

If no Base Policy applies to a given Access Request (i.e. all
Base Policy evaluations return NOT-APPLICABLE), does the PDP
return NOT-APPLICABLE (=SAML INDETERMINATE) to the PEP, or is the
PDP configured with a default result to return (e.g. TRUE or
FALSE)?

Possible Resolution:

If no Base Policy applies to a given Access Request, then the PDP
returns NOT-APPLICABLE (=SAML INDETERMINATE) to the PEP.

Champion: Anne
===============================================================
PM-1-?: syntax for <applicablePolicyReference>

If a predicate in XACML references an <xacml:applicablePolicy>,
what should the syntax for this reference be?

Possible Resolution:

The syntax should include a URI for <xacml:applicablePolicy> and
a URI for the Policy Authority trusted to issue and sign this
<xacml:applicablePolicy>.  The name attribute in the referenced
<xacml:applicablePolicy> must match the URI in the
<applicablePolicyReference>.  A chain of
<applicablePolicyReference> that contains a cycle has a result of
ERROR.

Champion: Anne
=================================================================
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
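The proposed PDP behaviours in the message above (Alternative 2's overlap check, the NOT-APPLICABLE default when no Base Policy matches, and ERROR on a cyclic chain of applicablePolicyReference elements), modelled in a small added example. This is constructed illustration code, not XACML or any implementation from the list; the Policy fields, the resource-set representation of a target and the sample policies are assumptions.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

NOT_APPLICABLE, ERROR, PERMIT, DENY = "NOT-APPLICABLE", "ERROR", "PERMIT", "DENY"


class Policy:
    """Constructed stand-in for an <xacml:applicablePolicy> (assumed shape)."""

    def __init__(self, name: str, target: Optional[FrozenSet[str]],
                 decision: str = PERMIT, references: Tuple[str, ...] = ()):
        self.name = name                # URI an <applicablePolicyReference> must match
        self.target = target            # None = no <target>, applies to all resources
        self.decision = decision        # what the policy yields when it applies
        self.references = references    # names of policies it references


def targets_overlap(policies: List[Policy]) -> bool:
    """Alternative 2: two Base Policies whose <target>s overlap is an ERROR."""
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if a.target is None or b.target is None or a.target & b.target:
                return True
    return False


def has_reference_cycle(name: str, registry: Dict[str, Policy],
                        seen: Tuple[str, ...] = ()) -> bool:
    """PM-1: a chain of <applicablePolicyReference> containing a cycle is an ERROR."""
    if name in seen:
        return True
    pol = registry.get(name)
    if pol is None:
        return False  # unresolved reference is a different failure; not a cycle
    return any(has_reference_cycle(r, registry, seen + (name,)) for r in pol.references)


def evaluate(base_policies: List[Policy], resource: str,
             registry: Dict[str, Policy]) -> str:
    """Evaluate an access request for one resource against the PDP's Base Policies."""
    if len(base_policies) > 1 and targets_overlap(base_policies):
        return ERROR
    for pol in base_policies:
        if pol.target is None or resource in pol.target:
            if has_reference_cycle(pol.name, registry):
                return ERROR
            return pol.decision
    return NOT_APPLICABLE  # PM-3 default: no Base Policy applies
```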

