Subject: RE: [xacml] Questions and Clarifications on the Concall
Hi Polar,
Good questions! I have to admit that after the concall I walked away a bit more confused myself.
In our glossary, "rule" is a predicate or a logical combination of predicates, and "policy" is a set of rules (which I've always taken to be a logical combination of rules, although the glossary doesn't explicitly say so and, from what Pierangela was saying yesterday, she took it to be a simple "OR" of rules).
In the proposal that I posted last Friday, I tried to make a couple of other distinctions: a rule does not have an applicability or target element, whereas a policy does; and a rule has an explicit grant/deny indicator, whereas a policy does not.
But in yesterday's call, Simon said that in his mind a rule does have an applicability element (an R-A-S triple, which may be a simplified version of the predicates contained in the rule). Furthermore, he thinks that a policy should have a grant/deny indicator (or at least grant, for now). And, as I mentioned above, Pierangela questioned whether there is any need for a policy to have a combination of rules (i.e., either it is just a combination of predicates, or it is implicitly understood that they are combined in an OR). Finally, Simon suggested that the smallest individual unit specified by XACML should be a policy.
So now I really don't understand the difference between "policy" and "rule". How are they different? Do we need to distinguish between them? Do we need separate syntax for them? Why not forget about rules altogether and say that, for XACML, a logical combination of predicates, with a (possibly simplified) applicability or target element, and with an explicit grant/deny indicator, *is* a policy. No mention of rules whatsoever (except possibly in the "Related Terms" section that follows the glossary).
Is this acceptable, or is there an important distinction that needs to be maintained in the syntax?
Note 1) I think we still need to retain the concept of a higher-level policy (e.g., a base policy) that specifies a logical combination of sub-policy results. The sub-policies may be included or referenced.
Note 2) I think it would be useful to include the concept of a meta-policy that specifies a logical combination of predicates about policy (e.g., grant/deny, or issuer, or issue date, or whatever). I don't know how else to be able to say general things like "policies from this authority always override policies from that authority", or "denies always override grants", or "policies issued in the past month always override older policies".
Carlisle.
----------
From: Polar Humenn[SMTP:polar@syr.edu]
Sent: Monday, February 11, 2002 6:19 PM
To: 'xacml@lists.oasis-open.org'
Subject: [xacml] Questions and Clarifications on the Concall
I got the impression that we are generally scrapping the notion of
combining policies and predicates alike. Is that the case?
Will we have different syntax for:
1. Combination of Predicates. (Rules?)
2. Combinations of Rules (Policies?)
3. Combinations of Policies? (Meta-Policies?)