Subject: RE: [xacml] Questions and Clarifications on the Concall
Hi

> In the proposal that I posted last Friday, I tried to make a couple of other
> distinctions: a rule does not have an applicability or target element,
> whereas a policy does; and a rule has an explicit grant/deny indicator,
> whereas a policy does not.

Sounds ok.

> But in yesterday's call, Simon said that in his mind a rule does have an
> applicability element (a R-A-S triple, which may be a simplified version of
> the predicates contained in the rule).

I think the problem is that the *semantics* of the applicability element has never been clear.

> mentioned above, Pierangela questioned whether there is any need for a
> policy to have a combination of rules (i.e., either it is just a combination
> of predicates, or it is implicitly understood that they are combined in an
> OR).

My problem is that I can understand what a boolean combination of policies can be. [Note: Probably mainly for AND and OR; NOT could have use as a way to specify negation in case explicit denies are not supported (but then the fact that a rule expresses a negation would not be attached to the rule, so explicit deny would be better rather than or).] However:

- What it means to have a combination of *rules* is not clear to me. Rules should express permissions/denials; if I understand it well, they are a more expressive and fancy form of current authorizations.
- We have policies and can have combinations of policies. Why would we need combinations again within a policy?

Btw, in my understanding boolean combination of policies was intended to be combination of POLICY OUTCOMES, not of rules.

> Finally, Simon suggested that the smallest individual unit specified
> by XACML should be a policy.

No, if I recall correctly Simon said the smallest "exportable unit", which would mean the smallest unit which you can refer to in a boolean expression. This sounds good to me.

> So now I really don't understand the difference between "policy" and "rule".
> How are they different? Do we need to distinguish between them? Do we need
> separate syntax for them? Why not forget about rules altogether and say
> that, for XACML, a logical combination of predicates, with a (possibly
> simplified) applicability or target element, and with an explicit grant/deny
> indicator, *is* a policy. No mention of rules whatsoever (except possibly
> in the "Related Terms" section that follows the glossary).

Personally I think it would be cleaner to have rules. I had always assumed a policy is a set of rules, and combination operates on policies. This seems cleaner to me and just as expressive as the case where policies are boolean expressions (whose semantics instead is not completely clear to me).

> Note 1) I think we still need to retain the concept of a higher-level
> policy (e.g., a base policy) that specifies a logical combination of
> sub-policy results. The sub-policies may be included or referenced.

That is not in contrast with, and seems to be in the direction of, the proposal of having policies as a set of rules and boolean expressions on policies.

> Note 2) I think it would be useful to include the concept of a
> meta-policy that specifies a logical combination of predicates about
> policy (e.g., grant/deny, or issuer, or issue date, or whatever). I
> don't know how else to be able to say general things like "policies
> from this authority always override policies from that authority",
> or "denies always override grants", or "policies issued in the past
> month always override older policies".

Meta-policies could be fine. It is not clear to me at what level they operate. If you support grant and deny, a meta-policy could be associated with a policy, regulating how the policy should evaluate the rules in it to produce an outcome decision (which could be evaluated in a boolean expression of policies). A meta-policy could also be associated with policies which are boolean expressions of policies, I guess.

The meta-policy example in the mystery model proposal was confusing to me, as it was referring to precedence between grants and denies, and one wonders whether this could subvert possible precedence criteria that were intended *within* a specific policy.

-p
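As an added illustration of the model argued for in this message (not code from the thread or from any XACML draft), the following constructed Python sketch treats a policy as a set of grant/deny rules with a target, lets a per-policy meta-policy (deny-overrides or grant-overrides) turn the rules' outcomes into one decision, and applies boolean AND/OR only to policy outcomes. The names `Rule`, `Policy`, `combine`, `decide` and the sample document/budget policies are all hypothetical.

```python
# Added toy model of the scheme argued for in this message: a policy is a set
# of rules, a per-policy meta-policy turns its rules' outcomes into one decision,
# and boolean combination acts on policy OUTCOMES. All names/data are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]   # constructed shape: subject, resource, action keys
GRANT, DENY, NA = "grant", "deny", "not_applicable"

@dataclass
class Rule:
    effect: str                              # explicit grant/deny indicator
    predicate: Callable[[Request], bool]     # the rule's boolean condition
    def evaluate(self, req: Request) -> str:
        return self.effect if self.predicate(req) else NA

def deny_overrides(outcomes: List[str]) -> str:
    """Meta-policy: any deny among the policy's rules wins."""
    return DENY if DENY in outcomes else (GRANT if GRANT in outcomes else NA)

def grant_overrides(outcomes: List[str]) -> str:
    """Meta-policy: any grant among the policy's rules wins."""
    return GRANT if GRANT in outcomes else (DENY if DENY in outcomes else NA)

@dataclass
class Policy:
    target: Callable[[Request], bool]        # applicability (R-A-S triple)
    rules: List[Rule]
    meta: Callable[[List[str]], str] = deny_overrides
    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NA                         # policy does not apply at all
        return self.meta([r.evaluate(req) for r in self.rules])

def combine(op: str, outcomes: List[str]) -> str:
    """Boolean AND/OR over policy outcomes; non-applicable ones are skipped."""
    applicable = [o == GRANT for o in outcomes if o != NA]
    if not applicable:
        return NA
    return GRANT if (all if op == "AND" else any)(applicable) else DENY

# constructed sample: a broad document policy and a narrower budget policy
docs = Policy(lambda r: r["resource"].startswith("doc:"),
              [Rule(GRANT, lambda r: r["action"] == "read"),
               Rule(DENY, lambda r: r["action"] == "write")])
budget = Policy(lambda r: r["resource"] == "doc:budget",
                [Rule(GRANT, lambda r: r["subject"] == "cfo")], grant_overrides)

def decide(req: Request, op: str = "AND") -> str:
    return combine(op, [docs.evaluate(req), budget.evaluate(req)])
```

With the sample policies, a CFO writing `doc:budget` is denied under AND and granted under OR, which is exactly the kind of precedence question the message says a meta-policy must settle at the right level.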