Re: [xacml] Discussion summary and revised post-condition proposal

[Polar Humenn <polar@syr.edu>]

Let us see get a litte (but not much) more concrete with what you expect
to happen with this example that composes two policies.

Policy C is a composition of two policies, A and B with a combinator that
must says that A and B must both Permit in order to grant access.

Policy-A is:
<policy>
    <rules leading to either Permit, Deny, or Indeterminate)
    <onPermit>
       p1,...pm
    </onPermit>
    </onDeny>
       q1,...,qn
    </onDeny>
</policy>

Policy-B is:
<policy>
    <rules leading to either Permit, Deny, or Indeterminate)
    <onPermit>
       r1,...ro
    </onPermit>
    </onDeny>
       s1,...,su
    </onDeny>
</policy>

How do we evaluate Policy C, which is:

<policy>
  <All-must-permit>
        Policy-A
        Policy-B
  </all-must-permit>
  <onPermit>
    d1,...,dv
  </onPermit>
  <onDeny>
    e1,...,ew
  </onDeny>
</policy>

Just so I don't go emumerating all the various evaluation scenarios, let
me see where people are thinking.

But first, before you leap, I think it's important that in order to be
consitent in what you want, at the very least, no matter how you evaluate
the parts of Policy C, you should hope to get the same answer.

What would the above policy C evaluate to if the following:

Policy A      Policy B     Policy C
------------------------------------
Permit        Permit
Permit        Deny
Permit        Indeterminate
Deny          Permit
Deny          Deny
Deny          Indeterminate
Indeterminate Permit
Indeterminate Deny
Indeterminate Indeterminate

Policy C's column should contain something of the form:

       ? with obligations ________

What does column "Policy C" look like?

Cheers,
-Polar


On Thu, 21 Feb 2002, bill parducci wrote:

> > I have some questions on the post conditions w.r.t compose the policies,
> > especially with the GRANT/DENY semantics that MUST be performed by the PEP
> > in the "provided that" clause, which Michiharu-san lays out below.
> >
> > What should the PDP result be if the PDP cannot determine that the PEP can
> > fulfill the "provisions" on a policy? Say a policy evaluates to "Permit
> > provided that p1,...,pn" which, according to the semantics in the summary
> > below a PEP that could not fulfill any of p1,...,pn would change this
> > result to "Deny". This "change" is performed by the PEP. However, what if
> > we have two policies, each with provisions that are composed by the PDP.
> >
> > If policy A is composed with another policy B, the PDP must know exactly
> > what the PEP can enforce, because according to the operational semantics
> > outlined below, the PEP can "change" the policy A evaluation from "Permit"
> > to "Deny", which may effect the out come of the composition of Policy A and
> > B, say if the combinator were to mean "all policies MUST Permit".
>
>
> the term 'MUST' should no longer be in the definition. the solution that
> we have come up with is that the PDP is unconcerned with the PEPs
> ability to perform obilgations/provisions/post-conditions (we need to
> decide on what to call these buggers!) therefore, the PDP consults
> obligations after reaching a resolution on the request, and only then to
> provide the obligations upon with the decision is provided.
>
> i think that this slipped by:
>
> /*
> One of the problems with the term 'post-condition' is that it
> technically refers to the *state* of something after an event, not
> something that must be done.
> */
>
> i believe that the appropriate phrase is: 'something that IS EXPECTED TO
> be done.'
>
>
> > Also another question:
> >
> > It seems that the "provisions" are stated on "onTrue" "onFalse", lets say
> > in our current proposal from Simon that we are really talking about
> > "onPermit"  or "onDeny".
> >
> > This means that a policy either evaluates to
> >
> > 1. Permit provided that p1,...pn
> > 2. Deny provided that q1,...,qm
> >
> > Let us say we have a policy with BOTH "onPermit" and "onDeny" provisions.
> >
> > If #1 is the case, and the PEP cannot fulfill one of p1,...,pn, then does
> > the PEP need to fulfill q1,...,qm?
>
>
> following from above, this reads:
>
> 1. Permit with obligation p1,...pn
>
> 2. Deny with obligation q1,...qn
>
>
> > What does "Deny with ERROR that may need to be handled by the PEP or ERROR
>
> > output to the PEP administration" really mean?
>
>
> this situation arises when you have 'DENY with obligation' and the
> obligation cannot be met (you obviously can't allow :o) this is handled
> by any 'unfulfillable obligation' generating an ERROR on the PEP (which
> results in an effective DENY, but with the notation of incomplete
> process). that is my understanding.
>
> example:
>
> PEP: request for access to X by Y
> PDP: deny, if existing session  for Y
> (yeah, i know, it can be written better using allow :o)
> PEP: don't understand 'another session'
> PEP: access denied
> PEP: error
>
> b
>
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>