OASIS Mailing List Archives

xacml message

Subject: [xacml] v14 Section 8: another rule combining algorithm


We have done considerable work to ensure that policies MAY be
constructed in such a way that not all information needs to be
retrieved in order to reach a decision.  This is particularly
important in a distributed scenario, where it may be relatively
expensive to retrieve rules, policies, or policy combinations
from remote sites.

To support this, I propose including the following additional
combining algorithm to Section 8 of v14:

8.2 Permit-overrides

The following is a specification for the "permit-overrides"
rule-combining algorithm.  The identifier for this algorithm is
given in Section Permit-overrides rule-combining algorithm.

   In the entire set of rules to be evaluated, if any of the
   rules evaluates to "permit", then the rule combination is
   defined to evaluate to "permit" (that is, "permit" takes
   precedence, regardless of how many rules evaluate to "deny" or
   "indeterminate", and causes the whole combination to return
   "permit").  If all of the rules found to be applicable to the
   request evaluate to "deny" or "indeterminate", then the rule
   combination is defined to evaluate to "deny".  If none of the
   rules is found to be applicable to the request, the rule
   combination returns "notApplicable".

What follows is a pseudocode representation of how the above
specification MAY be implemented.  This is provided for
illustrative and explanatory purposes.

  effect policy(rule[]) {
      atLeastOneDenyOrIndeterminate = false;
      // Scan every rule; stop as soon as one evaluates to permit.
      for( i=0; i<noOfRules; i++) {
          if (rule[i] == permit) {
              return(permit);
          }
          if (rule[i] == indeterminate) {
              atLeastOneDenyOrIndeterminate = true;
          }
          if (rule[i] == deny) {
              atLeastOneDenyOrIndeterminate = true;
          }
      }
      // No permit found: deny if anything applied, else notApplicable.
      if (atLeastOneDenyOrIndeterminate) {
          return(deny);
      } else {
          return(notApplicable);
      }
  }

The following is a specification for the "permit-overrides"
policy-combining algorithm.  The identifier for this algorithm is
given in Section Permit-overrides policy-combining algorithm.

   In the entire set of policies to be evaluated, if any of the
   policies evaluates to "permit", then the policy combination is
   defined to evaluate to "permit" (that is, "permit" takes
   precedence, regardless of how many policies evaluate to "deny"
   or "indeterminate", and causes the whole combination to return
   "permit").  If all of the policies found to be applicable to
   the request evaluate to "deny" or "indeterminate", then the
   policy combination is defined to evaluate to "deny".  If none
   of the policies is found to be applicable to the request, the
   policy combination returns "notApplicable".

What follows is a pseudocode representation of how the above
specification MAY be implemented.  This is provided for
illustrative and explanatory purposes.

  effect policySet(policy[]) {
      atLeastOneDenyOrIndeterminate = false;
      // Scan every policy; stop as soon as one evaluates to permit.
      for( i=0; i<noOfPolicies; i++) {
          if (policy[i] == permit) {
              return(permit);
          }
          if (policy[i] == indeterminate) {
              atLeastOneDenyOrIndeterminate = true;
          }
          if (policy[i] == deny) {
              atLeastOneDenyOrIndeterminate = true;
          }
      }
      // No permit found: deny if anything applied, else notApplicable.
      if (atLeastOneDenyOrIndeterminate) {
          return(deny);
      } else {
          return(notApplicable);
      }
  }

Obligations of the individual policies SHALL be combined as
described in Section Obligations.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
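The following is an added example, not part of the message above and not XACML TC text: a small Python implementation of the proposed "permit-overrides" algorithm that serves both the rule-combining and the policy-combining cases (the two specifications are identical apart from what is being combined), plus a harness that shows the property motivating the proposal, namely that evaluation can stop before every remote rule or policy has been retrieved. The `Effect` enum, the function names `permit_overrides` and `evaluate_lazily`, and the "fetcher" model of a remote rule or policy are assumptions of this example; the sample rule sets are constructed here and the algorithm identifiers (URNs) are not in the message, so none are used.

```python
from enum import Enum
from typing import Callable, Iterable, List, Tuple


class Effect(Enum):
    """The four outcomes named in the specification text."""
    PERMIT = "permit"
    DENY = "deny"
    INDETERMINATE = "indeterminate"
    NOT_APPLICABLE = "notApplicable"


def permit_overrides(decisions: Iterable[Effect]) -> Effect:
    """Permit-overrides combining algorithm as specified in the message.

    Works unchanged for rule combination (inputs are rule effects) and for
    policy combination (inputs are policy results).  The iterable is consumed
    one element at a time and abandoned at the first PERMIT, so callers that
    feed it a generator never evaluate the elements after that point.
    """
    at_least_one_deny_or_indeterminate = False
    for decision in decisions:
        if decision is Effect.PERMIT:
            return Effect.PERMIT          # permit takes precedence, stop here
        if decision in (Effect.DENY, Effect.INDETERMINATE):
            at_least_one_deny_or_indeterminate = True
        # NOT_APPLICABLE contributes nothing to the outcome
    if at_least_one_deny_or_indeterminate:
        return Effect.DENY                # something applied, nothing permitted
    return Effect.NOT_APPLICABLE          # nothing applied at all


def evaluate_lazily(fetchers: List[Callable[[], Effect]]) -> Tuple[Effect, int]:
    """Combine results pulled on demand from 'remote' sources.

    Each fetcher stands in for retrieving and evaluating one rule or policy
    from another site (an assumption of this example).  Returns the combined
    effect and how many fetchers were actually invoked, which is what the
    proposal cares about in the distributed scenario.
    """
    fetched = 0

    def pull():
        nonlocal fetched
        for fetch in fetchers:
            fetched += 1
            yield fetch()

    return permit_overrides(pull()), fetched


# Constructed sample input: three "remote" rules, the second one permitting.
REMOTE_RULES: List[Callable[[], Effect]] = [
    lambda: Effect.DENY,
    lambda: Effect.PERMIT,
    lambda: Effect.DENY,   # never retrieved under permit-overrides
]

# Constructed sample input: a policy set whose policies are themselves
# rule combinations, showing the same function used at both levels.
REMOTE_POLICIES: List[Callable[[], Effect]] = [
    lambda: permit_overrides([Effect.DENY, Effect.NOT_APPLICABLE]),    # -> deny
    lambda: permit_overrides([Effect.NOT_APPLICABLE, Effect.PERMIT]),  # -> permit
    lambda: Effect.INDETERMINATE,                                      # never retrieved
]


if __name__ == "__main__":
    for name, fetchers in (("rules", REMOTE_RULES), ("policies", REMOTE_POLICIES)):
        effect, fetched = evaluate_lazily(fetchers)
        print(f"{name}: {effect.value} after retrieving {fetched} of {len(fetchers)}")
```

The harness makes the cost argument in the message concrete: with permit-overrides, a permit found early means the remaining rules or policies are never fetched, whereas a set with no permit must be retrieved in full before the combination can settle on "deny" or "notApplicable".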