Subject: [xacml] Proposed semantics for operations involving INDETERMINATE


In order to prevent increased privileges due to lack of
information (problem described in previous mailing), I propose
the following semantics for various operators of particular
interest:

A.  urn:oasis:names:tc:XACML:0.15i:operators:not

    1) Order of evaluation: Not applicable.  Only one operand
       permitted.
    2) When does evaluation terminate: when any one of the
       following conditions holds:
       a) The evaluated operand returns TRUE
       b) The evaluated operand returns FALSE
       c) The evaluated operand returns INDETERMINATE
    3) What result is returned:
       2a)   FALSE
       2b)   TRUE
       2c)   INDETERMINATE

B.  urn:oasis:names:tc:XACML:0.15i:operators:or

    1) Order of evaluation: not specified.  Operands may be
       evaluated in any order.
    2) When does evaluation terminate: when any one of the
       following conditions holds:
       a) One evaluated operand returns TRUE
       b) All operands have been evaluated.
          i)  And at least one operand returned INDETERMINATE
          ii) And all operands returned FALSE
    3) What result is returned:
       2a)   TRUE
       2bi)  INDETERMINATE
       2bii) FALSE

C.  urn:oasis:names:tc:XACML:0.15i:operators:orderedOr

    1) Order of evaluation: Operands MUST be evaluated in the
       order specified.
    2) When does evaluation terminate: when any one of the
       following conditions holds:
       a) One evaluated operand returns TRUE
       b) All operands have been evaluated.
          i)  And at least one operand returned INDETERMINATE
          ii) And all operands returned FALSE
    3) What result is returned:
       2a)   TRUE
       2bi)  INDETERMINATE
       2bii) FALSE

D.  urn:oasis:names:tc:XACML:?:rulecombiningalgorithms:denyOverrides

    1) Order of evaluation: not specified.  Rules may be
       evaluated in any order.
    2) When does evaluation terminate: when any one of the
       following conditions holds:
       a) One evaluated rule returns deny
       b) One evaluated rule returns indeterminate
       c) All rules have been evaluated
          i)  And at least one rule returned permit.
          ii) And all rules returned notApplicable
    3) What result is returned:
       2a)   deny
       2b)   indeterminate
       2ci)  permit
       2cii) notApplicable

E.  urn:oasis:names:tc:XACML:?:rulecombiningalgorithms:permitOverrides

    1) Order of evaluation: not specified.  Rules may be
       evaluated in any order.
    2) When does evaluation terminate: when any one of the
       following conditions holds:
       a) One evaluated rule returns permit
       b) All rules have been evaluated
          i)  And at least one rule returned indeterminate.
          ii) And all rules returned notApplicable
    3) What result is returned:
       2a)   permit
       2bi)  indeterminate
       2bii) deny

F.  urn:oasis:names:tc:XACML:?:policycombiningalgorithms:denyOverrides

    1) Order of evaluation: not specified.  Policies and
       policysets may be evaluated in any order.
    2) When does evaluation terminate: when any one of the
       following conditions holds:
       a) One evaluated policy or policyset returns deny
       b) One evaluated policy or policyset returns indeterminate
       c) All policies and policysets have been evaluated
          i)  And at least one policy or policyset returned permit.
          ii) And all policies and policysets returned notApplicable
    3) What result is returned:
       2a)   deny
       2b)   indeterminate
       2ci)  permit
       2cii) notApplicable

G.  urn:oasis:names:tc:XACML:?:policycombiningalgorithms:permitOverrides

    1) Order of evaluation: not specified.  Policies and
       policysets may be evaluated in any order.
    2) When does evaluation terminate: when any one of the
       following conditions holds:
       a) One evaluated policy or policyset returns permit
       b) All policies and policysets have been evaluated
          i)  And at least one policy or policyset returned
              indeterminate.
          ii) And all policies and policysets returned notApplicable
    3) What result is returned:
       2a)   permit
       2bi)  indeterminate
       2bii) deny

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
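An executable rendering of the semantics proposed above, added here as an illustration; it is not code from the proposal, from the author, or from any XACML implementation. Operands and rules are passed as zero-argument callables so the "when does evaluation terminate" rules can be observed directly: an operand that is never called was never evaluated. The value names (TRUE, FALSE, INDETERMINATE, permit, deny, notApplicable) follow the proposal; the helper names (probe, op_not, op_or, deny_overrides, permit_overrides, and the two reporting functions) are this example's own. One labelled assumption goes beyond the text: under permit-overrides the proposal lists only the all-notApplicable case as returning deny, and the code below also returns deny for a mix of deny and notApplicable, which the proposal does not spell out. Since D/F and E/G are word-for-word the same algorithm over rules versus policies, one function serves each pair.

```python
"""Executable rendering of the proposed INDETERMINATE semantics (example code).

Values are plain strings so traces read like the proposal. Operands and
rules are zero-argument callables (thunks) so termination can be observed:
an operand that is never called was never evaluated.
"""
from itertools import permutations

TRUE, FALSE, INDETERMINATE = "TRUE", "FALSE", "INDETERMINATE"
PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "notApplicable"


def probe(value, log):
    """Thunk that records its own evaluation in `log` and returns `value`."""
    def thunk():
        log.append(value)
        return value
    return thunk


def op_not(operand):
    """A. Exactly one operand; INDETERMINATE is never flipped to TRUE or FALSE."""
    value = operand()
    if value == TRUE:
        return FALSE          # 2a
    if value == FALSE:
        return TRUE           # 2b
    return INDETERMINATE      # 2c


def op_or(operands, order=None):
    """B (or: any order) and C (orderedOr: listed order).

    `order` is an index permutation chosen by the evaluator; orderedOr is the
    case order=None, i.e. operands are evaluated exactly as listed.
    """
    if order is None:
        order = range(len(operands))
    saw_indeterminate = False
    for i in order:
        value = operands[i]()
        if value == TRUE:
            return TRUE                   # 2a: stop at the first TRUE
        if value == INDETERMINATE:
            saw_indeterminate = True
    return INDETERMINATE if saw_indeterminate else FALSE   # 2bi / 2bii


def deny_overrides(items):
    """D (rules) and F (policies/policy sets): identical algorithm.

    Terminates on the first deny (2a) or the first indeterminate (2b), so a
    missing attribute can never be out-voted by a permit seen later.
    """
    saw_permit = False
    for item in items:
        decision = item()
        if decision == DENY:
            return DENY                   # 2a
        if decision == INDETERMINATE:
            return INDETERMINATE          # 2b
        if decision == PERMIT:
            saw_permit = True
    return PERMIT if saw_permit else NOT_APPLICABLE      # 2ci / 2cii


def permit_overrides(items):
    """E (rules) and G (policies/policy sets): identical algorithm.

    Terminates on the first permit (2a). Otherwise indeterminate if any item
    was indeterminate (2bi), else deny (2bii as written in the proposal).
    Assumption (not in the proposal): a mix of deny and notApplicable is
    also treated as deny.
    """
    saw_indeterminate = False
    for item in items:
        decision = item()
        if decision == PERMIT:
            return PERMIT                 # 2a
        if decision == INDETERMINATE:
            saw_indeterminate = True
    return INDETERMINATE if saw_indeterminate else DENY   # 2bi / 2bii


def or_is_order_independent(values):
    """B: the result of `or` must not depend on the evaluation order chosen.

    Returns the set of results over every permutation; a correct
    implementation yields exactly one element.
    """
    results = set()
    for order in permutations(range(len(values))):
        results.add(op_or([probe(v, []) for v in values], order=list(order)))
    return results


def evaluations_until_termination(combiner, values):
    """Run `combiner` over `values`; report (result, how many were evaluated)."""
    log = []
    result = combiner([probe(v, log) for v in values])
    return result, len(log)
```

The two reporting helpers are the point of the exercise: `evaluations_until_termination(deny_overrides, [permit, indeterminate, deny])` stops after the second rule and returns indeterminate, never letting the leading permit through, while `or_is_order_independent([FALSE, INDETERMINATE])` shows that every evaluation order of `or` yields INDETERMINATE, which is what makes "operands may be evaluated in any order" safe.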


