OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [xacml] Proposed semantics for operations involving INDETERMI NATE

Title: RE: [xacml] Proposed semantics for operations involving INDETERMINATE

I suggest the following evaluation strategy.

1) The is no distinctions made for different functions - order of evaluation is determined by the implementation.

2) Rule, not matching the Subject/Resource/Action head yields NOTAPPLICABLE (UNKNOWN) result.  No evaluation is performed.

3) All attributes mentioned in a single condition must be present/computable when the rule is evaluated.  The case of ordered-OR (logically - not the internal optimization) can be handled by defining separate rules and by rule recombination algorithm.

Missing attributes or any other error condition during the rule evaluation yield UNDETERMINATE (ERROR) result for this particular rule.  I prefer "ERROR" moniker..

4) Following result recombination algorithm choices defined in the standard:

        a)ERROR precedence:  at least one rule evaluated to ERROR(UNDETERMINATE) returns ERROR.  Otherwise, DENY        override is followed.

        b)DENY precedence:  if UNDETERMINATE result is reached the evaluation is guaranteed to proceed. If at least     one DENY is present - DENY is returned.  If no deny, but at least one UNDETERMINATE - UNDETERMINATE is  returned, if at least one PERMIT - permit returned, otherwise NOTAPPLICABLE (UNKNOWN) is returned.

        c)DECISION precedence:  if DENY, of PERMIT is reached, it is returned. If no decision, if there is      UNDETERMINATE evaluation - it is returned, otherwise NOTAPPLICABLE is returned.

So the precedence of results are
        A) ERROR - DENY - PERMIT - UNKNOWN 
        B) DENY - ERROR - PERMIT - UNKNOWN
        c) DENY - PERMIT - ERROR - UNKNOWN  
        - meaning - at least one rule evaluating to a result with higher precedence, returns that decision. 
        Evaluation is guaranteed not to stop until all rules, that can yiled a result with higher precedence
        are tried (so in a case B, even if a single PERMIT is obtained, and no DENY - rules are evaluated to check if   no one yield ERROR (UNDETERMINATE), case C is our regular DENY override recombination with errors ignored: but  NOT withing the same condition (see item 3).

5) Any decision may (including ERROR/UNDERTERMINATE and UNKNOWN/NOTAPPLICABLE) may return advice.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC