Subject: Re: [xacml] [schema] PDP response where no policy applies
I have the same opinion. From PDP viewpoint, I think PDP should return permit or deny as a final decision. So, this Indeterminate case would need denial decision. I think this is a "default denial policy". (I think default permit policy is too dangerous to implement but some application may need that.)

It would be wise to add some reason e.g. "because of indeterminate" as an advice (or as some status code). My thought is that this is NOT mandatory to implement. Anyway it is helpful when you are debugging the policy to see whether it is caused by insufficient target matching or strict access denial. (I think we had discussed this topic long time ago).

If so, we need two different combination algorithms, one for rules and another for policyStatement/policySetStatement that finally returns denial.

Michiharu
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428

Anne Anderson <Anne.Anderson@Sun.com>
2002/07/27 03:23
Please respond to Anne.Anderson

To: XACML TC <xacml@lists.oasis-open.org>
cc:
Subject: [xacml] [schema] PDP response where no policy applies

If absolutely none of its policies applies, then is the PDP obligated to return Indeterminate(Inapplicable)? If the PDP wants to return Deny if no policies apply, does it have to define a base policy with a DenyOverrides rule?

We should spell this sort of behavior out in the spec.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
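A sketch of the two-level combining discussed in this thread, added here as an example; it is not code from either message or from the XACML specification. The rule-level combiner is a simplified deny-overrides, and the function names and reason strings are assumptions made for illustration.

```python
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


def combine_rules(rule_results):
    """Rule level (simplified deny-overrides): all four outcomes stay visible."""
    results = set(rule_results)
    for outcome in (Decision.DENY, Decision.INDETERMINATE, Decision.PERMIT):
        if outcome in results:
            return outcome
    return Decision.NOT_APPLICABLE


# Hypothetical reason strings (not XACML status codes), returned as advice so
# a policy author can tell a target mismatch from a strict denial.
REASONS = {
    Decision.DENY: "explicit-deny",
    Decision.INDETERMINATE: "denied-because-indeterminate",
    Decision.NOT_APPLICABLE: "denied-because-no-policy-applies",
    Decision.PERMIT: "permitted",
}


def final_decision(policies):
    """Top level: collapse to Permit or Deny only, keeping the reason.

    `policies` maps a policy name to the list of its rule results.
    """
    per_policy = [combine_rules(rules) for rules in policies.values()]
    combined = combine_rules(per_policy)
    final = Decision.PERMIT if combined is Decision.PERMIT else Decision.DENY
    return final, REASONS[combined]


if __name__ == "__main__":
    # Constructed sample: one policy permits, another fails to evaluate.
    sample = {"p1": [Decision.PERMIT], "p2": [Decision.INDETERMINATE]}
    decision, reason = final_decision(sample)
    print(decision.value, reason)
```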