
Subject: Re: [xacml] [CR] Add Default-deny policy combination algorithm



If we add that, we should probably add the analogous "Default-permit"
algorithm as well to keep it symmetric.

As for the First Applicable, the last rule can be written to handle any
default. (Convenient, eh? :)

-Polar

On Thu, 22 Aug 2002, Anne Anderson wrote:

> Add normative, mandatory-to-implement Default-deny policy
> combination algorithm.
>
> Text to be added as new section in Appendix C.
>
> The following specification defines the "Default Deny" policy
> combining algorithm of a policy set.
>
>    In the entire set of policies to be evaluated, if any policy
>    evaluates to Deny, then the result of the policy combination
>    shall be Deny.  In other words, Deny takes precedence,
>    regardless of the result of evaluating any of the other
>    policies in the combination.  If all policies are found not to
>    be applicable to the request, the policy combination returns
>    Deny.  If there is any error evaluating the target of a
>    policy, or a reference to a policy is considered invalid, or
>    the policy evaluation results in Indeterminate, then the
>    result of the combination shall be Deny.
>
> The following pseudo code represents the evaluation strategy of
> this policy-combining algorithm.
>
>    Decision defaultDenyPolicyCombiningAlgorithm(Policy policies[])
>    {
>        Boolean atLeastOnePermit = false;
>        for ( i=0 ; i < lengthOf(policies) ; i++ )
>        {
>            Decision decision = evaluate(policies[i]);
>            if (decision == Deny)
>            {
>                return Deny;
>            }
>            if (decision == Permit)
>            {
>                atLeastOnePermit = true;
>                continue;
>            }
>            if (decision == NotApplicable)
>            {
>                continue;
>            }
>            if (decision == Indeterminate)
>            {
>                return Deny;
>            }
>        }
>        if (atLeastOnePermit)
>        {
>            return Permit;
>        }
>        return NotApplicable;
>    }
>
> Obligations of the individual policies shall be combined as
> described in Section "Obligations."
>
> Rationale:
>
>    [The Bill Parducci Memorial Combination Algorithm] At the top
>    level, a PDP may want to return Deny where Deny-Overrides
>    would have returned NotApplicable.  In other words, the PDP
>    will return Deny unless the request is explicitly permitted
>    and not explicitly denied.
>
>    This combination algorithm may be used with underlying
>    algorithms of either Permit-Overrides or Deny-Overrides to
>    convert Indeterminate or NotApplicable results to Deny.
>
> Anne
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive, UBUR02-311    Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
>
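As an added example that is not part of the thread, here is the Default-Deny combiner in Python done the way the rationale frames it: an underlying combiner (a Deny-Overrides sketch assumed here for comparison) whose NotApplicable and Indeterminate results are mapped to Deny, which yields Deny for an all-NotApplicable set as the quoted prose states, where the last line of the quoted pseudo code would return NotApplicable. The request dictionary, the policy-as-callable model and the sample policies are constructed for this example.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

def evaluate_all(policies, request):
    """Yield each policy's decision (a policy here is a callable over a request
    dict, a hypothetical stand-in for evaluate(policies[i])); an exception
    while evaluating is reported as Indeterminate, which the prose maps to Deny."""
    for policy in policies:
        try:
            yield policy(request)
        except Exception:
            yield Decision.INDETERMINATE

def deny_overrides(policies, request):
    """Deny-Overrides as assumed here for comparison: Deny or Indeterminate wins
    as Deny; otherwise Permit if any policy permitted; else NotApplicable."""
    saw_permit = False
    for d in evaluate_all(policies, request):
        if d in (Decision.DENY, Decision.INDETERMINATE):
            return Decision.DENY
        saw_permit = saw_permit or d is Decision.PERMIT
    return Decision.PERMIT if saw_permit else Decision.NOT_APPLICABLE

def default_deny(underlying, policies, request):
    """Default-Deny as the rationale frames it: run an underlying combiner and
    map Indeterminate and NotApplicable to Deny, so only an explicit Permit
    that no Deny overrode gets through."""
    result = underlying(policies, request)
    return result if result is Decision.PERMIT else Decision.DENY

# Constructed sample policies: alice may read /doc, anyone else reading /doc
# is denied, and the reference behind /secret fails to resolve.
def read_doc(req):
    if req.get("resource") == "/doc" and req.get("action") == "read":
        return Decision.PERMIT if req.get("subject") == "alice" else Decision.DENY
    return Decision.NOT_APPLICABLE

def broken_policy(req):
    if req.get("resource") == "/secret":
        raise ValueError("policy reference could not be resolved")
    return Decision.NOT_APPLICABLE

POLICIES = [read_doc, broken_policy]
```

The request for /other is where the two combiners part ways: Deny-Overrides returns NotApplicable while Default-Deny returns Deny, which is exactly the gap the proposal is meant to close.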


