Subject: Re: [xacml] [CR] Add Default-deny policy combination algorithm
See below:

On Thu, 22 Aug 2002, Anne Anderson wrote:

> Add normative, mandatory-to-implement Default-deny policy
> combination algorithm.
>
> Text to be added as new section in Appendix C.
>
> The following specification defines the "Default Deny" policy
> combining algorithm of a policy set.
>
> In the entire set of policies to be evaluated, if any policy
> evaluates to Deny, then the result of the policy combination
> shall be Deny. In other words, Deny takes precedence,
> regardless of the result of evaluating any of the other
> policies in the combination. If all policies are found not to
> be applicable to the request, the policy combination returns
> Deny. If there is any error evaluating the target of a
> policy, or a reference to a policy is considered invalid, or
> the policy evaluation results in Indeterminate, then the
> result of the combination shall be Deny.
>
> The following pseudo code represents the evaluation strategy of
> this policy-combining algorithm.
>
> Decision defaultDenyPolicyCombiningAlgorithm(Policy policies[])
> {
>     Boolean atLeastOnePermit = false;
>     for ( i=0 ; i < lengthOf(policies) ; i++ )
>     {
>         Decision decision = evaluate(policies[i]);
>         if (decision == Deny)
>         {
>             return Deny;
>         }
>         if (decision == Permit)
>         {
>             atLeastOnePermit = true;
>             continue;
>         }
>         if (decision == NotApplicable)
>         {
>             continue;
>         }
>         if (decision == Indeterminate)
>         {
>             return Deny;
>         }
>     }
>     if (atLeastOnePermit)
>     {
>         return Permit;
>     }
>     return NotApplicable;

I think you meant this to be return Deny;

> }
>
> Obligations of the individual policies shall be combined as
> described in Section "Obligations."
>
> Rationale:
>
> [The Bill Parducci Memorial Combination Algorithm] At the top
> level, a PDP may want to return Deny where Deny-Overrides
> would have returned NotApplicable. In other words, the PDP
> will return Deny unless the request is explicitly permitted
> and not explicitly denied.
>
> This combination algorithm may be used with underlying
> algorithms of either Permit-Overrides or Deny-Overrides to
> convert Indeterminate or NotApplicable results to Deny.
>
> Anne
> --
> Anne H. Anderson               Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
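The following is an added, runnable rendering of the proposed Default-deny policy-combining algorithm, with the final fall-through returning Deny as the reply suggests; it is example code written for this page, not text from the XACML specification or from the thread. Policies are modelled as plain Python callables (an assumption for illustration), an exception raised during evaluation stands in for "error evaluating the target" or "invalid policy reference", and a deny-overrides variant is included only to make the contrast described in the rationale concrete (assumed to differ solely in what is returned when no policy applies).

```python
from enum import Enum
from typing import Callable, Dict, Iterable, List


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


# Hypothetical model: a policy is any callable that takes a request (a dict of
# attribute name -> value) and returns a Decision.
Request = Dict[str, str]
Policy = Callable[[Request], Decision]


def evaluate(policy: Policy, request: Request) -> Decision:
    """Evaluate one policy; any evaluation error collapses to Indeterminate."""
    try:
        return policy(request)
    except Exception:
        return Decision.INDETERMINATE


def default_deny(policies: Iterable[Policy], request: Request) -> Decision:
    """Default-deny combining: Deny unless explicitly permitted and not denied."""
    at_least_one_permit = False
    for policy in policies:
        decision = evaluate(policy, request)
        if decision is Decision.DENY:
            return Decision.DENY            # Deny takes precedence
        if decision is Decision.INDETERMINATE:
            return Decision.DENY            # evaluation errors fail closed
        if decision is Decision.PERMIT:
            at_least_one_permit = True
        # NotApplicable: keep looking
    if at_least_one_permit:
        return Decision.PERMIT
    return Decision.DENY                    # nothing applied: Deny, not NotApplicable


def deny_overrides(policies: Iterable[Policy], request: Request) -> Decision:
    """Deny-overrides for contrast (assumed: same loop, but all-NotApplicable
    stays NotApplicable instead of becoming Deny)."""
    at_least_one_permit = False
    for policy in policies:
        decision = evaluate(policy, request)
        if decision in (Decision.DENY, Decision.INDETERMINATE):
            return Decision.DENY
        if decision is Decision.PERMIT:
            at_least_one_permit = True
    return Decision.PERMIT if at_least_one_permit else Decision.NOT_APPLICABLE


# --- constructed sample policies (not from any real deployment) ---
def finance_readers(request: Request) -> Decision:
    """Applies only to /finance: accountants may read, everyone else is denied."""
    if request.get("resource") != "/finance":
        return Decision.NOT_APPLICABLE
    return Decision.PERMIT if request.get("role") == "accountant" else Decision.DENY


def block_contractors(request: Request) -> Decision:
    """Denies contractors regardless of resource; silent otherwise."""
    return Decision.DENY if request.get("role") == "contractor" else Decision.NOT_APPLICABLE


def broken_policy(request: Request) -> Decision:
    """Simulates an unresolvable policy reference (an evaluation error)."""
    raise RuntimeError("policy reference could not be resolved")


POLICIES: List[Policy] = [finance_readers, block_contractors]

if __name__ == "__main__":
    samples = [
        {"resource": "/finance", "role": "accountant"},   # explicit Permit
        {"resource": "/finance", "role": "intern"},       # explicit Deny
        {"resource": "/hr", "role": "employee"},          # nothing applies
    ]
    for req in samples:
        print(req, "default-deny:", default_deny(POLICIES, req).value,
              "deny-overrides:", deny_overrides(POLICIES, req).value)
    print("with broken policy:",
          default_deny(POLICIES + [broken_policy], samples[0]).value)
```

The third sample request is the case the rationale is about: no policy covers /hr, so deny-overrides answers NotApplicable while default-deny answers Deny. The last line shows the fail-closed path, where a single unresolvable policy reference turns an otherwise permitted request into Deny.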