Subject: [xacml] [CR] New Section 7.x: Initial policy
CR: Add new section to Chapter 7 to describe requirements on the initial policy used by the PDP.

Rationale: clarify the requirements on initial policy.

Text:

7.x Initial policy

A PDP MUST have a means of obtaining either zero initial applicable policies or one initial applicable policy for a given <Request>.

If the PDP has zero initial applicable policies, then the PDP MUST return a result of "NotApplicable". If the PDP has more than one initial applicable policy, then the PDP MUST return a result of "Indeterminate" (due to "Initial policy not unique"). If the PDP can determine a single initial applicable policy by assuming that there is only one, then the PDP MUST return the result of evaluating that policy. If the PDP is unable to determine whether there is only a single applicable policy (such as obtaining an "Indeterminate" result when comparing the <Request> against the <Target> of a policy candidate), then the PDP MUST return a result of "Indeterminate" (due to "Error in obtaining initial policy").

The single initial policy MAY be configured as part of the PDP.

The single initial policy MAY be retrieved from among multiple candidates from a repository, based on matching the <Request> against the <Target> elements of the candidates. There MUST be only one policy in the repository that will match any given <Request>. The PDP MUST be implemented to assume there is only one match, such that, if a candidate policy is found, no further search for candidates is performed. However, if multiple matches are unavoidably encountered by the implementation, then the PDP MUST return a result of "Indeterminate" (due to "Initial policy not unique").

The single initial policy MAY be constructed by the PIP based on a single configured Policy Combining Algorithm and a set of policies retrieved from among multiple candidates in a repository, based on matching the <Request> against the <Target> elements of the candidates. In this case, there MAY be more than one policy in the repository that matches a given <Request>. In this case, if the evaluation of the <Target> of any candidate policy returns a result of "Indeterminate", then that candidate policy MUST be included in the set of policies from which the single initial policy is constructed.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
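
The selection rules proposed in the message above, as an added example that is not part of the original message or of the XACML specification. It is one reading of the proposed text, assuming targets modelled as attribute dictionaries, a missing request attribute treated as an "Indeterminate" target comparison, and a hypothetical `exhaustive` flag for a lookup that cannot stop at the first match; the repository and requests are constructed.

```python
# Added example: toy model of the proposed 7.x rules. Targets, requests and
# policy names are constructed sample data, not XACML syntax.
MATCH, NO_MATCH, INDET = "Match", "NoMatch", "Indeterminate"

def target_match(target, request):
    """Compare a request with a target (dict of attribute -> required value).
    Assumption: a missing attribute makes the comparison Indeterminate."""
    if any(attr not in request for attr in target):
        return INDET
    same = all(request[attr] == value for attr, value in target.items())
    return MATCH if same else NO_MATCH

def select_initial_policy(repository, request, exhaustive=False):
    """Single-policy repository mode. Returns (decision, detail); a decision
    of "Evaluate" means detail names the one policy to evaluate.
    exhaustive=True models a lookup that unavoidably returns every hit."""
    matches = []
    for name, target in repository:
        outcome = target_match(target, request)
        if outcome == INDET:
            # Cannot tell whether this candidate applies: fail closed.
            return ("Indeterminate", "Error in obtaining initial policy")
        if outcome == MATCH:
            matches.append(name)
            if not exhaustive:
                break  # assume the match is unique; stop searching
    if not matches:
        return ("NotApplicable", None)
    if len(matches) > 1:
        return ("Indeterminate", "Initial policy not unique")
    return ("Evaluate", matches[0])

def combining_set(repository, request):
    """Combining-algorithm mode: keep candidates whose target matches and
    those whose target comparison is Indeterminate."""
    return [name for name, target in repository
            if target_match(target, request) in (MATCH, INDET)]

# Constructed repository that deliberately breaks the uniqueness requirement.
REPO = [
    ("doctors-read", {"role": "doctor", "action": "read"}),
    ("records-read", {"resource": "record", "action": "read"}),
    ("admin-any", {"role": "admin"}),
]
NURSE_WRITE = {"role": "nurse", "action": "write", "resource": "record"}
DOCTOR_READ = {"role": "doctor", "action": "read", "resource": "record"}
ADMIN_READ = {"role": "admin", "action": "read"}  # no "resource" attribute
```

With `exhaustive=False` the overlapping `records-read` policy is never seen for `DOCTOR_READ`, which is why the text places the uniqueness requirement on the repository as well as on the PDP.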