[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] [CR] New Section 7.x: Initial policy
Again, this is up to configuration of the PDP. You either say that the PDP is represented by ONE and only ONE policy and leave it at that. If you go multiple Policy, then things are up for grabs. You are sort of outlining a twist on the First Applicable combining algorithm with some mandated configuration. But, there are no configuration interfaces for the PDP, so how can you enforce what its configuration has to be? I suggest that we either say that a PDP is represented by ONE and only ONE policy (of where everything is specified by XACML policy), or its up to the configuration, and or its mangament interfaces, if it has any. -Polar On Tue, 8 Oct 2002, Anne Anderson wrote: > CR: Add new section to Chapter 7 to describe requirements on the > initial policy used by the PDP. > > Rationale: clarify the requirements on initial policy. > > Text: > > 7.x Initial policy > > A PDP MUST have a means of obtaining either zero initial > applicable policies or one initial applicable policy for a given > <Request>. If the PDP has zero initial applicable policies, then > the PDP MUST return a result of "NotApplicable". If the PDP has > more than one initial applicable policy, then the PDP MUST return > a result of "Indeterminate" (due to "Initial policy not unique"). > If the PDP can determine a single initial applicable policy by > assuming that there is only one, then the PDP MUST return the > result of evaluating that policy. If the PDP is unable to > determine whether there is only a single applicable policy (such > as obtaining an "Indeterminate" result when comparing the > <Request> against the <Target> of a policy candidate), then the > PDP MUST return a result of "Indeterminate" (due to "Error in > obtaining initial policy"). > > The single initial policy MAY be configured as part of the PDP. > > The single initial policy MAY be retrieved from among multiple > candidates from a repository, based on matching the <Request> > against the <Target> elements of the candidates. There MUST be > only one policy in the repository that will match any given > <Request>. The PDP MUST be implemented to assume there is only > one match, such that, if a candidate policy is found, no further > search for candidates is performed. However, if multiple matches > are unavoidably encountered by the implementation, then the PDP > MUST return a result of "Indeterminate" (due to "Initial policy > not unique"). > > The single initial policy MAY be constructed by the PIP based on > a single configured Policy Combining Algorithm and a set of > policies retrieved from among multiple candidates in a > repository, based on matching the <Request> against the <Target> > elements of the candidates. In this case, there MAY be more than > one policy in the repository that matches a given <Request>. In > this case, if the evaluation of the <Target> of any candidate > policy returns a result of "Indeterminate", then that candidate > policy MUST be included in the set of policies from which the > single initial policy is constructed. > > Anne > -- > Anne H. Anderson Email: Anne.Anderson@Sun.COM > Sun Microsystems Laboratories > 1 Network Drive,UBUR02-311 Tel: 781/442-0928 > Burlington, MA 01803-0902 USA Fax: 781/442-1692 > > > ---------------------------------------------------------------- > To subscribe or unsubscribe from this elist use the subscription > manager: <http://lists.oasis-open.org/ob/adm.pl> >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC