Subject: Re: [xacml] [CR] New Section 7.x: Initial policy


On Wed, 9 Oct 2002, Anne Anderson wrote:

> A PDP may encounter a situation where it finds multiple policies,
> despite our statement that it MUST NOT.  I am trying to provide
> guidance for the implementer on how to handle this situation.
>
> A typical, skilled implementor known to me, who shall remain
> unnamed, wanted to know if he/she should write her/his
> implementation to *verify* that there is only one and what to
> return if more than one were encountered.
>
> So this is a real question that implementors want to know the
> answer to.

I would say in this case the PDP is configured with a SINGLE "virtual"
PolicySet, where its policies are retrieved by their applicable targets,
and then the result combined with some standard combining algorithm. So,
name it: First Applicable, DenyOverrides, PermitOverrides. We can come up
with a new combining algorithm "There can be only one." :)

-Polar

> -Anne
>
> On 8 October, Polar Humenn writes: Re: [xacml] [CR] New Section 7.x: Initial policy
>  > Again, this is up to configuration of the PDP. You either say that the PDP
>  > is represented by ONE and only ONE policy and leave it at that.
>  >
>  > If you go multiple Policy, then things are up for grabs.  You are sort of
>  > outlining a twist on the First Applicable combining algorithm with some
>  > mandated configuration.
>  >
>  > But, there are no configuration interfaces for the PDP, so how can you
>  > enforce what its configuration has to be?
>  >
>  > I suggest that we either say that a PDP is represented by ONE and only ONE
>  > policy (of where everything is specified by XACML policy), or it's up to
>  > the configuration, and/or its management interfaces, if it has any.
>  >
>  > -Polar
>  >
>  > On Tue, 8 Oct 2002, Anne Anderson wrote:
>  >
>  > > CR: Add new section to Chapter 7 to describe requirements on the
>  > > initial policy used by the PDP.
>  > >
>  > > Rationale: clarify the requirements on initial policy.
>  > >
>  > > Text:
>  > >
>  > > 7.x Initial policy
>  > >
>  > > A PDP MUST have a means of obtaining either zero initial
>  > > applicable policies or one initial applicable policy for a given
>  > > <Request>.  If the PDP has zero initial applicable policies, then
>  > > the PDP MUST return a result of "NotApplicable".  If the PDP has
>  > > more than one initial applicable policy, then the PDP MUST return
>  > > a result of "Indeterminate" (due to "Initial policy not unique").
>  > > If the PDP can determine a single initial applicable policy by
>  > > assuming that there is only one, then the PDP MUST return the
>  > > result of evaluating that policy.  If the PDP is unable to
>  > > determine whether there is only a single applicable policy (such
>  > > as obtaining an "Indeterminate" result when comparing the
>  > > <Request> against the <Target> of a policy candidate), then the
>  > > PDP MUST return a result of "Indeterminate" (due to "Error in
>  > > obtaining initial policy").
>  > >
>  > > The single initial policy MAY be configured as part of the PDP.
>  > >
>  > > The single initial policy MAY be retrieved from among multiple
>  > > candidates from a repository, based on matching the <Request>
>  > > against the <Target> elements of the candidates.  There MUST be
>  > > only one policy in the repository that will match any given
>  > > <Request>.  The PDP MUST be implemented to assume there is only
>  > > one match, such that, if a candidate policy is found, no further
>  > > search for candidates is performed.  However, if multiple matches
>  > > are unavoidably encountered by the implementation, then the PDP
>  > > MUST return a result of "Indeterminate" (due to "Initial policy
>  > > not unique").
>  > >
>  > > The single initial policy MAY be constructed by the PIP based on
>  > > a single configured Policy Combining Algorithm and a set of
>  > > policies retrieved from among multiple candidates in a
>  > > repository, based on matching the <Request> against the <Target>
>  > > elements of the candidates.  In this case, there MAY be more than
>  > > one policy in the repository that matches a given <Request>.  In
>  > > this case, if the evaluation of the <Target> of any candidate
>  > > policy returns a result of "Indeterminate", then that candidate
>  > > policy MUST be included in the set of policies from which the
>  > > single initial policy is constructed.
>
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
>
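The selection rules from the proposed Section 7.x quoted above, next to Polar's "single virtual PolicySet" alternative, as an added example that is not part of the original thread or of any XACML implementation. The `Policy` class, `match_target`, and the attribute-equality model of `<Target>` matching are this example's own simplifying assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed example, not code from the XACML TC or any PDP product.
# <Target> matching is reduced to attribute equality; a required attribute
# missing from the request yields an "Indeterminate" target evaluation.

Request = Dict[str, str]

@dataclass
class Policy:
    policy_id: str
    target: Dict[str, str]   # attribute -> value the <Target> requires
    effect: str              # result of evaluating the policy: "Permit" or "Deny"

def match_target(policy: Policy, request: Request) -> str:
    """Return "Match", "NoMatch" or "Indeterminate" for a policy's <Target>."""
    for attr, wanted in policy.target.items():
        if attr not in request:
            return "Indeterminate"   # cannot compare: attribute absent
        if request[attr] != wanted:
            return "NoMatch"
    return "Match"

def select_initial_policy(candidates: List[Policy], request: Request) -> Tuple[str, str]:
    """Section 7.x in the 'verify there is only one' reading: every candidate's
    <Target> is evaluated. Rule ordering when both multiple matches and an
    Indeterminate target occur is this example's assumption: two definite
    matches already prove the initial policy is not unique."""
    results = [(p, match_target(p, request)) for p in candidates]
    matches = [p for p, r in results if r == "Match"]
    if len(matches) > 1:
        return "Indeterminate", "Initial policy not unique"
    if any(r == "Indeterminate" for _, r in results):
        return "Indeterminate", "Error in obtaining initial policy"
    if not matches:
        return "NotApplicable", ""
    return matches[0].effect, matches[0].policy_id   # evaluate the single policy

def virtual_policyset_first_applicable(candidates: List[Policy], request: Request) -> str:
    """Polar's alternative: the repository is one PolicySet combined by a
    standard algorithm (First Applicable here), so several matching policies
    are no longer an error condition but an ordinary combining case."""
    for p in candidates:
        r = match_target(p, request)
        if r == "Indeterminate":
            return "Indeterminate"   # first-applicable stops at an Indeterminate policy
        if r == "Match":
            return p.effect
    return "NotApplicable"
```

The two functions give different answers for the same repository, which is exactly the design choice the thread is arguing about: report non-uniqueness as an error, or let a configured combining algorithm resolve it.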