[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] [CR] New Section 7.x: Initial policy
On Wed, 9 Oct 2002, Anne Anderson wrote:

> A PDP may encounter a situation where it finds multiple policies,
> despite our statement that it MUST NOT. I am trying to provide
> guidance for the implementer on how to handle this situation.
>
> A typical, skilled implementor known to me, who shall remain
> unnamed, wanted to know if he/she should write her/his
> implementation to *verify* that there is only one and what to
> return if more than one were encountered.
>
> So this is a real question that implementors want to know the
> answer to.

I would say in this case the PDP is configured with a SINGLE "virtual"
PolicySet, where its policies are retrieved by their applicable targets,
and then the result combined with some standard combining algorithm.
So, name it: First Applicable, DenyOverrides, PermitOverrides.

We can come up with a new combining algorithm "There can be only one." :)

-Polar

> -Anne
>
> On 8 October, Polar Humenn writes: Re: [xacml] [CR] New Section 7.x: Initial policy
> > Again, this is up to configuration of the PDP. You either say that the PDP
> > is represented by ONE and only ONE policy and leave it at that.
> >
> > If you go multiple Policy, then things are up for grabs. You are sort of
> > outlining a twist on the First Applicable combining algorithm with some
> > mandated configuration.
> >
> > But, there are no configuration interfaces for the PDP, so how can you
> > enforce what its configuration has to be?
> >
> > I suggest that we either say that a PDP is represented by ONE and only ONE
> > policy (of where everything is specified by XACML policy), or it's up to
> > the configuration, and/or its management interfaces, if it has any.
> >
> > -Polar
> >
> > On Tue, 8 Oct 2002, Anne Anderson wrote:
> >
> > > CR: Add new section to Chapter 7 to describe requirements on the
> > > initial policy used by the PDP.
> > >
> > > Rationale: clarify the requirements on initial policy.
> > >
> > > Text:
> > >
> > > 7.x Initial policy
> > >
> > > A PDP MUST have a means of obtaining either zero initial
> > > applicable policies or one initial applicable policy for a given
> > > <Request>. If the PDP has zero initial applicable policies, then
> > > the PDP MUST return a result of "NotApplicable". If the PDP has
> > > more than one initial applicable policy, then the PDP MUST return
> > > a result of "Indeterminate" (due to "Initial policy not unique").
> > > If the PDP can determine a single initial applicable policy by
> > > assuming that there is only one, then the PDP MUST return the
> > > result of evaluating that policy. If the PDP is unable to
> > > determine whether there is only a single applicable policy (such
> > > as obtaining an "Indeterminate" result when comparing the
> > > <Request> against the <Target> of a policy candidate), then the
> > > PDP MUST return a result of "Indeterminate" (due to "Error in
> > > obtaining initial policy").
> > >
> > > The single initial policy MAY be configured as part of the PDP.
> > >
> > > The single initial policy MAY be retrieved from among multiple
> > > candidates from a repository, based on matching the <Request>
> > > against the <Target> elements of the candidates. There MUST be
> > > only one policy in the repository that will match any given
> > > <Request>. The PDP MUST be implemented to assume there is only
> > > one match, such that, if a candidate policy is found, no further
> > > search for candidates is performed. However, if multiple matches
> > > are unavoidably encountered by the implementation, then the PDP
> > > MUST return a result of "Indeterminate" (due to "Initial policy
> > > not unique").
> > >
> > > The single initial policy MAY be constructed by the PIP based on
> > > a single configured Policy Combining Algorithm and a set of
> > > policies retrieved from among multiple candidates in a
> > > repository, based on matching the <Request> against the <Target>
> > > elements of the candidates. In this case, there MAY be more than
> > > one policy in the repository that matches a given <Request>. In
> > > this case, if the evaluation of the <Target> of any candidate
> > > policy returns a result of "Indeterminate", then that candidate
> > > policy MUST be included in the set of policies from which the
> > > single initial policy is constructed.
>
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311   Tel: 781/442-0928
> Burlington, MA 01803-0902 USA Fax: 781/442-1692
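The two designs argued over in this message, Anne's single-initial-policy rule (with the "verifying" implementation her implementor asked about) and Polar's single virtual PolicySet with a standard combining algorithm, are contrasted in the following toy PDP. This is an added example for this archive page, not OASIS text and not any real PDP's code; the policy and request representations, the repository contents, the Indeterminate handling in the simplified combining algorithms, and the treatment of a missing request attribute as an Indeterminate target match are all assumptions made here.

```python
"""Toy PDP contrasting the two "initial policy" designs discussed above.

Added example; not OASIS text or any real PDP's code. Policies, requests and
the simplified combining algorithms below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"
MATCH, NO_MATCH = "Match", "NoMatch"


@dataclass
class Policy:
    id: str
    target: Dict[str, str]   # attribute -> value the <Target> requires
    effect: str              # decision the policy yields once it applies


def match_target(policy: Policy, request: Dict[str, str]) -> str:
    """Compare a <Request> against a <Target>. An attribute the request lacks
    cannot be compared at all, so the match is Indeterminate (assumption:
    every target attribute must be present in the request)."""
    for attr, wanted in policy.target.items():
        if attr not in request:
            return INDETERMINATE
        if request[attr] != wanted:
            return NO_MATCH
    return MATCH


def decide_single_initial(policies: List[Policy], request: Dict[str, str]) -> Tuple[str, str]:
    """Anne's proposed 7.x in the 'verifying' form: scan every candidate
    rather than stopping at the first hit, so a repository that violates the
    one-match rule is detected and reported as Indeterminate."""
    applicable = []
    for p in policies:
        m = match_target(p, request)
        if m == INDETERMINATE:
            return INDETERMINATE, "Error in obtaining initial policy"
        if m == MATCH:
            applicable.append(p)
    if not applicable:
        return NOT_APPLICABLE, ""
    if len(applicable) > 1:
        return INDETERMINATE, "Initial policy not unique"
    return applicable[0].effect, ""


# --- Polar's alternative: one virtual PolicySet plus a combining algorithm ---

def first_applicable(results: List[str]) -> str:
    for r in results:
        if r != NOT_APPLICABLE:
            return r            # an Indeterminate candidate wins the race too
    return NOT_APPLICABLE


def deny_overrides(results: List[str]) -> str:
    # Simplified: Deny wins, an unevaluable candidate is surfaced as an
    # error, Permit only if nothing else applied.
    if DENY in results:
        return DENY
    if INDETERMINATE in results:
        return INDETERMINATE
    return PERMIT if PERMIT in results else NOT_APPLICABLE


def permit_overrides(results: List[str]) -> str:
    if PERMIT in results:
        return PERMIT
    if INDETERMINATE in results:
        return INDETERMINATE
    return DENY if DENY in results else NOT_APPLICABLE


def only_one_applicable(results: List[str]) -> str:
    """Polar's 'There can be only one': exactly one candidate may apply, and
    an Indeterminate target match makes uniqueness unknowable."""
    if INDETERMINATE in results:
        return INDETERMINATE
    applicable = [r for r in results if r != NOT_APPLICABLE]
    if not applicable:
        return NOT_APPLICABLE
    return applicable[0] if len(applicable) == 1 else INDETERMINATE


def decide_virtual_policyset(policies: List[Policy], request: Dict[str, str],
                             algorithm: Callable[[List[str]], str]) -> str:
    """Every candidate is retrieved by target; a candidate whose <Target>
    evaluates Indeterminate stays in the set, as Anne's last paragraph
    requires, and the combining algorithm decides what that means."""
    results = []
    for p in policies:
        m = match_target(p, request)
        results.append(p.effect if m == MATCH else
                       NOT_APPLICABLE if m == NO_MATCH else INDETERMINATE)
    return algorithm(results)


# Constructed repository: P1 and P2 overlap on /payroll (violating the
# one-match rule), and P4 needs an attribute not every request carries.
REPOSITORY = [
    Policy("P1", {"resource": "/payroll", "action": "read"}, PERMIT),
    Policy("P2", {"resource": "/payroll"}, DENY),
    Policy("P3", {"resource": "/public"}, PERMIT),
    Policy("P4", {"clearance": "secret"}, PERMIT),
]

if __name__ == "__main__":
    req = {"resource": "/payroll", "action": "read", "clearance": "none"}
    print("single initial:", decide_single_initial(REPOSITORY, req))
    for alg in (first_applicable, deny_overrides, permit_overrides, only_one_applicable):
        print(alg.__name__, decide_virtual_policyset(REPOSITORY, req, alg))
```

The overlapping /payroll request is the interesting case: the single-initial-policy rule refuses to decide ("Initial policy not unique"), while the virtual PolicySet answers Permit, Deny or Permit depending on which standard algorithm is configured, and only the "there can be only one" algorithm reproduces Anne's refusal. Note also that first-applicable on a repository with an unevaluable candidate returns whatever applies earlier in the list, so policy order silently matters there; a request missing the attribute P4 needs is a hard error under the single-policy rule but a Permit under first-applicable.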