Subject: Re: [xacml] [CR] New Section 7.x: Initial policy



C.4 Only-one-applicable-policy

The following specification defines the "Only One Applicable Policy"
policy-combining algorithm of a policy set.

In the entire set of policies in the policy set, if no policy is
considered applicable by virtue of their targets, then the result of the
policy combination algorithm SHALL be "NotApplicable". If more than one
policy is considered applicable by virtue of their targets, then the
result of the policy combination algorithm SHALL be "Indeterminate".
If only one policy is considered applicable by evaluation of the policy
targets, then the result of the policy combining algorithm SHALL be the
result of evaluating the policy.

If an error occurs while evaluating the target of a policy, or a reference
to a policy is considered invalid, or the policy evaluation results in
"Indeterminate", then the policy set SHALL evaluate to "Indeterminate".

The following pseudo-code represents the evaluation strategy of this
policy combining algorithm.

Decision onlyOneApplicablePolicyCombiningAlgorithm(Policy policy[])
{
  Boolean atLeastOne     = false;   // has any target matched so far?
  Policy  selectedPolicy = null;    // the single applicable policy, once found

  // Every target is evaluated; the scan does not stop at the first match,
  // otherwise a second applicable policy could never be detected.
  for ( i = 0; i < lengthOf(policy) ; i++ )
  {
     if ( isApplicable(policy[i]) )
     {
         if ( atLeastOne )
         {
             // a second applicable policy: the initial policy is not unique
             return Indeterminate;
         }
         else
         {
             atLeastOne     = true;
             selectedPolicy = policy[i];
         }
     }
  }
  if ( atLeastOne )
  {
      return evaluate(selectedPolicy);
  }
  else
  {
      return NotApplicable;
  }
}


Then in Chapter 7.x

A PDP SHALL represent one Policy, or PolicySet. Should the PDP be dynamic
in nature in retrieving policies based on the request, the PDP SHALL act
as if it represents a single Policy Set with the "Only One Applicable Policy"
policy combining algorithm.


----

This way, with the single PEP-PDP model, and the single PDP to single
PolicySet model, we tighten up all the evaluation semantics.

Cheers,
-Polar

On Tue, 8 Oct 2002, Anne Anderson wrote:

> CR: Add new section to Chapter 7 to describe requirements on the
> initial policy used by the PDP.
>
> Rationale: clarify the requirements on initial policy.
>
> Text:
>
> 7.x Initial policy
>
> A PDP MUST have a means of obtaining either zero initial
> applicable policies or one initial applicable policy for a given
> <Request>.  If the PDP has zero initial applicable policies, then
> the PDP MUST return a result of "NotApplicable".  If the PDP has
> more than one initial applicable policy, then the PDP MUST return
> a result of "Indeterminate" (due to "Initial policy not unique").
> If the PDP can determine a single initial applicable policy by
> assuming that there is only one, then the PDP MUST return the
> result of evaluating that policy.  If the PDP is unable to
> determine whether there is only a single applicable policy (such
> as obtaining an "Indeterminate" result when comparing the
> <Request> against the <Target> of a policy candidate), then the
> PDP MUST return a result of "Indeterminate" (due to "Error in
> obtaining initial policy").
>
> The single initial policy MAY be configured as part of the PDP.
>
> The single initial policy MAY be retrieved from among multiple
> candidates from a repository, based on matching the <Request>
> against the <Target> elements of the candidates.  There MUST be
> only one policy in the repository that will match any given
> <Request>.  The PDP MUST be implemented to assume there is only
> one match, such that, if a candidate policy is found, no further
> search for candidates is performed.  However, if multiple matches
> are unavoidably encountered by the implementation, then the PDP
> MUST return a result of "Indeterminate" (due to "Initial policy
> not unique").
>
> The single initial policy MAY be constructed by the PIP based on
> a single configured Policy Combining Algorithm and a set of
> policies retrieved from among multiple candidates in a
> repository, based on matching the <Request> against the <Target>
> elements of the candidates.  In this case, there MAY be more than
> one policy in the repository that matches a given <Request>.  In
> this case, if the evaluation of the <Target> of any candidate
> policy returns a result of "Indeterminate", then that candidate
> policy MUST be included in the set of policies from which the
> single initial policy is constructed.
>
> Anne
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
>
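The combining algorithm proposed in the message above, written out as a runnable example. This is editor-added code, not code from Polar's message, from Anne's proposal, or from the XACML specification. The policy IDs, the "resource" and "role" attribute names and the role rule are constructed for the example; the treatment of a missing target attribute as a target evaluation error is an assumption. Beyond the pseudo-code, it handles the case the prose requires but the pseudo-code hides inside isApplicable(): a target that evaluates to "Indeterminate" makes the whole policy set "Indeterminate".

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Mapping, Optional, Sequence

# Editor-added example, not code from the thread. It implements the
# "Only One Applicable Policy" policy-combining algorithm described above,
# including the target-error case (a target evaluating to Indeterminate
# makes the policy set Indeterminate).


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


class TargetResult(Enum):
    MATCH = "Match"
    NO_MATCH = "NoMatch"
    INDETERMINATE = "Indeterminate"   # error while evaluating the target


Request = Mapping[str, str]


@dataclass(frozen=True)
class Policy:
    policy_id: str
    target: Callable[[Request], TargetResult]
    evaluate: Callable[[Request], Decision]


def only_one_applicable(policies: Sequence[Policy], request: Request) -> Decision:
    """Policy-combining algorithm: exactly one policy may apply to a request.

    - no target matches            -> NotApplicable
    - more than one target matches -> Indeterminate (initial policy not unique)
    - any target errors            -> Indeterminate (uniqueness cannot be decided)
    - exactly one target matches   -> the result of evaluating that policy
    Every target is evaluated; the scan does not stop at the first match.
    """
    selected: Optional[Policy] = None
    for policy in policies:
        result = policy.target(request)
        if result is TargetResult.INDETERMINATE:
            return Decision.INDETERMINATE
        if result is TargetResult.MATCH:
            if selected is not None:
                return Decision.INDETERMINATE
            selected = policy
    if selected is None:
        return Decision.NOT_APPLICABLE
    return selected.evaluate(request)


# --- constructed sample policies (hypothetical attribute names and values) ---

def attribute_equals(name: str, value: str) -> Callable[[Request], TargetResult]:
    """Target matching request[name] == value. A missing attribute is treated
    as a target evaluation error (assumption: the attribute must be present)."""
    def target(request: Request) -> TargetResult:
        if name not in request:
            return TargetResult.INDETERMINATE
        return TargetResult.MATCH if request[name] == value else TargetResult.NO_MATCH
    return target


def permit_role(role: str) -> Callable[[Request], Decision]:
    """Policy body: Permit for the given role, Deny for everyone else."""
    def evaluate(request: Request) -> Decision:
        return Decision.PERMIT if request.get("role") == role else Decision.DENY
    return evaluate


PAYROLL = Policy("payroll-policy", attribute_equals("resource", "payroll"), permit_role("hr"))
WIKI = Policy("wiki-policy", attribute_equals("resource", "wiki"), lambda _r: Decision.PERMIT)
# A second policy whose target overlaps PAYROLL: loading both makes the
# initial policy non-unique for payroll requests.
PAYROLL_LEGACY = Policy("payroll-legacy", attribute_equals("resource", "payroll"),
                        lambda _r: Decision.PERMIT)


if __name__ == "__main__":
    for req in ({"resource": "payroll", "role": "hr"},
                {"resource": "payroll", "role": "dev"},
                {"resource": "mail", "role": "hr"},
                {"role": "hr"}):
        print(req, "->", only_one_applicable([PAYROLL, WIKI], req).value)
    print("overlapping repository ->",
          only_one_applicable([PAYROLL, WIKI, PAYROLL_LEGACY],
                              {"resource": "payroll", "role": "hr"}).value)
```

The last call is the case the thread is about: a PDP that stopped at the first candidate would return Permit for the payroll request, while the full scan reports the overlapping repository as Indeterminate, so a misconfigured policy store fails closed instead of silently picking whichever policy was loaded first.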


