[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] [xacml-comment] Comments and questions on Obligations(Appendix C.1, C.2, and C.3).
The following are my comments.

1. Correct. Line 4657, 4768, 4845 (in PDF version)

"Obligations of the individual policies shall be combined as described in Section 3.3.2.3."

should be

"Obligations of the individual policies shall be combined as described in Section 3.3.3.2."

2.

>Q2.1.1.
>Assume that the two policies P1 and P2 are evaluated to Permit.
>Should we return both OP1 and OP2, or only one of them in addition to OP ?

We assume that the final decision returned by the policy set is "Permit" since the enclosed policies return only "Permit". Then the algorithm should return OP1, OP2, and OP. The reason is that lines 3003 and 3004 say that

"A policy or policy set may contain one or more obligations. When such a policy or policy set is EVALUATED, an obligation SHALL be passed up to the next level of evaluation (the enclosing or referencing policy set or authorization decision) only if the effect of the policy or policy set being evaluated matches the value of the xacml:FulfillOn attribute of the obligation."

Since both P1 and P2 are evaluated, OP1 and OP2 must be passed up to the next level of evaluation (policy set) and the final decision must include OP1, OP2, and OP.

>Q2.1.2
>Assume that the two policies P1 and P2 are evaluated to Deny.
>Should we return both OD1 and OD2, or only one of them in addition to OD ?

We assume that the final decision returned by the policy set is "Deny". Then the algorithm should return OD1 and OD. OD2 is not returned because P2 is not evaluated in this case. When the algorithm encounters a "deny" effect that holds, it immediately returns "deny" according to the algorithm, lines 4578-4580.

>2.2 Permit-overrides:
>-----------------
>I have the same two questions.

When P1 and P2 are evaluated to Permit, then the algorithm should return OP1 and OP. When P1 and P2 are evaluated to Deny, then the algorithm should return OD1, OD2, and OD.

>Q2.3.1.
>Assume that P1 is the first applicable policy that is evaluated to Permit,
>and that P2 is also evaluated to Permit.
>Should we return both OP1 and OP2, or only OP1 in addition to OP?

The algorithm should return OP1 and OP. P2 is no longer evaluated.

>Q2.3.2.
>I have the same question in case of Deny.
>Should we return both OD1 and OD2, or only OD1 in addition to OD?

The algorithm should return OD1 and OD. P2 is no longer evaluated.

Michiharu
IBM Tokyo Research Laboratory

----- Forwarded by Michiharu Kudoh/Japan/IBM on 2003/01/23 12:52 -----

From: Satoshi Hada/Japan/IBM@IBMJP
Date: 2003/01/20 11:23
To: XACML COMMENT <xacml-comment@lists.oasis-open.org>
cc:
Subject: [xacml-comment] Comments and questions on Obligations (Appendix C.1, C.2, and C.3).

Hi,

Comments and questions on Obligations.

1. At the end of C.1, C.2, and C.3, we have the following description just after the explanation about policy combining algorithms:

"Obligations of the individual policies shall be combined as described in Section 3.3.2.3"

However, Section 3.3.2.3 is about a policy rather than a set of policies. So it should be Section 3.3.3.2 rather than 3.3.2.3.

---------------------------------------------------------------------

2. It is clear to me which obligations should be returned when evaluating a policy. However, it's unclear to me when evaluating a set of policies (not a policy). Do you think that the description in Section 7.11 is clear enough to answer the following questions?

2.1 Deny-overrides:
---------------
Consider a policy set using the deny-overrides policy comb alg.
Assume that the policy set has two obligation sets OP and OD for Permit and Deny, respectively.
Assume that the policy set has two policies P1 and P2 with different obligation sets O1 and O2, respectively.
Assume that O1 consists of OP1 and OD1 for Permit and Deny.
Assume that O2 consists of OP2 and OD2 for Permit and Deny.

Q2.1.1.
Assume that the two policies P1 and P2 are evaluated to Permit.
Should we return both OP1 and OP2, or only one of them in addition to OP ?

Q2.1.2
Assume that the two policies P1 and P2 are evaluated to Deny.
Should we return both OD1 and OD2, or only one of them in addition to OD ?

2.2 Permit-overrides:
-----------------
I have the same two questions.

2.3 First-applicable:
----------------
Consider a policy set, which is the same as the above policy set except that it uses the first-applicable policy comb alg.

Q2.3.1.
Assume that P1 is the first applicable policy that is evaluated to Permit, and that P2 is also evaluated to Permit.
Should we return both OP1 and OP2, or only OP1 in addition to OP?

Q2.3.2.
I have the same question in case of Deny.
Should we return both OD1 and OD2, or only OD1 in addition to OD?

2.4 Only-one-applicable:
-------------------
We can return the obligation set specified in the only applicable policy. So I have no question in this algorithm.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl>
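The combining behaviour the two messages above argue about can be made concrete by simulating it. The Python below is an added example for this archive page; it is not code from either e-mail, from the OASIS specification, or from any XACML implementation. It encodes the reading of the Appendix C pseudo-code that the reply takes: deny-overrides returns as soon as a policy yields Deny, permit-overrides as soon as one yields Permit, first-applicable at the first policy that is not NotApplicable, and a policy the loop never reaches is never evaluated and so passes up no obligations (Section 7.11). The `Obligation`, `Policy`, `combine` and `thread_scenario` names are this example's own, as is the handling of the mixed Permit/Deny case, which the thread does not settle: the policy set keeps only child obligations whose FulfillOn matches its own final decision. Indeterminate and only-one-applicable are left out; Satoshi raised no question on the latter.

```python
"""Simulation of XACML 1.0 policy-combining algorithms with obligations.

Added example; not code from the thread, from OASIS, or from any XACML
implementation.  It models the short-circuit reading of the Appendix C
pseudo-code argued in the reply: deny-overrides returns as soon as it sees
Deny, permit-overrides as soon as it sees Permit, first-applicable at the
first policy that is not NotApplicable.  A policy the loop never reaches is
never evaluated and therefore contributes no obligations.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Obligation:
    oid: str
    fulfill_on: str          # value of the xacml:FulfillOn attribute


def matching(obligations: List[Obligation], effect: str) -> List[Obligation]:
    """Section 7.11 rule: pass up only obligations whose FulfillOn equals the effect."""
    return [o for o in obligations if o.fulfill_on == effect]


@dataclass
class Policy:
    name: str
    effect: str                                   # decision for the request under test
    obligations: List[Obligation] = field(default_factory=list)
    evaluated: bool = False                       # set only when the algorithm reaches it

    def evaluate(self) -> Tuple[str, List[Obligation]]:
        self.evaluated = True
        return self.effect, matching(self.obligations, self.effect)


def combine(alg: str, policies: List[Policy],
            set_obligations: List[Obligation]) -> Tuple[str, List[str], List[str]]:
    """Evaluate a policy set under `alg`.

    Returns (decision, obligation ids in the order they would be returned,
    names of the policies that were actually evaluated).
    """
    passed_up: List[Obligation] = []
    decision = NOT_APPLICABLE
    for p in policies:
        effect, obls = p.evaluate()
        passed_up += obls
        if alg == "deny-overrides":
            if effect == DENY:
                decision = DENY
                break                              # Deny is final: stop evaluating
            if effect == PERMIT:
                decision = PERMIT
        elif alg == "permit-overrides":
            if effect == PERMIT:
                decision = PERMIT
                break                              # Permit is final: stop evaluating
            if effect == DENY:
                decision = DENY
        elif alg == "first-applicable":
            if effect != NOT_APPLICABLE:
                decision = effect
                break                              # first applicable policy decides
        else:
            raise ValueError("unsupported algorithm: " + alg)
    # Assumption (the thread does not settle the mixed Permit/Deny case): the
    # policy set returns only child obligations whose FulfillOn matches its
    # own final decision, followed by its own matching obligations.
    result = [o.oid for o in matching(passed_up, decision)]
    result += [o.oid for o in matching(set_obligations, decision)]
    return decision, result, [p.name for p in policies if p.evaluated]


def thread_scenario(alg: str, effect: str) -> Tuple[str, List[str], List[str]]:
    """Satoshi's setup: P1 and P2 both yield `effect`; O1 = {OP1, OD1},
    O2 = {OP2, OD2}; the policy set itself carries OP and OD."""
    p1 = Policy("P1", effect, [Obligation("OP1", PERMIT), Obligation("OD1", DENY)])
    p2 = Policy("P2", effect, [Obligation("OP2", PERMIT), Obligation("OD2", DENY)])
    return combine(alg, [p1, p2], [Obligation("OP", PERMIT), Obligation("OD", DENY)])


if __name__ == "__main__":
    for alg in ("deny-overrides", "permit-overrides", "first-applicable"):
        for effect in (PERMIT, DENY):
            decision, obls, seen = thread_scenario(alg, effect)
            print(f"{alg:17} both {effect:6} -> {decision:6} "
                  f"obligations={obls} evaluated={seen}")
```

Running it reproduces the six answers in the reply (for example deny-overrides with both policies at Deny yields OD1 and OD with P2 never evaluated, while permit-overrides at Deny yields OD1, OD2 and OD), and the `evaluated` list makes visible why the two algorithms differ: the obligation set a PEP receives depends on how far the combining loop got, not only on the final decision. A practitioner writing a PDP should therefore treat the choice between short-circuiting and evaluating every child as an observable security decision, since it changes which obligations the PEP is told to fulfil.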