Subject: Re: [xacml] oasis-xacml-2_0-core-spec-wd-08.zip
Hi, Polar

>But please answer me this, what does a Rule with the Effect of Deny
>with Obligations of FulfillOn="Permit" mean? What am I supposed to do
>with that?

Suppose we have a rule like:

    <Rule Effect="Deny">
      <Condition> ... </Condition>
      <Obligations>
        <Obligation ObligationId="email" FulfillOn="Permit"/>
      </Obligations>
    </Rule>

If this rule fires, then the result should be "Deny". Since there is no obligation for "Deny", the result is just "Deny".

I guess what you are concerned about is that the obligation is never used. Right. But everybody can make this type of meaningless policy. For example,

    <Policy RuleCombAlgo="ordered-deny-overrides">
      <Rule Effect="Deny"/>
      <Rule Effect="Permit"/>
    </Policy>

The second rule never fires because the first rule always fires. In my opinion, the case above and this are the same problem.

A possible way to avoid this problem would be to use some intelligent policy authoring tools that detect meaningless policy specifications.

Best,
Michiharu

Polar Humenn <polar@syr.edu>
2004/04/09 05:07
To: XACML <xacml@lists.oasis-open.org>
cc:
Subject: [xacml] oasis-xacml-2_0-core-spec-wd-08.zip

I'm looking at this new document and I have a couple of questions.

0. I went to considerable effort to make glossary items for the CombinerParameter proposal. None of them made it in there. I think it would be good to have those definitions.

1. I removed CombinerParameters from the Rule as we now have RuleCombinerParameters. They are still there. They need to be removed.

2. I removed the sentence "<VariableDefinition> MAY contain undefined <VariableReference>, but if it does, corresponding <VariableDefinition> MUST be defined later in the encompassing policy." I removed this sentence because a variable reference cannot be "undefined" if it *has* a definition. Anyway, it's not about the VariableDefinition. It's about the Expression. It's probably better to say "An expression SHALL not contain any undefined variable references." but that should be included in section 5.33 Expression. Perhaps, if we must say something about it, please say it in the VariableReference section. Perhaps stating that, "A <VariableReference> that does not have a corresponding <VariableDefinition> in the encompassing policy shall be considered undefined". And that takes care of both problems.

3. In both Policy and PolicySet evaluation, I removed a sentence that says, "In such a case, the values of these parameters associated with the policies, MUST be taken into account when evaluating the policy set." I removed this sentence because it is not really true. First of all, I don't know what "taken into account" means. It is perfectly up to the implementation of the combining algorithm to do what it wants with the arguments, even ignore them if it wants to. So, I think this sentence is really meaningless. I added a sentence that states, "If the implementation supports combiner parameters and if combiner parameters are present in a policy, then the parameter values MUST be supplied to the combining algorithm implementation." What more really needs to be said here?

4. And finally, I noticed that Obligations made it into Rules. Did I lose that battle? Maybe so, I don't remember. But please answer me this, what does a Rule with the Effect of Deny with Obligations of FulfillOn="Permit" mean? What am I supposed to do with that?

Cheers,
-Polar
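The reply above suggests authoring tools that detect meaningless policy specifications. The following is an added example, not part of the original thread or of any XACML implementation: a small lint pass over the shorthand policy form used in the message. The function name lint_policy, the sample policy, and the reading of RuleCombAlgo as the message's abbreviation are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample combining both cases from the message. RuleCombAlgo is the
# message's shorthand, not the attribute name defined by the XACML schema.
SAMPLE = """
<Policy RuleCombAlgo="ordered-deny-overrides">
  <Rule Effect="Deny">
    <Obligations>
      <Obligation ObligationId="email" FulfillOn="Permit"/>
    </Obligations>
  </Rule>
  <Rule Effect="Permit"/>
</Policy>
"""

def lint_policy(xml_text):
    """Return (rule_index, message) findings for one shorthand <Policy>."""
    policy = ET.fromstring(xml_text)
    algo = policy.get("RuleCombAlgo", "")
    findings = []
    always_denies = None  # index of an earlier unconditional Deny rule, if any
    for idx, rule in enumerate(policy.findall("Rule")):
        effect = rule.get("Effect")
        # Case 2 in the message: an earlier rule always fires with Deny under a
        # deny-overrides algorithm, so this rule cannot affect the decision.
        if always_denies is not None:
            findings.append(
                (idx, f"has no effect: rule {always_denies} always denies"))
        # Case 1 in the message: the rule can only yield its own Effect, so an
        # obligation keyed to the other decision is never returned.
        for ob in rule.findall("./Obligations/Obligation"):
            fulfill_on = ob.get("FulfillOn")
            if fulfill_on != effect:
                findings.append(
                    (idx, f"obligation '{ob.get('ObligationId')}' is never used: "
                          f"FulfillOn={fulfill_on} but Effect={effect}"))
        # A rule with neither Target nor Condition applies to every request.
        unconditional = (rule.find("Target") is None
                         and rule.find("Condition") is None)
        if (always_denies is None and unconditional and effect == "Deny"
                and algo.endswith("deny-overrides")):
            always_denies = idx
    return findings

if __name__ == "__main__":
    for idx, message in lint_policy(SAMPLE):
        print(f"rule {idx}: {message}")
```
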