Re: [xacml] NotApplicable and combining algs

[Polar Humenn <polar@syr.edu>]

On Wed, 25 Aug 2004, Seth Proctor wrote:

>
> Sections 7.10 and 7.11 of draft 13 say that in all cases, if no
> elements provided to a combining algorithm apply then the combining
> algorithm always returns NotApplicable. Is that really what we want?

Yes.

> Shouldn't I be free to write a combining algorithm, for example, that
> returns Deny if no elements apply?

Of course, you can write combining algorithms that return Permit when
everything states Deny. You are free to do what you want. There is nothing
that stops you from doing that. However, I would think, that you would
have to state the exact reasons for doing so.

> I can think of many cases where this would be very useful (at the
> top-level in a PDP and to replace fall-through Deny rules).

Or fall thru Permit rules. :)

In anycase, these are some of the guidelines to follow, and basically
makes things work with some expectation of consistency. Much like the
applicability predicate (target) of each rule, which states that the
result of a rule is only combined if the target is true.

> The reason I ask is twofold. First, I don't ever remember discussing
> this issue, so I'm not sure if someone explicitly wanted to see this in
> the spec or if it's just an oversight.

No, it probably was discussed before you got on board. However, for the
algorithms we have, the stated behavior is what we want. You can always
right a PolicySet (or a default) rule that will get you what you want.

> Second, I think it breaks the relationship shown on page 19, since it
> implies that before a combining algorithm starts working with its
> elements, something above it will already have checked applicability of
> all elements.

I don't see what "breaks" here. If you take that stance that you evaluate
the applicability of each rule before evaluating and combining their
results, and no rule is applicable, or whether you evaluate each rule's
applicablilty predicate and if true, process the result, the end result
should definately be the same.

However, that doesn't stop you from defining a combining algorithm that in
a sense, can throw all logic and integrity to the wind. Whether somebody
wants to rely on it, is another story.

> I think it's clear that we don't want that model.

Well, I guess I won't speak for the group, but I want that model, which
gives integrity and consistency to the logic, and has the ability to
compose policies in an expected manor.

> Basically, I think this is another case where we should say that the
> combining algorithm decides, and it just so happnes that all the
> standard algorithms return NotApplicable in this case.

What's the use case, other than some convience?

You can use the standard algorithms, and put "default" rules with true
applicability predicates and true conditions, and get a never return
NotApplicable result.


> Yes? No? What do people think? Again, maybe fodder for discussion
> tomorrow?

Cheers,
-Polar