OASIS Mailing List Archives

xacml message



Subject: Generalization


Colleagues - Response to a couple of questions raised during our discussion
of this topic in Thursday's telecon.

All discussion is relative to rules combined into a policy; policies
combined into a policyset behave analogously.

1. Daniel asked about non-applicable rules.  These do not contribute any
obligations to the combination.  If none of the rules contribute
obligations, then the policy value is null.

2. Polar said that an alternative approach would be to leave Effect values
undefined in the core and allow extensions to define suitable values.  This
is definitely a possibility.  I prefer the approach that I described for two
reasons.

a. It treats the obligation as the principal result.  It is the more general
concept.  Effect, which is relevant only to access control, is set by an
obligation.

b. It simplifies combining algorithms.  The obligations associated with an
Indeterminate result are explicitly stated in the policy, and the combining
algorithm handles obligations independent of the rule values that gave rise
to them.

Of course, this approach would cause us to make Obligations a mandatory part
of the standard.  But, nothing in this approach infringes on IBM's patent.

All the best.  Tim.

-----------------------------------------------------------------
Tim Moses
613.270.3183

