[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Permit-Overrides PolicyCombiningAlg
On 4/19/06, Anne Anderson <Anne.Anderson@sun.com> wrote: > According to XACML 2.0 Appendix C.3 Permit-overrides, if the set of > policy values being combined consists of Indeterminates and Denies, then > the result is Deny. > it's a little different in rule comb algorithm. i think the difference stems from the fact that the rule has an effect, while policy doesn't have an effect. in rule comb alg, if there was a rule with Permit effect, which evaluated to Indeterminate, then the combining result would be Indeterminate when no other Permits. in policy comb alg, there's no notion of a policy effect. therefore, if everything's Indetermiate and one Deny, then the whole thing's Deny. argyn
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]