OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Permit-Overrides PolicyCombiningAlg

On 4/19/06, Anne Anderson <Anne.Anderson@sun.com> wrote:
> According to XACML 2.0 Appendix C.3 Permit-overrides, if the set of
> policy values being combined consists of Indeterminates and Denies, then
> the result is Deny.

it's a little different in rule comb algorithm. i think the difference
stems from the fact that the rule has an effect, while policy doesn't
have an effect.

in rule comb alg, if there was a rule with Permit effect, which
evaluated to Indeterminate, then the combining result would be
Indeterminate when no other Permits. in policy comb alg, there's no
notion of a policy effect. therefore, if everything's Indetermiate and
one Deny, then the whole thing's Deny.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]