OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Behavior of deny-overrides


Olav Bandmann has discovered that a couple of the 2.0 combining
algorithms have "weird" effects sometimes. I am not sure if this was
already known, or if anything should be done about it.

This is a bit difficult to explain, but I will make an attempt. One can
define a soundness criterion for policy combining algorithms: A
combining algorithm is sound iff a constituent policy cannot cause a
combined decision which the constituent policy would never evaluate to
in isolation. By this definition, the deny-overrides algorithm is not
sound. For instance:

P1 has a singe rule with a Permit effect. This policy in isolation can
never evaluate to a Deny.

PS is a policy set with a number of policies:

/ |
/ |

PS uses a deny-overrides policy combining algorithm. Assume that for a
request R, PS, as it is, will evaluate to Permit. Now, insert P1 into PS:

/ | \
/ | \
P2-Pn P1

Let’s evaluate R against PS again and let’s say that P1 evaluates to
indeterminate. This will cause PS to be Deny. P1 made PS into a Deny,
although P1 can never evaluate to Deny in isolation!

There is a similar behavior in the only-one-applicable.

So, why is this a problem? Because it makes harder to understand a
complex policy. You cannot look at the parts in isolation. For instance,
if several administrators are responsible for parts of a large policy
set, then their policies could have effects that they did not intend or

One could argue that the algorithms have a well defined behavior, so
they are not “wrong” and they behave as intended. That could be said
about the only-one-applicable algorithm for instance, or if I for some
reason want to define an algorithm which inverts everything, makes its
decisions randomly, or whatever.

However, in the case of deny-overrides, the algorithm could have been
designed so it would have been sound in this respect.

Olav suspects (and so do I) that the motivation for the current design
was based on concerns about access being allowed in case of an error: If
PS uses deny-overrides and P1 evaluates to indeterminate, then perhaps
P1 could have evaluated to Deny if there was no error? So to be safe, we
make the whole a Deny. However, it would have been better to make it
indeterminate, and then have a Deny biased PEP instead, if denying
access is important in case of uncertainty in policy evaluation.

Is this already known? Is it a concern? To fix it, we could define a new
combining algorithm which does not have this behavior and recommend
people to use it instead of the old one.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]