[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: New Issue#83: CORE ERRATA: error in 7.15.3 Missing attributes
Section 7.15.3 says that the absence of matching attributes referenced "in the policy" "SHALL result" in a decision of "Indeterminate". This is INCORRECT. Unless an AttributeDesignator or AttributeSelector contains the "MustBePresent" XML attribute, it will evaluate to an empty bag if its referenced Attribute is not present in the Request Context. An empty bag does not necessarily result in "Indeterminate" - you have to look at the definition and use context of each XACML function to determine how it deals with an empty bag. For some functions, such as "type-bag-size", "type-is-in", "type-intersection", an empty bag is a normal input to the function. Also, in the Target element MatchId functions, an empty bag parameter results in "NotApplicable" rather than "Indeterminate". I stumbled across this in checking a claim by one of the interop participants that "the definition of Indeterminate seems to be ambiguous". Regards, Anne -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]