
*Subject*: **Improved text for combining algorithms**

*From*: **Erik Rissanen <erik@axiomatics.com>**

*To*: XACML TC <xacml@lists.oasis-open.org>

*Date*: Fri, 26 Sep 2008 16:34:16 +0200

All,

We have decided to update the descriptions of the combining algorithms since the textual descriptions were not correct. I have made the following changes to my working copy of the next draft:

I added the text "Pseudo code is normative, descriptions in English are non-normative" in the beginning of appendix C.

For deny overrides rule combining I wrote:

-- 8< --

The following is a non-normative informative description of this combining algorithm.

The deny overrides rule combining algorithm is intended for those cases where a deny decision should have priority over a permit decision. This algorithm has the following behavior.

1. If any rule evaluates to "Deny", the result is "Deny".
2. Otherwise, if any rule having Effect="Deny" evaluates to "Indeterminate", the result is "Indeterminate".
3. Otherwise, if any rule evaluates to "Permit", the result is "Permit".
4. Otherwise, if any rule having Effect="Permit" evaluates to "Indeterminate", the result is "Indeterminate".
5. Otherwise, the result is "NotApplicable".

-- 8< --

For deny overrides policy combining I wrote:

-- 8< --

The following is a non-normative informative description of this combining algorithm.

The deny overrides policy combining algorithm is intended for those cases where a deny decision should have priority over a permit decision. This algorithm has the following behavior.

1. If any policy evaluates to "Deny", the result is "Deny".
2. Otherwise, if any policy evaluates to "Indeterminate", the result is "Deny".
3. Otherwise, if any policy evaluates to "Permit", the result is "Permit".
4. Otherwise, the result is "NotApplicable".

-- 8< --

For permit overrides rule combining I wrote:

-- 8< --

The following is a non-normative informative description of this combining algorithm.

The permit overrides rule combining algorithm is intended for those cases where a permit decision should have priority over a deny decision. This algorithm has the following behavior.

1. If any rule evaluates to "Permit", the result is "Permit".
2. Otherwise, if any rule having Effect="Permit" evaluates to "Indeterminate", the result is "Indeterminate".
3. Otherwise, if any rule evaluates to "Deny", the result is "Deny".
4. Otherwise, if any rule having Effect="Deny" evaluates to "Indeterminate", the result is "Indeterminate".
5. Otherwise, the result is "NotApplicable".

-- 8< --

For permit overrides policy combining I wrote:

-- 8< --

The following is a non-normative informative description of this combining algorithm.

The permit overrides policy combining algorithm is intended for those cases where a permit decision should have priority over a deny decision. This algorithm has the following behavior.

1. If any policy evaluates to "Permit", the result is "Permit".
2. Otherwise, if any policy evaluates to "Deny", the result is "Deny".
3. Otherwise, if any policy evaluates to "Indeterminate", the result is "Indeterminate".
4. Otherwise, the result is "NotApplicable".

-- 8< --

I did not change the pseudo code. I did not change the other combining algorithms since I think the descriptions are ok for them.

Let me know of any errors/objections.

Regards,
Erik
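The following is an added example, not part of the original message or of the XACML specification: a Python sketch that follows the four English descriptions above step by step, to show how each algorithm treats an "Indeterminate" result. The function names and the `(effect, decision)` pair used to represent a rule are assumptions made for illustration; the specification's pseudo code remains the normative definition.

```python
# Added illustration: the four non-normative descriptions from the message,
# written out as functions. All names here are assumptions for the example.
PERMIT, DENY = "Permit", "Deny"
INDETERMINATE, NOT_APPLICABLE = "Indeterminate", "NotApplicable"

def _rule_overrides(rules, winner, loser):
    """rules: iterable of (effect, decision) pairs, one per evaluated rule."""
    rules = list(rules)
    decisions = [decision for _, decision in rules]
    if winner in decisions:                                        # step 1
        return winner
    if any(e == winner and d == INDETERMINATE for e, d in rules):  # step 2
        return INDETERMINATE
    if loser in decisions:                                         # step 3
        return loser
    if any(e == loser and d == INDETERMINATE for e, d in rules):   # step 4
        return INDETERMINATE
    return NOT_APPLICABLE                                          # step 5

def deny_overrides_rules(rules):
    return _rule_overrides(rules, DENY, PERMIT)

def permit_overrides_rules(rules):
    return _rule_overrides(rules, PERMIT, DENY)

def deny_overrides_policies(decisions):
    """decisions: iterable of policy results. Indeterminate becomes Deny."""
    decisions = list(decisions)
    if DENY in decisions or INDETERMINATE in decisions:            # steps 1-2
        return DENY
    if PERMIT in decisions:                                        # step 3
        return PERMIT
    return NOT_APPLICABLE                                          # step 4

def permit_overrides_policies(decisions):
    """decisions: iterable of policy results. Deny outranks Indeterminate."""
    decisions = list(decisions)
    for outcome in (PERMIT, DENY, INDETERMINATE):                  # steps 1-3
        if outcome in decisions:
            return outcome
    return NOT_APPLICABLE                                          # step 4

if __name__ == "__main__":
    # Constructed inputs: a permitting rule beside a Deny rule that errored.
    sample = [(PERMIT, PERMIT), (DENY, INDETERMINATE)]
    print(deny_overrides_rules(sample))
    print(deny_overrides_policies([PERMIT, INDETERMINATE]))
```
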
