xacml message

Subject: Re: [xacml] Re: Combining algorithm combining orders

From: Daniel Engovatov <daniel@streamdynamics.com>
To: Erik Rissanen <erik@axiomatics.com>
Date: Thu, 23 Oct 2008 01:12:34 -0700

On Oct 23, 2008, at 1:03 AM, Erik Rissanen wrote:

>
> However, if the permit-overrides algorithm gets to choose between a  
> deny and an indeterminate, it says deny, which is not correct. The  
> purpose of the permit overrides algorithm is to give priority of  
> permit over deny. In this case one of the policies could not be  
> evaluated correctly. It could potentially have been a permit, in  
> which case the algorithm should return permit.

I am not sure it is a question of correctness.  Algorithm may be  
correct - but it may, or may not be suitable to a particular use  
case.   I think this use case is a valid one - give Permit if anybody  
explicitly said Permit, Deny in any other case, including the case  
when somebody did not have enough time or information to say  
Permit.   Seems like a completely legitimate use case.

I have never liked the Permit override anyway...

Daniel;

Follow-Ups:
- Re: [xacml] Re: Combining algorithm combining orders
  - From: Erik Rissanen <erik@axiomatics.com>

References:
- Proposed Agenda 23 October TC Meeting
  - From: bill parducci <bill@parducci.net>
- Re: [xacml] Proposed Agenda 23 October TC Meeting
  - From: Erik Rissanen <erik@axiomatics.com>
- Re: Combining algorithm combining orders
  - From: Daniel Engovatov <daniel@streamdynamics.com>
- Re: [xacml] Re: Combining algorithm combining orders
  - From: Erik Rissanen <erik@axiomatics.com>
- Re: [xacml] Re: Combining algorithm combining orders
  - From: Daniel Engovatov <daniel@streamdynamics.com>
- Re: [xacml] Re: Combining algorithm combining orders
  - From: Erik Rissanen <erik@axiomatics.com>