[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Re: Combining algorithm combining orders
On Oct 23, 2008, at 1:03 AM, Erik Rissanen wrote: > > However, if the permit-overrides algorithm gets to choose between a > deny and an indeterminate, it says deny, which is not correct. The > purpose of the permit overrides algorithm is to give priority of > permit over deny. In this case one of the policies could not be > evaluated correctly. It could potentially have been a permit, in > which case the algorithm should return permit. I am not sure it is a question of correctness. Algorithm may be correct - but it may, or may not be suitable to a particular use case. I think this use case is a valid one - give Permit if anybody explicitly said Permit, Deny in any other case, including the case when somebody did not have enough time or information to say Permit. Seems like a completely legitimate use case. I have never liked the Permit override anyway... Daniel;
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]