xacml message
Subject: Obligations problem


Dear all,

During the last call I briefly mentioned a problem with the evaluation 
of obligations. The problem is that Section 7.16 of the specs seems to 
confuse "effect" and "result" of a rule at several instances. Please 
correct me if I'm wrong, but I see the "effect" as the static value 
specified in the Effect attribute of the Rule element, which can be 
either Permit or Deny, while the "result" is the decision returned after 
evaluating the rule, which could be Indeterminate, NotApplicable, or the 
value of the Effect attribute.

Section 7.16 of the specs says that:

> 3568 obligation or advice respectively, which SHALL be passed up to 
> the next level of evaluation [...]
> 3569 [...] only if the effect of the rule,
> 3570 policy, or policy set being evaluated matches the value of the 
> FulfillOn attribute of the obligation or
> 3571 the AppliesTo attribute of the advice. [...]

The use of the word "effect" on line 3569 seems to imply that if a rule 
with effect Permit evaluates to Indeterminate or NotApplicable, the 
obligation must still be passed up to the next level. I imagine this is 
not what was intended, especially given that line 3574 refers to the 
"result" instead of the "effect":

> 3573 [...] If the FulfillOn or AppliesTo
> 3574 attribute does not match the result of the combining algorithm or 
> the rule evaluation, then any
> 3575 indeterminate in an obligation or advice expression has no effect.

and that the subsequent paragraph explicitly mentions that no 
obligations are to be returned in case the rule evaluates to 
Indeterminate or NotApplicable:

> 3576 As a consequence of this procedure, no obligations or advice 
> SHALL be returned to the PEP if the rule,
> 3577 policies, or policy sets from which they are drawn are not 
> evaluated, or if their evaluated result is
> 3578 "Indeterminate" or "NotApplicable", [...]

The last paragraph again mentions "effect" as the relevant parameter, 
though:

> 3582 [...] those paths where the effect at each level of evaluation
> 3583 is the same as the effect being returned by the PDP.

The confusion could be solved by replacing the word "effect" on lines 
3569, 3582, and 3583 with "result", "evaluated result", or "decision".

Best,
Greg
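The following is an added illustration of the distinction drawn in the message above; it is not part of the original post, of the XACML specification, or of any OASIS reference implementation. It is a toy Python model of rule evaluation with a simplified deny-overrides combiner (the Indeterminate{D}/{P}/{DP} refinements of XACML 3.0 are omitted). The rule and obligation identifiers and the request attributes are constructed for the example. evaluate_rule() selects obligations by the evaluated result, as lines 3573-3578 require, while obligations_by_effect() shows what a literal reading of line 3569 would produce: an obligation from a Permit rule surfacing even though the rule came out NotApplicable.

```python
"""Toy model of XACML rule evaluation showing that obligations must be selected by
the rule's evaluated result, not its static Effect attribute (added example).
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

PERMIT = "Permit"
DENY = "Deny"
NOT_APPLICABLE = "NotApplicable"
INDETERMINATE = "Indeterminate"


@dataclass
class Obligation:
    obligation_id: str
    fulfill_on: str  # value of the FulfillOn attribute: Permit or Deny


@dataclass
class Rule:
    rule_id: str
    effect: str  # static Effect attribute: Permit or Deny
    target: Callable[[dict], bool]
    condition: Optional[Callable[[dict], bool]] = None
    obligations: List[Obligation] = field(default_factory=list)


def evaluate_rule(rule: Rule, request: dict) -> Tuple[str, List[Obligation]]:
    """Evaluate one rule; return (result, obligations to pass up).

    result is NotApplicable when target or condition is false, Indeterminate when
    evaluation raises (e.g. a missing attribute), otherwise the rule's Effect.
    Obligations are passed up only when FulfillOn equals the evaluated *result*.
    """
    try:
        if not rule.target(request):
            return NOT_APPLICABLE, []
        if rule.condition is not None and not rule.condition(request):
            return NOT_APPLICABLE, []
    except (KeyError, TypeError, ValueError):
        return INDETERMINATE, []
    result = rule.effect
    return result, [o for o in rule.obligations if o.fulfill_on == result]


def obligations_by_effect(rule: Rule) -> List[Obligation]:
    """Literal reading of "effect" in line 3569: match FulfillOn against the static
    Effect, so obligations leak out even when the rule is NotApplicable/Indeterminate.
    """
    return [o for o in rule.obligations if o.fulfill_on == rule.effect]


def deny_overrides(rules: List[Rule], request: dict) -> Tuple[str, List[Obligation]]:
    """Simplified deny-overrides combining (no Indeterminate{D/P/DP} handling).

    Obligations are collected only from rules whose evaluated result equals the
    decision this combiner returns (lines 3576-3578).
    """
    evaluated = [(r, *evaluate_rule(r, request)) for r in rules]
    results = [res for _, res, _ in evaluated]
    if DENY in results:
        decision = DENY
    elif INDETERMINATE in results:
        decision = INDETERMINATE
    elif PERMIT in results:
        decision = PERMIT
    else:
        decision = NOT_APPLICABLE
    obligations = [o for _, res, obls in evaluated if res == decision for o in obls]
    return decision, obligations


# Constructed sample policy (hypothetical identifiers): admins may read, and every
# permitted read must be logged; deletes are denied and the owner is notified.
LOG_READ = Obligation("urn:example:obligation:log-read", PERMIT)
NOTIFY_OWNER = Obligation("urn:example:obligation:notify-owner", DENY)
ADMIN_READ = Rule(
    "admin-read",
    PERMIT,
    target=lambda req: req["action"] == "read",
    condition=lambda req: req["role"] == "admin",
    obligations=[LOG_READ],
)
DENY_DELETE = Rule(
    "deny-delete",
    DENY,
    target=lambda req: req["action"] == "delete",
    obligations=[NOTIFY_OWNER],
)
POLICY = [ADMIN_READ, DENY_DELETE]


if __name__ == "__main__":
    for req in ({"action": "read", "role": "admin"},   # Permit, log-read
                {"action": "read", "role": "guest"},   # NotApplicable, no obligations
                {"action": "read"},                    # Indeterminate (role missing)
                {"action": "delete", "role": "admin"}):  # Deny, notify-owner
        decision, obls = deny_overrides(POLICY, req)
        print(req, "->", decision, [o.obligation_id for o in obls])
    print("by static Effect:", [o.obligation_id for o in obligations_by_effect(ADMIN_READ)])
```

For the guest request the admin-read rule is NotApplicable, so deny_overrides() returns no obligations, whereas obligations_by_effect() still yields log-read; that is exactly the behaviour the wording on line 3569 would license if "effect" were read as the static attribute.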


