OASIS Mailing List Archives: xacml message

Subject: Re: [xacml] Obligations problem


Hi Greg,

Thanks for your attention to detail.

However, if I read it in even more detail, it is not as bad as you 
think. ;-)

The sentence around line 3569 says: "... SHALL be passed up to the next 
level of evaluation only if the effect of the rule, policy, or policy 
set being evaluated matches the value of the FulfillOn attribute ..."

It says "only if", not "if and only if", meaning that the sentence can 
be written in the form "if SHALL be passed up ... then ... the effect 
matches ...". (See http://en.wikipedia.org/wiki/If_and_only_if)

This in turn can be rewritten as "if not effect matches then not shall 
be passed up".

In other words, it says that if the effect does not match, then the 
obligation does not get passed up, but it does not state the reverse. So 
it is correct, though maybe not the most elegantly formulated. ;-)

The next section, as you write, explicitly and correctly specifies the 
desired behavior.

I agree though that the last sentence which says "the effect returned 
by the PDP" should say "the decision returned by the PDP", to be 
consistent with the rest of the spec, but this should be quite clear anyway.

Could perhaps be rewritten a bit, but I would not like to drop back to 
WD because of this.

Best regards,
Erik


On 2011-03-23 10:59, Gregory Neven wrote:
> Dear all,
>
> During the last call I briefly mentioned a problem with the evaluation 
> of obligations. The problem is that Section 7.16 of the specs seems to 
> confuse "effect" and "result" of a rule at several instances. Please 
> correct me if I'm wrong, but I see the "effect" as the static value 
> specified in the Effect attribute of the Rule element, which can be 
> either Permit or Deny, while the "result" is the decision returned 
> after evaluating the rule, which could be Indeterminate, 
> NotApplicable, or the value of the Effect attribute.
>
> Section 7.16 of the specs says that:
>
>> 3568 obligation or advice respectively, which SHALL be passed up to 
>> the next level of evaluation [...]
>> 3569 [...] only if the effect of the rule,
>> 3570 policy, or policy set being evaluated matches the value of the 
>> FulfillOn attribute of the obligation or
>> 3571 the AppliesTo attribute of the advice. [...]
>
> The use of the word "effect" on line 3569 seems to imply that if a 
> rule with effect Permit evaluates to Indeterminate or NotApplicable, 
> the obligation must still be passed up to the next level. I imagine 
> this is not what was intended, especially given that line 3574 refers 
> to the "result" instead of the "effect":
>
>> 3573 [...] If the FulfillOn or AppliesTo
>> 3574 attribute does not match the result of the combining algorithm 
>> or the rule evaluation, then any
>> 3575 indeterminate in an obligation or advice expression has no effect.
>
> and that the subsequent paragraph explicitly mentions that no 
> obligations are to be returned in case the rule evaluates to 
> Indeterminate or NotApplicable:
>
>> 3576 As a consequence of this procedure, no obligations or advice 
>> SHALL be returned to the PEP if the rule,
>> 3577 policies, or policy sets from which they are drawn are not 
>> evaluated, or if their evaluated result is
>> 3578 "Indeterminate" or "NotApplicable", [...]
>
> The last paragraph again mentions "effect" as the relevant parameter, 
> though:
>
>> 3582 [...] those paths where the effect at each level of evaluation
>> 3583 is the same as the effect being returned by the PDP.
>
> The confusion could be solved by replacing the word "effect" on lines 
> 3569, 3582, and 3583 with "result", "evaluated result", or "decision".
>
> Best,
> Greg
>
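As an added illustration (not part of the thread and not code from the XACML specification), the following small Python model shows the reading both messages converge on: an obligation is passed up only when the rule's evaluated result (Permit, Deny, NotApplicable or Indeterminate) matches its FulfillOn attribute, never on the basis of the static Effect alone. The rule and obligation structures, the obligation ids and the simplified deny-overrides combiner (extended Indeterminate values omitted) are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Decision values a rule or policy can evaluate to (XACML 3.0, Section 7)
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass
class Obligation:
    obligation_id: str  # constructed sample id, not taken from the spec
    fulfill_on: str     # the FulfillOn attribute: Permit or Deny


@dataclass
class Rule:
    effect: str                 # static Effect attribute of the Rule element
    condition: Optional[bool]   # True/False; None models a Condition that is Indeterminate
    obligations: List[Obligation] = field(default_factory=list)


def evaluate_rule(rule: Rule) -> Tuple[str, List[Obligation]]:
    """Return (decision, obligations passed up).

    The decision is the *result* of evaluation; an obligation is passed up only
    when that result equals its FulfillOn value. A Permit rule whose condition is
    false or Indeterminate therefore contributes no obligations, which is the
    behaviour the thread agrees Section 7.16 intends.
    """
    if rule.condition is None:
        decision = INDETERMINATE
    elif rule.condition:
        decision = rule.effect          # only here does effect become the result
    else:
        decision = NOT_APPLICABLE
    passed_up = [o for o in rule.obligations if o.fulfill_on == decision]
    return decision, passed_up


def deny_overrides(rules: List[Rule]) -> Tuple[str, List[Obligation]]:
    """Simplified deny-overrides combiner (assumption: Indeterminate{D}/{P}/{DP}
    collapsed into one Indeterminate). Obligations are collected only from rules
    whose own result equals the policy's final decision, i.e. along the path
    whose decision is the one returned."""
    results = [evaluate_rule(r) for r in rules]
    decisions = [d for d, _ in results]
    if DENY in decisions:
        final = DENY
    elif INDETERMINATE in decisions:
        final = INDETERMINATE
    elif PERMIT in decisions:
        final = PERMIT
    else:
        final = NOT_APPLICABLE
    return final, [o for d, obs in results if d == final for o in obs]
```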