

Subject: [xacml] Multiple obligations


All,


> -----Original Message-----
> From: rich levinson [mailto:rich.levinson@oracle.com]
> Sent: Friday, June 03, 2011 12:52 AM
> To: xacml
> Subject: [xacml] Minutes for 2 June 2011 TC Meeting

[...]

>    Obligations/Advice combining ambiguities. (dependent on final
>     version of combining algorithms)
>     http://lists.oasis-open.org/archives/xacml/201105/msg00094.html
> 
>      rich: working assumption is that in deny-overrides that if there
> 	are multiple permit rules then all the applicable permits
> 	add their obligations to the response if decision is permit,
> 	as opposed to the deny decision, where only one rule's obls
> 	are returned.
> 

I'm not sure I like this. First of all, this means there is an asymmetry between the permit and deny cases, as noted on the call. Secondly, this assumption rules out the following performance improvement: For deny-overrides, once an applicable permit rule has been found, other permit rules don't need to be evaluated, since they can never change the decision.

Thanks,
Ray
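
The two behaviours discussed in this message, side by side, as an added example that is not part of the original e-mail or of the XACML specification text. The `Rule` class, the `skip_permits_after_first` flag, the rule names and the obligation ids are all constructed for illustration, and Indeterminate handling is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # hypothetical stand-in for an XACML rule
    name: str
    effect: str                  # "Permit" or "Deny"
    applicable: bool             # constructed result of target/condition evaluation
    obligations: tuple = ()

def deny_overrides(rules, skip_permits_after_first=False):
    """Simplified deny-overrides (Indeterminate omitted, an assumption).

    Returns (decision, obligations, names of rules actually evaluated).
    skip_permits_after_first=False: every applicable permit rule contributes
    its obligations (the working assumption in the quoted minutes).
    skip_permits_after_first=True: permit rules after the first applicable
    one are not evaluated (the optimization raised in the reply).
    """
    permit_obligations, evaluated, found_permit = [], [], False
    for rule in rules:
        if skip_permits_after_first and found_permit and rule.effect == "Permit":
            continue             # cannot change the decision, so never evaluated
        evaluated.append(rule.name)
        if not rule.applicable:
            continue
        if rule.effect == "Deny":
            # Deny wins at once; only this one rule's obligations are returned.
            return "Deny", list(rule.obligations), evaluated
        found_permit = True
        permit_obligations.extend(rule.obligations)
    if found_permit:
        return "Permit", permit_obligations, evaluated
    return "NotApplicable", [], evaluated

# Constructed sample policy; rule names and obligation ids are invented.
RULES = [
    Rule("R1", "Permit", True, ("log-access",)),
    Rule("R2", "Permit", True, ("notify-owner",)),
    Rule("R3", "Deny", False, ("alert-admin",)),
    Rule("R4", "Permit", True, ("watermark",)),
]

if __name__ == "__main__":
    for skip in (False, True):
        decision, obligations, evaluated = deny_overrides(RULES, skip)
        print(f"skip={skip}: {decision} obligations={obligations} evaluated={evaluated}")
```

On the sample policy both modes return Permit, but the obligation set handed to the enforcement point differs, which is why the two positions cannot both hold for one conforming implementation.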


