Subject: Comment on issue 8? "choice element" or "Policy w no Rules"
To TC:

To collect the info from today's discussion, which was ref'd in the Feb 9 minutes: the "latest email" I thought Erik and I had agreement that a statement would be made in the "implementor's guide" that a Policy w no Rules may be ignored by developers:

http://lists.oasis-open.org/archives/xacml/201202/msg00000.html

"It would seem to me that at a minimum, we could include

During today's discussion, the notion was introduced that somehow a combining algorithm could effectively introduce a decision despite the fact that there were no Rules in the Policy. However, I think that interpretation is wrong for the following reason.

For Policy evaluation, we have to refer to section 7.11 "Policy Evaluation". According to Table 5 there, the following is normative behavior:

The policy truth table is shown in Table 5.

I think we can agree that the Target is a "Match", since, by section 7.7, even an empty Target matches any request.

Also, I think that rows 1 and 3 that begin with "At least one rule ..." do not apply since there are "zero Rules" in the use case we are discussing. Since those rows are the only places that cause the rule-combining algorithm to be invoked, I think we can assume that even combining algorithms, such as "Deny-unless-permit" (section C.6) or "Permit-unless-deny" (section C.7) will not get invoked.

Therefore, the only thing that is left is row 2, which states: "All Rule values are "NotApplicable"". I believe this statement is TRUE, because in order to be false there must be at least one Rule which has a value other than "NotApplicable", which is FALSE, and therefore the statement is TRUE.

Therefore, a Policy w no Rules must evaluate to NotApplicable. QED. :)

Thanks,
Rich
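The argument in the message above, as an added Python sketch (not part of the original email and not text from the XACML specification): it models only the Target "Match" rows of the policy truth table as the email reads them, and contrasts that reading with invoking the combining algorithms of sections C.6 and C.7 directly on an empty rule list. All function and type names are assumptions made for illustration.

```python
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


def deny_unless_permit(rule_values):
    """Section C.6: Permit if any rule value is Permit, otherwise Deny."""
    return Decision.PERMIT if Decision.PERMIT in rule_values else Decision.DENY


def permit_unless_deny(rule_values):
    """Section C.7: Deny if any rule value is Deny, otherwise Permit."""
    return Decision.DENY if Decision.DENY in rule_values else Decision.PERMIT


def evaluate_matched_policy(rule_values, combine):
    """Policy value when the Target is a "Match", following the email's reading.

    Row 2 is tested with all(), which is vacuously True for an empty list,
    so a Policy with zero Rules never reaches the combining algorithm.
    """
    if all(v is Decision.NOT_APPLICABLE for v in rule_values):
        return Decision.NOT_APPLICABLE          # row 2
    return combine(rule_values)                 # rows 1 and 3


def compare_readings(rule_values, combine):
    """Return (truth-table reading, combining algorithm invoked directly)."""
    return evaluate_matched_policy(rule_values, combine), combine(rule_values)


if __name__ == "__main__":
    # Constructed inputs: an empty Policy, then two small non-empty ones.
    na, permit = Decision.NOT_APPLICABLE, Decision.PERMIT
    for name, algo in (("deny-unless-permit", deny_unless_permit),
                       ("permit-unless-deny", permit_unless_deny)):
        for rules in ([], [na, na], [na, permit]):
            table, direct = compare_readings(rules, algo)
            labels = [r.value for r in rules]
            print(f"{name:20} rules={labels} "
                  f"table={table.value} direct={direct.value}")
```

For the empty Policy the two readings diverge: the truth-table reading gives NotApplicable, while calling the algorithm directly gives Deny under C.6 and Permit under C.7, which is the difference the thread is debating.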