OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Comment on issue 8? "choice element" or "Policy w no Rules"

On 2012-02-24 14:48, remon.sinnema@emc.com wrote:

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Erik Rissanen
Sent: Friday, February 24, 2012 10:12 AM
To: xacml@lists.oasis-open.org
Subject: Re: [xacml] Comment on issue 8? "choice element" or "Policy w no Rules"

The current table looks like this:

Target    Rule values     Policy Value
“Match”    Don’t care    Specified by the rule-combining algorithm
“No-match”    Don’t care    “NotApplicable”
“Indeterminate”    See Table 7 See Table 7

The change was introduced in wd 20 in order to make sure the new combining algorithms were always
invoked. It would be confusing if a policy with permit-unless-deny could return not-applicable since
this algorithm was specifically introduced to guarantee that N/A or Indeterminate are never returned.
Granted, but it's more confusing to me that a Policy without any Rules has any impact on the decision at all.

Hi Ray,

I would also think it this is pretty confusing: ;-)

Empty policy, with permit-unless-deny -> N/A
Add a rule to this policy, which does not match the request -> Permit

BTW, section 3.3, Policy Language Model, states that a Policy should have 1..* Rules. Oddly, this section states that a PolicySet should have 0..* Policies.

I think there probably has been confusion in the past about whether a policy should be allowed to be empty. In my opinion it is useful so an empty policy can be there as a place holder for future rules or as a special case result from an automatic process which constructs the policy. In the past at some meeting I think Hal said that the motivation for the 0..* for policyset has been this. I think that the same should apply to a policy. But since the schema looks a bit odd, it could be accidental.

Best regards,


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]