Re: [xacml] Comment on issue 8? "choice element" or "Policy w no Rules"

[Erik Rissanen <erik@axiomatics.com>]

On 2012-02-24 14:48, remon.sinnema@emc.com wrote:
> Erik,
>
>
> From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Erik Rissanen
> Sent: Friday, February 24, 2012 10:12 AM
> To: xacml@lists.oasis-open.org
> Subject: Re: [xacml] Comment on issue 8? "choice element" or "Policy w no Rules"
>
> > The current table looks like this:
> >
> > Target    Rule values     Policy Value
> > “Match”    Don’t care    Specified by the rule-combining algorithm
> > “No-match”    Don’t care    “NotApplicable”
> > “Indeterminate”    See Table 7 See Table 7
> >
> > The change was introduced in wd 20 in order to make sure the new combining algorithms were always
> > invoked. It would be confusing if a policy with permit-unless-deny could return not-applicable since
> > this algorithm was specifically introduced to guarantee that N/A or Indeterminate are never returned.
> Granted, but it's more confusing to me that a Policy without any Rules has any impact on the decision at all.

Hi Ray,

I would also think it this is pretty confusing: ;-)

Empty policy, with permit-unless-deny -> N/A
Add a rule to this policy, which does not match the request -> Permit


> BTW, section 3.3, Policy Language Model, states that a Policy should have 1..* Rules. Oddly, this section states that a PolicySet should have 0..* Policies.

I think there probably has been confusion in the past about whether a 
policy should be allowed to be empty. In my opinion it is useful so an 
empty policy can be there as a place holder for future rules or as a 
special case result from an automatic process which constructs the 
policy. In the past at some meeting I think Hal said that the motivation 
for the 0..* for policyset has been this. I think that the same should 
apply to a policy. But since the schema looks a bit odd, it could be 
accidental.

Best regards,
Erik

> Thanks,
> Ray