Subject: RE: [xacml] XACML 3.0 Public review 04 - Feedback from TSCP
Ray,

I kept focusing on the combining algorithm on policy sets and obviously missed the ones on the PDP root. Sounds like exactly what we need then. Thanks for pointing it out.

Jean-Paul Buu-Sao

-----Original Message-----
From: remon.sinnema@emc.com [mailto:remon.sinnema@emc.com]
Sent: Friday, June 29, 2012 10:07
To: Jean-Paul Buu-Sao
Cc: xacml@lists.oasis-open.org
Subject: RE: [xacml] XACML 3.0 Public review 04 - Feedback from TSCP

Jean-Paul,

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Jean-Paul Buu-Sao
Sent: Thursday, June 28, 2012 5:49 PM
To: Hal Lockhart; xacml@lists.oasis-open.org
Subject: RE: [xacml] XACML 3.0 Public review 04 - Feedback from TSCP

> a) Applicability: a policy is applicable only if all conditions match
> (inclusive of policy-id and resource). If one policy is NotApplicable,
> other policies of the policy-set must be evaluated.

So you are correct to invoke the potential of a NotApplicable result. How is it possible to denote that NotApplicable across the whole policy-set must return a Deny?

From the core spec:

"7.17 Authorization decision
In relation to a particular decision request, the PDP is defined by a policy-combining algorithm and a set of policies and/or policy sets. The PDP SHALL return a response context as if it had evaluated a single policy set consisting of this policy-combining algorithm and the set of policies and/or policy sets."

So you should configure the PDP's root policy-combining algorithm to something like deny-unless-permit.

Thanks,
Ray
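The root-algorithm point made in the exchange above, as an added example that is not part of the thread: a small Python model of the two XACML 3.0 policy-combining algorithms, reduced to decision values (obligations and advice ignored), showing that when every policy in the set is NotApplicable, a deny-overrides root leaves the PDP at NotApplicable while a deny-unless-permit root turns it into Deny. The decision strings and the scenario are constructed for illustration.

```python
"""Model of XACML 3.0 policy-combining algorithms at the PDP root.

Added example, not code from the mailing-list thread. Decision strings are
constructed stand-ins for the XACML Result/Decision values; obligations and
advice are not modelled.
"""
from typing import Iterable

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"


def deny_unless_permit(decisions: Iterable[str]) -> str:
    """urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit.
    Permit if any child permits, otherwise Deny; it never yields NotApplicable
    or Indeterminate, which is why it fits a "closed by default" PDP root."""
    return PERMIT if any(d == PERMIT for d in decisions) else DENY


def deny_overrides(decisions: Iterable[str]) -> str:
    """urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides,
    following the core spec's ordered rules: NotApplicable propagates when
    no child policy applies."""
    seen = set(decisions)
    if DENY in seen:
        return DENY
    if IND_DP in seen or (IND_D in seen and (IND_P in seen or PERMIT in seen)):
        return IND_DP
    if IND_D in seen:
        return IND_D
    if PERMIT in seen:
        return PERMIT
    if IND_P in seen:
        return IND_P
    return NA


def pdp_decision(root_alg, policy_decisions):
    """Section 7.17: the PDP answers as if it evaluated a single policy set made
    of the root combining algorithm and its policies/policy sets."""
    return root_alg(policy_decisions)


# Constructed scenario from the thread: every policy's conditions (policy-id,
# resource, ...) fail to match, so each policy evaluates to NotApplicable.
NONE_MATCH = [NA, NA, NA]

if __name__ == "__main__":
    print("deny-overrides root:    ", pdp_decision(deny_overrides, NONE_MATCH))
    print("deny-unless-permit root:", pdp_decision(deny_unless_permit, NONE_MATCH))
```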