[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Delegation and on-permit-apply-second
Hi Erik, The fact that the on-permit-apply-second combining rule restricts the number of child policies or policy sets to two means that where either child is a policy it must be a trusted policy (there is no room for authorizing administrative policies). This will have implications for access control on the policies themselves, which will vary between PAP implementations. A delegation-friendly change would be to restrict a policy set using the on-permit-apply-second combining rule to exactly two policy sets and/or *access* policies with no limit on the number of administrative policies. The combining algorithm would test the first access policy (which may need to be authorized by an administrative policy) or policy set before deciding to evaluate the second access policy (which may also need to be authorized) or policy set. I have previously argued on the comment list that labelling each policy as an access policy or administrative policy would improve the delegation profile and resolve a number of issues surrounding category prefixing. Such labelling would make it easy for the on-permit-apply-second combining rule to tell the difference between access policies and administrative policies. Regards, Steven
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]