Delegation and on-permit-apply-second

[Steven Legg <steven.legg@viewds.com>]

Hi Erik,

The fact that the on-permit-apply-second combining rule restricts the
number of child policies or policy sets to two means that where
either child is a policy it must be a trusted policy (there is no room
for authorizing administrative policies). This will have implications
for access control on the policies themselves, which will vary between
PAP implementations.

A delegation-friendly change would be to restrict a policy set using
the on-permit-apply-second combining rule to exactly two policy sets
and/or *access* policies with no limit on the number of administrative
policies. The combining algorithm would test the first access policy
(which may need to be authorized by an administrative policy) or policy
set before deciding to evaluate the second access policy (which may
also need to be authorized) or policy set.

I have previously argued on the comment list that labelling each policy
as an access policy or administrative policy would improve the delegation
profile and resolve a number of issues surrounding category prefixing.
Such labelling would make it easy for the on-permit-apply-second
combining rule to tell the difference between access policies and
administrative policies.

Regards,
Steven