RE: [xacml] Updated policy template wiki

[Jean-Paul Buu-Sao <jean-paul.buu-sao@tscp.org>]

Ray,

"N" represent the number of distinct, and identifiable policy instances, that can be generated in use-cases 1a;
"n" represent the number of distinct, and identifiable policy instances, that can be generated in use-cases 1b;
"T" represents the number of distinct, and identifiable policy templates (I just introduced this quantity, for completeness)

In the context of Export Control policies, here are some possible numbers, for the sake of illustration:

The US Export Control policy authority will produce a limited number of "T" policy templates (T being in the order of 10's). There is large number 'N" of policy instances (N being in the order of 10000). However each organization would have to only consider a subset of "n" policy instances (n being in the order of 100).

In use-case 1a, the US Export Control policy authority generates all the export licenses, by selecting the appropriate template (amongst the T), and applying the "N" policy data (that we named policy-template data, to be more specific). This generates the "N" policy instances. This use-case is applicable if the policy authority needs to keep track of all licenses that are emitted.

In use-case 1b, organizations, which apply for an export license, provide their own "n" policy-template data, which, applied to one of the "T" templates, generates "n" policy instances. This use-case is applicable if the policy authority accepts that the exporter manages its own export license.

Jean-Paul

-----Original Message-----
From: Sinnema, Remon [mailto:remon.sinnema@emc.com] 
Sent: Wednesday, October 10, 2012 10:16
To: Jean-Paul Buu-Sao
Cc: xacml@lists.oasis-open.org
Subject: RE: [xacml] Updated policy template wiki

Hi Jean-Paul,


> -----Original Message-----
> From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On
> Behalf Of Jean-Paul Buu-Sao
> Sent: Wednesday, October 10, 2012 9:46 AM
> To: Erik Rissanen; Steven Legg
> Cc: Danny Thorpe; xacml@lists.oasis-open.org
> Subject: RE: [xacml] Updated policy template wiki
> 
> 1a) I have a very large number of policies (say, N > 10000) that are all
> identical, except for the constant values that contain in their access
rules.
> Every single one of these policies has a unique identity.
> 1b) We build one template which, given the correct dataset, can produce
the
> same N policy instances
> 
> Let now introduce the modality. There are two use-cases:
> 
> 2a) The policy authority uses the template mechanism to ease the
> production of the N policy instances, which are all produced before being
> distributed for execution. Organizations implementing the policy do not
see
> the policy template, only the N policy instances
> 2b) The policy authority distributes the its policy template to
organizations.
> Each organization need to supply n policy data (n is a small number,
typically
> between 1 and 100) which, combined with the policy template, produces n
> policy instances
> 
> The "iteration" can occur on either 2a or 2b (i.e. iterate through N
policy data,
> or through n policy data). Objective is to produce the N or n policy
instances.

I'm still confused.

What do N and n represent? Is the "policy data" in "N policy data" and "n
policy data" the same? If not, then please use different terms. Also,
something more specific than "data" would help me.


Thanks,
Ray