Re: [xacml] Generalizing on-permit-apply-second

[Steven Legg <steven.legg@viewds.com>]

Hi Ray,

On 22/05/2013 5:31 PM, Sinnema, Remon wrote:
> Hi Steven,
>
>
> > -----Original Message-----
> > From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Steven Legg
> > Sent: Wednesday, May 22, 2013 9:11 AM
> > To: Erik Rissanen
> > Cc: Bill Parducci; xacml@lists.oasis-open.org
> > Subject: Re: [xacml] Generalizing on-permit-apply-second
> >
> > It means a bit more policy set wrapping, but is more robust and easier to follow.
>
> I don't agree with that statement. There is a reason most programming languages have a "switch" or "case" construct in addition to "if".

Yeah, but those languages have a syntax to introduce the various parts of
the construct. All we have in a policy set is a list of policies and policy sets
(and references to same). The part each plays in the "switch" construct is solely
determined by position. Go to any policy in a big policy set and you won't know
what part it plays except by counting back to the beginning. At least with
nested on-permit-apply-second one only needs to count to three at most.

We're also talking about something more general that a switch or case because
we are applying a test at each second policy.

It's more like:

    if condition A
        policy set 2
    else if Condition B
        policy set 4
    else if Condition C
        policy set 6
    ...
    else
        policy set N

than

    switch (condition)
    case 1: policy set 2
    case 2: policy set 4
    case 3: policy set 6
    ...
    default: policy set N

Regards,
Steven

> Thanks,
> Ray