
xacml message


Subject: Re: [xacml] Re: "else" is what ? Was:Re: [xacml] Generalizing on-permit-apply-second

On May 23, 2013, at 5:23 PM, Steven Legg <steven.legg@viewds.com> wrote:

> Hi Bill,
> On 24/05/2013 1:58 AM, Bill Parducci wrote:
>> If there is a condition in any given PolicySet that could preclude the inclusion of any other PolicySet, it seems that there would be the possibility of conflict. I have not thought about this in depth, but it seems possible that PolicySet A could have a condition that fires excluding PolicySet B which concurrently has a condition that fires, excluding PolicySet A.
> The only way I can see that being possible is if the policy sets include
> each other by reference, either directly or indirectly. Such a construction
> is an error according to the XACML core.
> As children of the same policy set with the on-permit-apply-second combining
> algorithm, only the first child has the power to exclude the second and/or
> third child. The second and third children can't exclude each other or the
> first child.
> Steven

Ok. So to make sure that I am fully grasping this, the proposal is that this new mechanism only applies to PolicySets (not Policies) and that these PolicySets will have a new requirement that Policy order is required to be maintained within them. Is this correct?


