xacml message

Subject: Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec

The TNC MAP Authorization focal asked for clarification regarding a section of the XACML core spec, which I was unable to answer definitively, so I agreed to bring the question to the XACML TC list.


The XACML spec states:


7.17 Authorization decision

In relation to a particular decision request, the PDP is defined by a policy-combining algorithm and a set of policies and/or policy sets. The PDP SHALL return a response context as if it had evaluated a single policy set consisting of this policy-combining algorithm and the set of policies and/or policy sets.


Question: Does the PDP have a default/root PolicySet with a policy-combining algorithm even if it’s not explicitly defined? If so, what is the policy-combining algorithm?


Let me walk through a scenario:


When a PDP receives an XACML request, the PDP looks for all applicable policies and policy sets (as determined by section 5.6 Element <Target>). Let’s say it finds one Policy A and one Policy Set B. So, to me that would mean that the “policy set” is made up of Policy A and Policy Set B (Set={A,B}). It’s my understanding that if, for example, Policy A has a PolicyReference or PolicySetReference to a policy or policy set outside of that set (e.g. Policy C) then it would be pulled in as part of the evaluation of Policy A.


In addition, Policy A and Policy Set B will each have their own combining algorithm and each will evaluate to a single decision of either Permit, Deny, Indeterminate, or NotApplicable. For the sake of this scenario let’s say Policy A decision = Permit and Policy Set B decision = Deny. Here is where I agree it becomes fuzzy. The PDP can only return one decision and it must use a combining algorithm to determine the final verdict. Where does this combining algorithm come from? Where is it defined? Is there a default combining algorithm that the PDP uses?


- Richard Hill
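As an added illustration of why the question matters (this is example code written for this archive page, not part of Richard's message and not the XACML TC's or any PDP vendor's code), the following applies the standard XACML 3.0 policy-combining algorithms from Appendix C of the core spec to the scenario above, where Policy A evaluates to Permit and Policy Set B evaluates to Deny. It assumes each child has already been reduced to a decision string, ignores obligations and advice, and models the extended Indeterminate values (Indeterminate{D}, Indeterminate{P}, Indeterminate{DP}) as the spec describes them. The point it makes concrete is that the root-level combining algorithm decides the outcome: the same two child decisions yield Deny under deny-overrides and Permit under permit-overrides, and first-applicable depends on ordering.

```python
"""XACML 3.0 policy-combining algorithms applied to Richard's scenario.

Added example for this mailing-list page; not code from the message or the
XACML TC. Assumes child policies are already evaluated to decision strings.
"""
from typing import Callable, Dict, Iterable, List

# Decision values as the core spec spells them.
PERMIT = "Permit"
DENY = "Deny"
NOT_APPLICABLE = "NotApplicable"
IND_D = "Indeterminate{D}"    # would have been Deny, but errored
IND_P = "Indeterminate{P}"    # would have been Permit, but errored
IND_DP = "Indeterminate{DP}"  # could have been either


def deny_overrides(decisions: Iterable[str]) -> str:
    """Deny wins; Permit only when no child could have produced Deny."""
    ds = list(decisions)
    if DENY in ds:
        return DENY
    if IND_DP in ds:
        return IND_DP
    if IND_D in ds and (IND_P in ds or PERMIT in ds):
        return IND_DP
    if IND_D in ds:
        return IND_D
    if PERMIT in ds:
        return PERMIT
    if IND_P in ds:
        return IND_P
    return NOT_APPLICABLE


def permit_overrides(decisions: Iterable[str]) -> str:
    """Mirror image of deny-overrides: Permit wins."""
    ds = list(decisions)
    if PERMIT in ds:
        return PERMIT
    if IND_DP in ds:
        return IND_DP
    if IND_P in ds and (IND_D in ds or DENY in ds):
        return IND_DP
    if IND_P in ds:
        return IND_P
    if DENY in ds:
        return DENY
    if IND_D in ds:
        return IND_D
    return NOT_APPLICABLE


def first_applicable(decisions: Iterable[str]) -> str:
    """Order matters: the first child that is not NotApplicable decides."""
    for d in decisions:
        if d != NOT_APPLICABLE:
            return d  # Permit, Deny or any Indeterminate ends evaluation
    return NOT_APPLICABLE


def deny_unless_permit(decisions: Iterable[str]) -> str:
    """Fail closed: only an explicit Permit permits; never Indeterminate."""
    return PERMIT if PERMIT in list(decisions) else DENY


def permit_unless_deny(decisions: Iterable[str]) -> str:
    """Fail open: only an explicit Deny denies; never Indeterminate."""
    return DENY if DENY in list(decisions) else PERMIT


# Standard algorithm identifiers from the XACML 1.0/3.0 specifications.
ALGORITHMS: Dict[str, Callable[[Iterable[str]], str]] = {
    "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides": deny_overrides,
    "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides": permit_overrides,
    "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable": first_applicable,
    "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit": deny_unless_permit,
    "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny": permit_unless_deny,
}


def combine(algorithm_id: str, decisions: List[str]) -> str:
    """Act as the implicit root policy set of section 7.17 for the given algorithm."""
    return ALGORITHMS[algorithm_id](decisions)


# Constructed scenario from the message: Policy A -> Permit, Policy Set B -> Deny.
SCENARIO: List[str] = [PERMIT, DENY]


def scenario_outcomes() -> Dict[str, str]:
    """Final PDP decision for the scenario under each root combining algorithm."""
    return {alg.rsplit(":", 1)[1]: combine(alg, SCENARIO) for alg in ALGORITHMS}


if __name__ == "__main__":
    for name, result in scenario_outcomes().items():
        print(f"{name:20s} -> {result}")
```

Running it prints one line per algorithm; only deny-overrides, permit-unless-deny and (with A before B) first-applicable agree with each other, which is exactly the ambiguity the message points at when the root algorithm is left unspecified.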

