Subject: RE: Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec

Since the spec doesn’t say how that policy combining algorithm is to be specified to the PDP (the spec doesn’t cover much of anything of PDP configuration), I think we have to consider it a vendor specific implementation detail.


To avoid having to create an external config setting in our PDP implementation, we simply require that the PDP be assigned exactly one policyset, so that the selection of combining algorithm is explicit and authored in the usual policy admin environment.




Danny Thorpe

Authorization Architect

Dell | Identity & Access Management, Quest Software


Quest Software is now part of Dell.


From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Hill, Richard C
Sent: Tuesday, June 25, 2013 1:34 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec


The TNC MAP Authorization focal asked for clarification regarding a section of the XACML core spec, which I was unable to definitively answer, so I agreed to bring the question to the XACML TC list.


The XACML spec states:


7.17 Authorization decision

In relation to a particular decision request, the PDP is defined by a policy-combining algorithm and a set of policies and/or policy sets. The PDP SHALL return a response context as if it had evaluated a single policy set consisting of this policy-combining algorithm and the set of policies and/or policy sets.


Question: Does the PDP have a default/root PolicySet with a policy-combining algorithm even if it’s not explicitly defined? If so, what is the policy-combining algorithm?


Let me walk through a scenario:


When a PDP receives an XACML request, the PDP looks for all applicable policies and policy sets (as determined by section 5.6 Element <Target>). Let’s say it finds one Policy A and one Policy Set B. So, to me that would mean that the “policy set” is made up of Policy A and Policy Set B (Set={A,B}). It’s my understanding that if, for example, Policy A has a PolicyReference or PolicySetReference to a policy or policy set outside of that set (e.g. Policy C) then it would be pulled in as part of the evaluation of Policy A.


In addition, Policy A and Policy Set B will each have their own combining algorithm and each will evaluate to a single decision of either Permit, Deny, Indeterminate, or NotApplicable. For the sake of this scenario let’s say Policy A decision = Permit and Policy Set B decision = Deny. Here is where I agree it becomes fuzzy. The PDP can only return one decision and it must use a combining algorithm to determine the final verdict. Where does this combining algorithm come from? Where is it defined? Is there a default combining algorithm that the PDP uses?


- Richard Hill
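As an added illustration (not code from this thread or from any vendor's PDP), here is a small Python model of the section 7.17 wording: the PDP's final decision is whatever one explicitly supplied root policy-combining algorithm yields over the decisions of the applicable policies, so Richard's Permit/Deny scenario resolves differently depending on that choice, and with no root algorithm configured the PDP has nothing in the spec to fall back on. The combining algorithms are simplified (the spec's extended Indeterminate variants are collapsed into plain Indeterminate), and the function names and the `root_alg` parameter are assumptions of this example.

```python
# Added example, not from the thread: a toy model of XACML 3.0 section 7.17.
# The PDP evaluates its applicable policies/policy sets, then combines their
# decisions as if they sat inside a single root PolicySet whose
# policy-combining algorithm must be supplied explicitly.
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# Standard algorithm identifiers from the XACML 3.0 core spec.
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"

def deny_overrides(decisions):
    # Simplified: the spec's Indeterminate{D}/{P}/{DP} variants are collapsed.
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

def permit_overrides(decisions):
    if PERMIT in decisions:
        return PERMIT
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return DENY if DENY in decisions else NOT_APPLICABLE

def first_applicable(decisions):
    # Document order matters: the first child that is not NotApplicable decides.
    for d in decisions:
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE

COMBINERS = {DENY_OVERRIDES: deny_overrides,
             PERMIT_OVERRIDES: permit_overrides,
             FIRST_APPLICABLE: first_applicable}

def pdp_decide(applicable, root_alg):
    """applicable: [(policy name, its own combined decision), ...] in document order.
    root_alg: identifier of the root PolicySet's policy-combining algorithm (assumed
    to come from PDP configuration; the spec defines no default)."""
    if root_alg not in COMBINERS:
        raise ValueError(f"no root policy-combining algorithm configured: {root_alg!r}")
    return COMBINERS[root_alg]([decision for _, decision in applicable])

if __name__ == "__main__":
    # Richard's scenario: Policy A -> Permit, Policy Set B -> Deny.
    scenario = [("Policy A", PERMIT), ("Policy Set B", DENY)]
    for alg in COMBINERS:
        print(alg.rsplit(":", 1)[1], "->", pdp_decide(scenario, alg))
```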
