Subject: RE: Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec
Since the spec doesn't say how that policy combining algorithm is to be specified to the PDP (the spec doesn't cover much of anything of PDP configuration), I think we have to consider it a vendor specific implementation detail. To avoid having to create an external config setting in our PDP implementation, we simply require that the PDP be assigned exactly one policyset, so that the selection of combining algorithm is explicit and authored in the usual policy admin environment.

-Danny

Danny Thorpe
Authorization Architect
Dell | Identity & Access Management, Quest Software
Quest Software is now part of Dell.

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Hill, Richard C
The TNC MAP Authorization focal asked for clarification regarding a section of the XACML core spec, which I was unable to definitively answer, so I agreed to bring the question to the XACML TC list.

The XACML spec states:

7.17 Authorization decision
In relation to a particular decision request, the PDP is defined by a policy-combining algorithm and a set of policies and/or policy sets. The PDP SHALL return a response context as if it had evaluated a single policy set consisting of this policy-combining algorithm and the set of policies and/or policy sets.

Question: Does the PDP have a default/root PolicySet with a policy-combining algorithm even if it's not explicitly defined? If so, what is the policy-combining algorithm?

Let me walk through a scenario: When a PDP receives an XACML request, the PDP looks for all applicable policies and policy sets (as determined by section 5.6 Element <Target>). Let's say it finds one Policy A and one Policy Set B. So, to me that would mean that the "policy set" is made up of Policy A and Policy Set B (Set={A,B}). It's my understanding that if, for example, Policy A has a PolicyReference or PolicySetReference to a policy or policy set outside of that set (e.g. Policy C) then it would be pulled in as part of the evaluation of Policy A. In addition, Policy A and Policy Set B will each have their own combining algorithm and each will evaluate to a single decision of either Permit, Deny, Indeterminate, or NotApplicable. For the sake of this scenario let's say Policy A decision = Permit and Policy Set B decision = Deny. Here is where I agree it becomes fuzzy. The PDP can only return one decision and it must use a combining algorithm to determine the final verdict. Where does this combining algorithm come from? Where is it defined? Is there a default combining algorithm that the PDP uses?

- Richard Hill
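To show why the question matters and why an explicit root policy set settles it, here is an added example that is not from either poster or from any PDP product: Richard's scenario (Policy A = Permit, Policy Set B = Deny) run through the XACML 3.0 deny-overrides and permit-overrides policy-combining algorithms of the core spec's Appendix C, with the root algorithm supplied explicitly rather than defaulted. Function names, the `Decision` enum and the child decisions are this example's own assumptions; policy evaluation itself is not modelled, only the combining step.

```python
from enum import Enum

class Decision(str, Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDET_D = "Indeterminate{D}"    # error; would otherwise have been Deny
    INDET_P = "Indeterminate{P}"    # error; would otherwise have been Permit
    INDET_DP = "Indeterminate{DP}"  # error; could have been either

def _overrides(decisions, win, lose, indet_win, indet_lose):
    # Shared shape of the XACML 3.0 deny-/permit-overrides algorithms (core spec,
    # Appendix C): the winning effect beats all, then the Indeterminate forms by lean.
    ds = set(decisions)
    if win in ds:
        return win
    if Decision.INDET_DP in ds or (indet_win in ds and (indet_lose in ds or lose in ds)):
        return Decision.INDET_DP
    if indet_win in ds:
        return indet_win
    if lose in ds:
        return lose
    if indet_lose in ds:
        return indet_lose
    return Decision.NOT_APPLICABLE

def deny_overrides(decisions):
    return _overrides(decisions, Decision.DENY, Decision.PERMIT, Decision.INDET_D, Decision.INDET_P)

def permit_overrides(decisions):
    return _overrides(decisions, Decision.PERMIT, Decision.DENY, Decision.INDET_P, Decision.INDET_D)

# Standard XACML 3.0 policy-combining algorithm identifiers for the two above.
COMBINERS = {
    "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides": deny_overrides,
    "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides": permit_overrides,
}

def pdp_decide(root_algorithm_id, child_decisions):
    """Combine the applicable children's decisions as 7.17 describes: as if one root
    policy set with the given algorithm held them. No algorithm id, no default."""
    if root_algorithm_id not in COMBINERS:
        raise ValueError(f"no policy-combining algorithm configured: {root_algorithm_id!r}")
    return COMBINERS[root_algorithm_id](child_decisions.values())

if __name__ == "__main__":
    # Richard's scenario (constructed decisions): Policy A -> Permit, Policy Set B -> Deny.
    children = {"Policy A": Decision.PERMIT, "Policy Set B": Decision.DENY}
    for alg_id in COMBINERS:
        print(alg_id.rsplit(":", 1)[1], "->", pdp_decide(alg_id, children).value)
```

The same two child decisions produce Deny under one root algorithm and Permit under the other, which is why the choice has to be authored somewhere a policy reviewer can see it.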