OASIS Mailing List Archives

xacml message


Subject: Re: [xacml] Request Clarification on section 7.17 Authz decision of the 3.0 Core Spec

Hi Richard,

On 26/06/2013 6:34 AM, Hill, Richard C wrote:
The TNC MAP Authorization focal asked for clarification regarding a section of the XACML core spec, which I
was unable to definitively answer, so I agreed to bring the question to the XACML TC list.

The XACML spec states:

7.17 Authorization decision

In relation to a particular decision request, the PDP is defined by a policy-combining algorithm
and a set of policies and/or policy sets. The PDP SHALL return a response context as if it
had evaluated a single policy set consisting of this policy-combining algorithm and the set of
policies and/or policy sets.

Question: Does the PDP have a default/root PolicySet with a policy-combining algorithm even if it's not
explicitly defined? If so, what is the policy-combining algorithm?

Let me walk through a scenario:

When a PDP receives an XACML request, the PDP looks for all applicable policies and policy sets (as
determined by section 5.6 Element <Target>). Let's say it finds one Policy A and one Policy Set B. So, to me
that would mean that the "policy set" is made up of Policy A and Policy Set B (Set = {A, B}). It's my
understanding that if, for example, Policy A has a PolicyReference or PolicySetReference to a policy or
policy set outside of that set (e.g. Policy C) then it would be pulled in as part of the evaluation of Policy A.

In addition, Policy A and Policy Set B will each have their own combining algorithm and each will evaluate
to a single decision of either Permit, Deny, Indeterminate, or NotApplicable. For the sake of this scenario
let’s say Policy A decision = Permit and Policy Set B decision = Deny. Here is where I agree it becomes
fuzzy. The PDP can only return one decision and it must use a combining algorithm to determine the final
verdict. Where does this combining algorithm come from? Where is it defined? Is there a default combining
algorithm that the PDP uses?

In ViewDS the combining algorithm is part of the PDP configuration. It defaults
to deny-overrides if it is not explicitly set. We distinguish policy sets as
being either primary or secondary. The primary policy sets are evaluated and
combined according to the configured combining algorithm. The secondary policy
sets will be used only if referenced from another policy set that is evaluated.
Policies are all effectively secondary. Thus the PDP acts as though it has a
virtual policy set as the starting point with the configured combining algorithm
and all the primary policy sets as children.

When importing policy from a system that distinguishes one policy set as the
starting point, that policy set would be primary and all the rest would be
secondary. The default combining algorithm of deny-overrides becomes the
identity mapping when there is only one child/primary.


- Richard Hill
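The thread's scenario (Policy A evaluates to Permit, Policy Set B to Deny, and the PDP combines them through a virtual root policy set with a configured combining algorithm) as an added example; this is illustration code written for this page, not ViewDS code and not the XACML TC's reference material. The combining algorithms follow the XACML 3.0 core specification, Appendix C (deny-overrides and permit-overrides, including the Indeterminate{D}/{P}/{DP} variants). The policy contents, the request attributes and the `PDP` class with its `primary` list are assumptions made for the example; the modelled policies are plain callables rather than parsed XACML.

```python
"""Toy model of the 'virtual root policy set' discussed in the thread.

Added example, not code from the XACML specification or from ViewDS.
Decisions are modelled as strings; the extended Indeterminate forms of
XACML 3.0 are included because the combining algorithms depend on them.
"""
from typing import Callable, Dict, Iterable, List

# Decision values (XACML 3.0 core, section 7.18 and Appendix C).
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"
ALL_DECISIONS = [PERMIT, DENY, NA, IND_D, IND_P, IND_DP]

Request = Dict[str, str]
Policy = Callable[[Request], str]  # assumption: a policy/policy set is a callable


def deny_overrides(decisions: Iterable[str]) -> str:
    """XACML 3.0 policy-combining deny-overrides (Appendix C.2), in spec order."""
    ds = list(decisions)
    if DENY in ds:
        return DENY
    if IND_DP in ds:
        return IND_DP
    if IND_D in ds and (IND_P in ds or PERMIT in ds):
        return IND_DP
    if IND_D in ds:
        return IND_D
    if PERMIT in ds:
        return PERMIT
    if IND_P in ds:
        return IND_P
    return NA


def permit_overrides(decisions: Iterable[str]) -> str:
    """XACML 3.0 policy-combining permit-overrides (Appendix C.4), in spec order."""
    ds = list(decisions)
    if PERMIT in ds:
        return PERMIT
    if IND_DP in ds:
        return IND_DP
    if IND_P in ds and (IND_D in ds or DENY in ds):
        return IND_DP
    if IND_P in ds:
        return IND_P
    if DENY in ds:
        return DENY
    if IND_D in ds:
        return IND_D
    return NA


class PDP:
    """A PDP whose root is a virtual policy set: the configured combining
    algorithm applied to the decisions of the 'primary' policy sets.
    Secondary policies are only reached via references from a primary one,
    so they are not part of this list (assumed structure, per the reply)."""

    def __init__(self, primary: List[Policy], combiner: Callable[[Iterable[str]], str] = deny_overrides):
        self.primary = primary
        self.combiner = combiner  # default mirrors the reply: deny-overrides

    def evaluate(self, request: Request) -> str:
        # The PDP evaluates every primary child and combines the results,
        # exactly as if a single root <PolicySet> wrapped them (spec 7.17).
        return self.combiner(p(request) for p in self.primary)


# Constructed policies for the thread's scenario (assumptions, not real policy).
def policy_a(req: Request) -> str:
    """Policy A: permits administrators; otherwise not applicable."""
    return PERMIT if req.get("role") == "admin" else NA


def policy_set_b(req: Request) -> str:
    """Policy Set B: denies access to the 'secret' resource; otherwise not applicable."""
    return DENY if req.get("resource") == "secret" else NA


def scenario() -> Dict[str, str]:
    """Run the A=Permit, B=Deny case under both combining algorithms."""
    req = {"role": "admin", "resource": "secret"}  # constructed request
    return {
        "A": policy_a(req),
        "B": policy_set_b(req),
        "deny-overrides": PDP([policy_a, policy_set_b]).evaluate(req),
        "permit-overrides": PDP([policy_a, policy_set_b], permit_overrides).evaluate(req),
    }


def single_child_is_identity(combiner: Callable[[Iterable[str]], str]) -> bool:
    """The reply's point: with one primary child the combiner changes nothing."""
    return all(combiner([d]) == d for d in ALL_DECISIONS)


if __name__ == "__main__":
    print(scenario())
    print("deny-overrides identity with one child:", single_child_is_identity(deny_overrides))
```

With the configured default, the conflicting Permit from A and Deny from B resolve to Deny; switching the root combiner to permit-overrides flips the answer, which is why the choice of that root algorithm is PDP configuration rather than something the policies themselves can express. The identity check covers all six decision values, so importing a single root policy set into such a PDP preserves its verdict exactly.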
