
xacml message



Subject: Question on Combining Alg


Hi All,

So I have an interesting question that I cannot find addressed in the spec.  I feel silly even asking this,  but:

How should combining algorithms be handled when there is both a policySet as well as a policy defined?

I take the example from the RSA interop example:

<PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">

<Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">

<Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">


I take this to be read as "Always return DENY" since:
Policy 1 is evaluated, all rules are evaluated, and result is PERMIT,
Policy 2 is evaluated, all rules are evaluated and result is NOT APPLICABLE
        Policy Combiner deny-unless-permit is applied leaving result as DENY.

Policy Set combiner is evaluated (deny-overrides): and since Policy 2 results in Deny, even though there is a PERMIT from Policy 1, result should be DENY.

Can someone explain to me where I am misunderstanding?

Thanx

Allan



--
Simplify Email: Email Charter

Allan Foster - ForgeRock
Vice President Technology & Standards
Office of the CTO
Location: Vancouver, WA, US
p: +1.360.229.7102
email: allan.foster@forgerock.com
www: www.forgerock.com
www: www.forgerock.org
blogs: blogs.forgerock.com/GuruAllan
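
An added example, not part of the original message or of the RSA interop policies: a simplified Python model of the two combining algorithms named in the message, applied to the two-policy set it describes. Indeterminate handling is omitted, and the function names and the target-match flags are assumptions (the message does not show the policies' Target elements).

```python
# Added example: simplified model of XACML 3.0 combining (Indeterminate omitted).
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def deny_unless_permit(decisions):
    """Permit if any child decision is Permit, otherwise Deny.
    This algorithm never yields NotApplicable."""
    return PERMIT if PERMIT in decisions else DENY

def deny_overrides(decisions):
    """Deny if any child decision is Deny; else Permit if any child
    is Permit; else NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NA

def evaluate_policy(target_matches, rule_decisions,
                    rule_combiner=deny_unless_permit):
    """A Policy whose Target does not match is NotApplicable and its
    rule-combining algorithm is not consulted; only when the Target
    matches does the combiner decide the Policy's value."""
    if not target_matches:
        return NA
    return rule_combiner(rule_decisions)

def evaluate_policy_set(policies, policy_combiner=deny_overrides):
    """policies: list of (target_matches, rule_decisions) tuples."""
    return policy_combiner([evaluate_policy(t, r) for t, r in policies])

# Constructed scenarios. Policy 1's rules yield Permit and Policy 2's rules
# yield NotApplicable, as in the message; the target flags are assumptions.
BOTH_TARGETS_MATCH = [(True, [PERMIT]), (True, [NA])]
SECOND_TARGET_NO_MATCH = [(True, [PERMIT]), (False, [NA])]

if __name__ == "__main__":
    for name, ps in (("both targets match", BOTH_TARGETS_MATCH),
                     ("policy 2 target does not match", SECOND_TARGET_NO_MATCH)):
        per_policy = [evaluate_policy(t, r) for t, r in ps]
        print(f"{name}: policies={per_policy} -> set={evaluate_policy_set(ps)}")
```

With both Targets matching, the set evaluates to Deny as the message reasons; when Policy 2's Target does not match, Policy 2 contributes NotApplicable and the set evaluates to Permit.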

