OASIS Mailing List Archives
xacml message


Subject: Re: [xacml] Question on Combining Alg

Hi Allan,

In your example, at the beginning, it seems like the policy set and the 2 policies are all siblings, but later on we understand the 2 policies are in fact children of the policy set.

Assuming the latter, we have a parent PolicySet PS1 which contains 2 children: P1, and P2:

  • PS1: deny-overrides
    • P1: deny-unless-permit
    • P2: deny-unless-permit

P1 can yield either Deny (which masks Indeterminate and NotApplicable) or Permit.
P2 can yield either Deny (which masks Indeterminate and NotApplicable) or Permit.

This means that PS1 will yield a Permit if and only if both P1 and P2 yield Permit. This is a neat way of implementing a "greedy permit" behavior - where all child policies should trigger, and all should return Permit.

Any other combination will make PS1 return Deny.

Does that make sense?


On Sun, Sep 8, 2013 at 1:12 PM, Allan Foster <allan.foster@forgerock.com> wrote:
Hi All,

So I have an interesting question that I cannot find addressed in the spec. I feel silly even asking this, but:

How should combining algorithms be handled when there is both a policySet as well as a policy defined?

I take the example from the RSA interop example:

<PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">

<Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">

<Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">

I take this to be read as "Always return DENY" since:
Policy 1 is evaluated, all rules are evaluated, and the result is PERMIT.
Policy 2 is evaluated, all rules are evaluated, and the result is NOT APPLICABLE;
the Policy Combiner deny-unless-permit is applied, leaving the result as DENY.

The Policy Set combiner deny-overrides is evaluated: since Policy 2 results in Deny, even though there is a PERMIT from Policy 1, the result should be DENY.

Can someone explain to me where I am misunderstanding?



Simplify Email: Email Charter

Allan Foster - ForgeRock
Vice President Technology & Standards
Office of the CTO
Location: Vancouver, WA, US
p: +1.360.229.7102
email: allan.foster@forgerock.com
www: www.forgerock.com
www: www.forgerock.org
blogs: blogs.forgerock.com/GuruAllan

David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
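The combination discussed in this thread, as an added example that is not part of the original messages: a small Python model of the XACML 3.0 deny-unless-permit and deny-overrides algorithms, applied to a PolicySet PS1 with children P1 and P2. Policies are modelled as plain lists of rule decision strings (an assumption for illustration, not an XACML engine), and a helper checks the "Permit only when both children permit" claim over every single-rule outcome pair.

```python
# Added example (not from the thread): XACML 3.0 combining algorithms applied to
# the PolicySet in the discussion. Decision strings use the spec's extended
# Indeterminate values; each policy is a plain list of its rules' decisions.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"


def deny_unless_permit(decisions):
    """Rule-combining deny-unless-permit: Permit if any child permits, else Deny.
    NotApplicable and every Indeterminate flavour are masked as Deny (fail closed)."""
    return PERMIT if PERMIT in decisions else DENY


def deny_overrides(decisions):
    """Policy-combining deny-overrides, with the XACML 3.0 Indeterminate handling."""
    if DENY in decisions:
        return DENY
    if IND_DP in decisions:
        return IND_DP
    if IND_D in decisions and (IND_P in decisions or PERMIT in decisions):
        return IND_DP
    if IND_D in decisions:
        return IND_D
    if PERMIT in decisions:
        return PERMIT
    if IND_P in decisions:
        return IND_P
    return NA


def evaluate_ps1(p1_rules, p2_rules):
    """PS1 (deny-overrides) over P1 and P2 (each deny-unless-permit), as in the thread."""
    return deny_overrides([deny_unless_permit(p1_rules), deny_unless_permit(p2_rules)])


def permit_only_when_both_permit():
    """Check the thread's claim over every single-rule outcome pair for P1 and P2."""
    outcomes = [PERMIT, DENY, NA, IND_D, IND_P, IND_DP]
    return all((evaluate_ps1([a], [b]) == PERMIT) == (a == PERMIT and b == PERMIT)
               for a in outcomes for b in outcomes)


if __name__ == "__main__":
    # Allan's case: P1's rules give Permit, P2's rules give NotApplicable.
    print(evaluate_ps1([PERMIT], [NA]))           # Deny
    # Only an all-Permit outcome lets PS1 permit.
    print(evaluate_ps1([PERMIT], [NA, PERMIT]))   # Permit
    # An evaluation error inside P2 never surfaces as Indeterminate; it becomes Deny.
    print(evaluate_ps1([PERMIT], [IND_DP]))       # Deny
    print(permit_only_when_both_permit())         # True
```

Note that with deny-unless-permit as the rule combiner, an Indeterminate from a broken or misconfigured rule is indistinguishable from a genuine Deny at the PolicySet level, so PDP logs rather than the final decision are where such errors must be caught.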
