Subject: Re: [xacml] Question on Combining Alg
Hi All,
So I have an interesting question that I cannot find addressed in the spec. I feel silly even asking this, but:
How should combining algorithms be handled when there is both a PolicySet as well as a Policy defined?
I take the example from the RSA interop example:
<PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
    <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
    <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
I take this to be read as "Always return DENY" since:
Policy 1 is evaluated, all rules are evaluated, and result is PERMIT.
Policy 2 is evaluated, all rules are evaluated and result is NOT APPLICABLE.
Policy Combiner deny-unless-permit is applied leaving result as DENY.
Policy Set combiner is evaluated (deny-overrides), and since Policy 2 results in Deny, even though there is a PERMIT from Policy 1, the result should be DENY.
Can someone explain to me where I am misunderstanding?
Thanx
Allan
--
Allan Foster - ForgeRock
Vice President Technology & Standards
Office of the CTO
Location: Vancouver, WA, US
p: +1.360.229.7102
email: allan.foster@forgerock.com
www: www.forgerock.com
www: www.forgerock.org
blogs: blogs.forgerock.com/GuruAllan
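
Added example (not part of the original message and not taken from the RSA interop policies): a small Python model of the two-level evaluation walked through above, following the XACML 3.0 rule that a policy's rule-combining algorithm is applied only when the policy's own Target matches. It is limited to Permit, Deny and NotApplicable (no Indeterminate, no obligations); the function names and the sample rule results are constructed for illustration.

```python
# Added example: two-level XACML 3.0 combining, restricted to
# Permit / Deny / NotApplicable (Indeterminate and obligations are omitted).
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"


def deny_unless_permit(decisions):
    # Never yields NotApplicable: Permit if any child permits, otherwise Deny.
    return PERMIT if PERMIT in decisions else DENY


def deny_overrides(decisions):
    # Any Deny wins; otherwise any Permit; otherwise NotApplicable.
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA


def evaluate_policy(target_matches, rule_decisions, rule_alg):
    # The rule-combining algorithm runs only when the policy Target matches.
    # A policy whose Target does not match is NotApplicable, whatever the
    # rule-combining algorithm would have produced.
    if not target_matches:
        return NA
    return rule_alg(list(rule_decisions))


def evaluate_policy_set(policies, policy_alg):
    # policies: list of (target_matches, rule_decisions, rule_alg) tuples.
    return policy_alg([evaluate_policy(*p) for p in policies])


def scenario(policy2_target_matches):
    # Constructed input mirroring the message: Policy 1 has a permitting rule,
    # Policy 2 has only rules that are NotApplicable to the request.
    policy1 = (True, [PERMIT], deny_unless_permit)
    policy2 = (policy2_target_matches, [NA, NA], deny_unless_permit)
    return evaluate_policy_set([policy1, policy2], deny_overrides)


if __name__ == "__main__":
    for matches in (True, False):
        print("Policy 2 target matches:", matches, "->", scenario(matches))
```

With these inputs the PolicySet decision is Deny when Policy 2's Target matches the request and Permit when it does not, so the Target on a deny-unless-permit policy determines whether it can veto its siblings under deny-overrides.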