[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Question on Combining Alg
So I have an interesting question that I cannot find addressed in the spec. I feel silly even asking this, but:
How should combining algorithms be handled when there is both a policySet as well as a policy defined.
I take the example from the RSA interop example:
I take this to be read as "Always return DENY" since:
Policy 1 is evaluated, all rules are evaluated, and result is PERMIT ,
Policy 2 is evaluated, all rules are evaluated and result is NOT APPLICABLE
Policy Combiner deny-unless-permit is applied leaving result as DENY.
Policy Set combiner is evaluated deny-overrides : and since Policy 2 results in Deny, Even tho there is a a PERMIT from Policy 1, result should be DENY .
Can someone explain to me where I am misunderstanding?