MHonArc v2.5.0b2 -->
xacml message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: interior node <Result> elements for a hierarchy
We decided at the Face-to-Face that we could return <Result>
elements only for leaf nodes in a hierarchy. The reason was that
we thought the <Result> values for interior nodes could be
ambiguous otherwise.
Seth has convince me that this is not the case. I think our
decision was made when we were still exploring the possibility of
having a single evaluation cover multiple nodes in a Request,
where I think there is a possibility for ambiguity. Our current
proposal, which does not include this, does not have a problem
with interior nodes.
We have decided to retain the XACML 1.1 semantics that a Request
for multiple nodes SHALL be equivalent to the <Result> elements
produced by evaluating each requested node individually: i.e. the
fact. This means an unambiguous <Result> can be returned for
each node. For some types of hierarchy, an interior node will
get Permit only if all its children get Permit, or will get Deny
unless all its children get Permit, but this is up to the policy.
Unless someone gives me a good reason otherwise, I plan to
specify that a <Result> SHALL be returned for each requested node
in a hierarchy. This retains backwards compatibility with the
XACML 1.0/1.1 "scope" description.
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]