OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] [schema] PDP response where no policy applies

  • 1.  Re: [xacml] [schema] PDP response where no policy applies

    Posted 07-26-2002 19:43
    Subject: Re: [xacml] [schema] PDP response where no policy applies


    
    I have the same opinion. From the PDP viewpoint, I think the PDP should return
    permit or deny as a final decision. So, this Indeterminate case would need a
    denial decision. I think this is a "default denial policy". (I think a
    default permit policy is too dangerous to implement but some applications
    may need that.) It would be wise to add some reason, e.g. "because of
    indeterminate", as an advice (or as some status code). My thought is that
    this is NOT mandatory to implement. Anyway it is helpful when you are
    debugging the policy to see whether it is caused by insufficient target
    matching or strict access denial. (I think we had discussed this topic a long
    time ago). If so, we need two different combination algorithms, one for
    rules and another for policyStatement/policySetStatement that finally
    returns denial.
    
    Michiharu
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    
    
    
    
                                                                                                                                      
    Anne Anderson <Anne.Anderson@Sun.com>
    2002/07/27 03:23
    Please respond to Anne.Anderson

    To:       XACML TC <xacml@lists.oasis-open.org>
    cc:
    Subject:  [xacml] [schema] PDP response where no policy applies
    
    
    
    If absolutely none of its policies applies, then is the PDP
    obligated to return Indeterminate(Inapplicable)?
    
    If the PDP wants to return Deny if no policies apply, does it
    have to define a base policy with a DenyOverrides rule?
    
    We should spell this sort of behavior out in the spec.
    
    Anne
    --
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
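
Added example, not part of the original messages and not the XACML specification's algorithm: a sketch of the two-level combination discussed in this thread, where a rule-level combiner may return NotApplicable or Indeterminate and a top-level combiner always ends in Permit or Deny with a reason code. The function names, reason strings, the simplified deny-overrides logic, and the sample policies are all assumptions made for illustration.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

def combine_rules(request, rules):
    """Rule-level combiner (simplified deny-overrides, hypothetical).
    Each rule is (target_predicate, effect); a target that cannot be
    evaluated because an attribute is missing counts as an error."""
    seen_permit = seen_error = False
    for target, effect in rules:
        try:
            if not target(request):
                continue
        except KeyError:          # missing attribute in the request
            seen_error = True
            continue
        if effect is Decision.DENY:
            return Decision.DENY  # an applicable Deny wins immediately
        seen_permit = True
    if seen_error:                # an unevaluated rule might have denied
        return Decision.INDETERMINATE
    return Decision.PERMIT if seen_permit else Decision.NOT_APPLICABLE

def final_decision(request, policies):
    """Top-level combiner: always returns Permit or Deny plus a reason,
    so a default denial is distinguishable from a strict one."""
    results = [combine_rules(request, rules) for rules in policies]
    if Decision.DENY in results:
        return Decision.DENY, "explicit-deny"
    if Decision.INDETERMINATE in results:
        return Decision.DENY, "default-deny:indeterminate"
    if Decision.PERMIT in results:
        return Decision.PERMIT, "explicit-permit"
    return Decision.DENY, "default-deny:no-applicable-policy"

# Constructed sample policy (one policy with two rules), not from the thread.
POLICIES = [[
    (lambda r: r["resource"] == "payroll" and r["role"] == "hr", Decision.PERMIT),
    (lambda r: r["resource"] == "payroll" and r["role"] == "contractor", Decision.DENY),
]]

if __name__ == "__main__":
    for req in ({"resource": "payroll", "role": "hr"},
                {"resource": "wiki", "role": "hr"},
                {"resource": "payroll"}):
        print(req, "->", final_decision(req, POLICIES))
```

The reason string plays the role of the advice or status code suggested above: the enforcement point sees only Permit or Deny, while a policy author can tell insufficient target matching from a strict denial.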
    
    