Re: [xacml] [CR] Add Default-deny policy combination algorithm

    Posted 08-22-2002 15:02
    Subject: Re: [xacml] [CR] Add Default-deny policy combination algorithm

    If we add that, we should probably add the analogous "Default-permit"
    algorithm as well to keep it symmetric.
    As for the First Applicable, the last rule can be written to handle any
    default. (Convenient, eh? :)
    On Thu, 22 Aug 2002, Anne Anderson wrote:
    > Add normative, mandatory-to-implement Default-deny policy
    > combination algorithm.
    > Text to be added as new section in Appendix C.
    > The following specification defines the "Default Deny" policy
    > combining algorithm of a policy set.
    >    In the entire set of policies to be evaluated, if any policy
    >    evaluates to Deny, then the result of the policy combination
    >    shall be Deny.  In other words, Deny takes precedence,
    >    regardless of the result of evaluating any of the other
    >    policies in the combination.  If all policies are found not to
    >    be applicable to the request, the policy combination returns
    >    Deny.  If there is any error evaluating the target of a
    >    policy, or a reference to a policy is considered invalid, or
    >    the policy evaluation results in Indeterminate, then the
    >    result of the combination shall be Deny.
    > The following pseudo code represents the evaluation strategy of
    > this policy-combining algorithm.
    >    Decision defaultDenyPolicyCombiningAlgorithm(Policy policies[])
    >    {
    >        Boolean atLeastOnePermit = false;
    >        for ( i=0 ; i < lengthOf(policies) ; i++ )
    >        {
    >            Decision decision = evaluate(policies[i]);
    >            if (decision == Deny)
    >            {
    >                return Deny;
    >            }
    >            if (decision == Permit)
    >            {
    >                atLeastOnePermit = true;
    >                continue;
    >            }
    >            if (decision == NotApplicable)
    >            {
    >                continue;
    >            }
    >            if (decision == Indeterminate)
    >            {
    >                return Deny;
    >            }
    >        }
    >        if (atLeastOnePermit)
    >        {
    >            return Permit;
    >        }
    >        return Deny;
    >    }
    > Obligations of the individual policies shall be combined as
    > described in Section "Obligations."
    > Rationale:
    >    [The Bill Parducci Memorial Combination Algorithm] At the top
    >    level, a PDP may want to return Deny where  Deny-Overrides
    >    would have returned NotApplicable.  In other words, the PDP
    >    will return Deny unless the request is explicitly permitted
    >    and not explicitly denied.
    >    This combination algorithm may be used with underlying
    >    algorithms of either Permit-Overrides or Deny-Overrides to
    >    convert Indeterminate or NotApplicable results to Deny.
    > Anne
    > --
    > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    > Sun Microsystems Laboratories
    > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
    > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    > ----------------------------------------------------------------
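Added example, not code from this thread or from the XACML specification: a small Python model of the proposed Default-deny combiner next to Deny-overrides and First-applicable, with constructed sample policies, so the two cases the proposal changes (all policies NotApplicable, and Indeterminate) can be compared side by side. The policy names, the request-dict shape and the "last rule as catch-all" policy are assumptions made for the demonstration.

```python
from enum import Enum
class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

def _deny_biased(policies, request, when_nothing_applies):
    # Shared loop: any Deny or Indeterminate -> Deny (errors fail closed);
    # at least one Permit and nothing worse -> Permit; otherwise the caller's default.
    at_least_one_permit = False
    for policy in policies:
        decision = policy(request)
        if decision in (Decision.DENY, Decision.INDETERMINATE):
            return Decision.DENY
        if decision is Decision.PERMIT:
            at_least_one_permit = True
    return Decision.PERMIT if at_least_one_permit else when_nothing_applies

def default_deny(policies, request):
    # The proposed algorithm as its prose specifies it: nothing applicable -> Deny.
    return _deny_biased(policies, request, Decision.DENY)

def deny_overrides(policies, request):
    # Standard deny-overrides differs only when nothing applies: NotApplicable.
    return _deny_biased(policies, request, Decision.NOT_APPLICABLE)

def first_applicable(policies, request):
    # First-applicable: the first non-NotApplicable result decides, so an
    # Indeterminate is passed through instead of being turned into Deny.
    for policy in policies:
        decision = policy(request)
        if decision is not Decision.NOT_APPLICABLE:
            return decision
    return Decision.NOT_APPLICABLE

# Constructed sample policies: each maps a request dict to a Decision.
def admins_may_read(req):
    ok = req.get("action") == "read" and req.get("role") == "admin"
    return Decision.PERMIT if ok else Decision.NOT_APPLICABLE

def nobody_deletes_audit_log(req):
    hit = req.get("resource") == "audit-log" and req.get("action") == "delete"
    return Decision.DENY if hit else Decision.NOT_APPLICABLE

def broken_policy(req):  # stand-in for a policy whose target fails to evaluate
    return Decision.INDETERMINATE
def catch_all_deny(req):  # the "last rule handles the default" trick from the reply
    return Decision.DENY
```

Note that First-applicable with a trailing catch-all Deny reproduces Default-deny only for the NotApplicable case; an Indeterminate result still escapes as Indeterminate rather than failing closed.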
