OASIS eXtensible Access Control Markup Language (XACML) TC


RE: [xacml] [policy-model] A Proposal

    Posted 12-04-2001 02:45
    
    Tim - I understand that both the deny_condition under the <not> element and the
    <deny> element mean the same. But in some cases, it would be more
    important to specify the denial rule more explicitly, in order to
    facilitate readability of the policy rules mainly for the human policy
    writers. Moreover I think that all SC members have agreed to the usefulness
    of the denial rule after the long discussion. When people need to specify
    denial rules, it would be nice to specify explicitly the "grant" semantic
    basis in terms of exact specification. Considering the wide range of XACML
    applications that the use case summary shows, I would prefer to specify
    "grant" (or something like that) explicitly. I think this is consistent
    with the ongoing policy model discussion.
    
    Another aspect is that XACML users may want to extend the XACML semantic
    basis according to their own policy definition. I think that Pierangela's
    "only_if" semantic basis is one good example. Other people might think of
    another definition. My extensibility proposal also aims at these issues.
    
    best regards,
    Michiharu Kudo
    
    
    From: Tim Moses <tim.moses@entrust.com> on 2001/12/04 04:19
    
    Please respond to Tim Moses <tim.moses@entrust.com>
    
    To:   xacml <xacml@lists.oasis-open.org>
    cc:
    Subject:  RE: [xacml] [policy-model] A Proposal
    
    Michiharu - Thanks for this proposal on extensibility. I suspect that we
    will delay discussion of extensibility points until the model is settled.
    However, it will become important at that time.
    
    In the model, as currently described, we do not include separate elements
    for "grant" and "deny". Instead, the "deny" semantics are provided by
    "and" and "not" ...
    
    <and>
      <predicate>grant_condition</predicate>
      <not>
        <predicate>deny_condition</predicate>
      </not>
    </and>
    
    With this approach, no explicit grant element is required: if the
    applicable policy evaluates TRUE, then the PDP may return the saml "permit"
    status code.
    
    All the best. Tim.
    
    -----------------------------------------
    Tim Moses
    Tel: 613.270.3183
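The two forms compared in this thread, the and/not combination from Tim's sketch and an explicit grant/deny pair, can be checked for equivalence with a small evaluator. The following is an added example written for this page; it is not code from the XACML TC or from either author. The predicate syntax "attribute == value", the element names <policy>, <grant> and <deny>, and the request contexts are all constructed for the illustration. One design choice goes beyond the sketch: a predicate that refers to an attribute absent from the request yields "indeterminate" rather than False, because under <not> a silently-false deny condition would become a permit.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy in the shape of the and/not sketch. The predicate
# text syntax "attribute == value" is an assumption made for this example.
AND_NOT_POLICY = """
<and>
  <predicate>role == doctor</predicate>
  <not>
    <predicate>record_status == sealed</predicate>
  </not>
</and>
"""

# The same intent written with separate grant/deny elements. The element names
# <policy>, <grant> and <deny> are hypothetical, used only to compare the two
# forms; they are not taken from the XACML draft.
GRANT_DENY_POLICY = """
<policy>
  <grant><predicate>role == doctor</predicate></grant>
  <deny><predicate>record_status == sealed</predicate></deny>
</policy>
"""


class MissingAttribute(Exception):
    """Raised when a predicate refers to an attribute the request lacks."""


def eval_predicate(text, request):
    """Evaluate 'attribute == value' against a request-attribute dict."""
    parts = text.strip().split()
    if len(parts) != 3 or parts[1] != "==":
        raise ValueError(f"unsupported predicate: {text!r}")
    attr, _, value = parts
    if attr not in request:
        # Do not treat an absent attribute as False: inside <not> that would
        # turn a missing deny attribute into a permit.
        raise MissingAttribute(attr)
    return request[attr] == value


def evaluate(node, request):
    """Recursively evaluate <and>, <or>, <not> and <predicate> elements."""
    if node.tag == "predicate":
        return eval_predicate(node.text or "", request)
    if node.tag in ("and", "or"):
        # Evaluate every child (no short-circuit) so missing attributes surface.
        results = [evaluate(child, request) for child in node]
        return all(results) if node.tag == "and" else any(results)
    if node.tag == "not":
        children = list(node)
        if len(children) != 1:
            raise ValueError("<not> must wrap exactly one element")
        return not evaluate(children[0], request)
    raise ValueError(f"unsupported element <{node.tag}>")


def decide(policy_xml, request):
    """PDP decision for the and/not form: TRUE -> permit, otherwise deny."""
    root = ET.fromstring(policy_xml.strip())
    try:
        return "permit" if evaluate(root, request) else "deny"
    except MissingAttribute:
        return "indeterminate"


def decide_grant_deny(policy_xml, request):
    """PDP decision for the explicit grant/deny form (deny overrides grant)."""
    root = ET.fromstring(policy_xml.strip())
    try:
        denied = [evaluate(c, request) for d in root.findall("deny") for c in d]
        granted = [evaluate(c, request) for g in root.findall("grant") for c in g]
    except MissingAttribute:
        return "indeterminate"
    if any(denied):
        return "deny"
    return "permit" if any(granted) else "deny"


def forms_agree(requests):
    """True if both policy forms decide every request identically."""
    return all(decide(AND_NOT_POLICY, r) == decide_grant_deny(GRANT_DENY_POLICY, r)
               for r in requests)


SAMPLE_REQUESTS = [  # constructed request contexts
    {"role": "doctor", "record_status": "open"},
    {"role": "doctor", "record_status": "sealed"},
    {"role": "nurse", "record_status": "open"},
    {"role": "doctor"},  # attribute used by the deny condition is absent
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", decide(AND_NOT_POLICY, req),
              decide_grant_deny(GRANT_DENY_POLICY, req))
    print("forms agree:", forms_agree(SAMPLE_REQUESTS))
```

Both forms permit only when the grant condition holds and the deny condition does not, which is the equivalence the reply refers to; the readability argument is about how the policy writer sees the rule, not about the decision the PDP reaches.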