OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] Syntax and semantics for an applicable policy


    Posted 02-14-2002 14:56
    I propose that an <applicablePolicy> be the unit of evaluation. It consists of the following basic elements:

      <applicablePolicy>
        <subject> optional simple R.E. that subject must match </subject>
        <resource> optional simple R.E. that resource must match </resource>
        <action> optional simple R.E. that action must match </action>
        <additionalConditions> [optional arbitrary boolean expression] </additionalConditions>
        <policy> [arbitrary combinator expression that can reference other applicablePolicies] </policy>
      </applicablePolicy>

    A referencedPolicy is evaluated as follows:

      1. If <subject> condition exists, evaluate it. If false, return "not-applicable". If error (should not occur), return "error".
      2. If <resource> condition exists, evaluate it. If false, return "not-applicable". If error (should not occur), return "error".
      3. If <action> condition exists, evaluate it. If false, return "not-applicable". If error (should not occur), return "error".
      4. If <additionalConditions> exist, evaluate them. If result is not "true", return result.
      5. Evaluate policy. Return result.

    Vendors that want to index policies can index on the <subject>, <resource>, or <action> (or more than one) element. A missing <subject> element means "potentially applies to all subjects", etc.

    Simon's rules can be expressed using this syntax.

    To make the combinator expression semantics clear, I propose we use combinator attributes such as <AND not-applicable=ignore error=false>, where the options for not-applicable or error are "ignore", "true", "false", "propagate", "error", or "not-applicable". "Ignore" means eliminate any not-applicable referenced policies from the expression before evaluating. "Propagate" means if a not-applicable or error is encountered, then the result of the entire combinator expression immediately becomes not-applicable or error. not-applicable=error means treat a not-applicable referencedPolicy as an error. error=not-applicable means treat a referencedPolicy that returns error as not-applicable.

    I don't think all combinations of attribute values are very meaningful, but we would know how to evaluate.

    --
    Anne H. Anderson               Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive, UBUR02-311    Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
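The evaluator below is an added illustration of the proposal in the post above; it is not code from the XACML TC, from the author, or from any XACML implementation. It implements the five evaluation steps for an applicablePolicy and an AND/OR combinator whose not-applicable= and error= attributes take the six option values listed in the post. Everything beyond the post is an assumption made here: the "simple R.E." is applied as a full match with Python's re module, <additionalConditions> is modelled as a callable returning "true", "false" or "error", a combinator whose referenced policies were all ignored yields "not-applicable", and the cyclic setting not-applicable=error with error=not-applicable (which the post notes is not meaningful) is resolved as "error" rather than looping. The policy names, subjects and resources are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

# The four result values from the proposal: true/false plus not-applicable and error.
TRUE, FALSE, NOT_APPLICABLE, ERROR = "true", "false", "not-applicable", "error"


@dataclass
class Request:
    subject: str
    resource: str
    action: str
    attrs: Dict[str, object] = field(default_factory=dict)  # hypothetical extra context


@dataclass
class Combinator:
    """<AND not-applicable=... error=...> (or <OR ...>) over referenced applicablePolicies."""
    op: str                          # "AND" or "OR"
    refs: List[str]                  # names of the referenced applicablePolicies
    not_applicable: str = "ignore"   # ignore|true|false|propagate|error|not-applicable
    error: str = "propagate"         # same option set


@dataclass
class ApplicablePolicy:
    name: str
    subject: Optional[str] = None    # optional simple R.E. the subject must match
    resource: Optional[str] = None
    action: Optional[str] = None
    additional: Optional[Callable[[Request], str]] = None  # <additionalConditions> (assumption)
    policy: Union[str, Combinator] = TRUE  # a constant result or a combinator expression


def _match(pattern: Optional[str], value: str) -> str:
    """Steps 1-3: a missing element matches everything; a malformed R.E. is an error."""
    if pattern is None:
        return TRUE
    try:
        return TRUE if re.fullmatch(pattern, value) else FALSE
    except re.error:
        return ERROR


def _resolve(result: str, comb: Combinator):
    """Apply the combinator's not-applicable=/error= attributes to one referenced result.
    Returns ("keep", true/false), ("ignore", None) or ("return", value for the whole expression)."""
    seen = set()
    while result in (NOT_APPLICABLE, ERROR):
        if result in seen:  # not-applicable=error with error=not-applicable: a cycle (assumed -> error)
            return ("return", ERROR)
        seen.add(result)
        attr = comb.not_applicable if result == NOT_APPLICABLE else comb.error
        if attr == "ignore":
            return ("ignore", None)
        if attr == "propagate" or attr == result:
            return ("return", result)
        result = attr  # re-mapped to true, false, error or not-applicable and re-examined
    return ("keep", result)


def evaluate_policy(policy, req, registry):
    if isinstance(policy, str):  # a leaf result
        return policy
    kept = []
    for ref in policy.refs:
        what, value = _resolve(evaluate(ref, req, registry), policy)
        if what == "return":
            return value
        if what == "keep":
            kept.append(value)
    if not kept:  # every referenced policy was ignored (assumption: nothing applied)
        return NOT_APPLICABLE
    if policy.op == "AND":
        return FALSE if FALSE in kept else TRUE
    if policy.op == "OR":
        return TRUE if TRUE in kept else FALSE
    return ERROR


def evaluate(name, req, registry):
    """The five evaluation steps for one applicablePolicy looked up by name."""
    p = registry[name]
    for pattern, value in ((p.subject, req.subject), (p.resource, req.resource), (p.action, req.action)):
        r = _match(pattern, value)
        if r == FALSE:
            return NOT_APPLICABLE
        if r == ERROR:
            return ERROR
    if p.additional is not None:  # step 4: anything but "true" is returned as-is
        r = p.additional(req)
        if r != TRUE:
            return r
    return evaluate_policy(p.policy, req, registry)  # step 5


def build_registry():
    """Constructed sample policies (not from the post)."""
    shared = ["read-docs", "office-hours", "broken-re"]
    pols = [
        ApplicablePolicy("read-docs", subject=r"alice|bob", resource=r"/docs/.*", action="read"),
        ApplicablePolicy("office-hours", additional=lambda r: TRUE if 8 <= r.attrs.get("hour", 0) < 18 else FALSE),
        ApplicablePolicy("broken-re", subject="("),  # malformed R.E. -> error on evaluation
        ApplicablePolicy("strict", policy=Combinator("AND", shared)),                       # error propagates
        ApplicablePolicy("lenient", policy=Combinator("AND", shared, "ignore", "ignore")),  # drop both
        ApplicablePolicy("deny-unmatched", policy=Combinator("AND", shared[:2], not_applicable="false")),
    ]
    return {p.name: p for p in pols}


if __name__ == "__main__":
    reg = build_registry()
    alice = Request("alice", "/docs/a.txt", "read", {"hour": 9})
    for top in ("strict", "lenient", "deny-unmatched"):
        print(top, "->", evaluate(top, alice, reg))
```

The "strict" policy shows why error=propagate matters in a deny-by-default system: one malformed subject expression turns the whole decision into "error" instead of silently granting, whereas "lenient" discards it and decides on the remaining references.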