OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] [CR] Add Default-deny policy combination algorithm

  • 1.  [xacml] [CR] Add Default-deny policy combination algorithm

    Posted 08-22-2002 18:57
    Add normative, mandatory-to-implement Default-deny policy combination algorithm. Text to be added as new section in Appendix C.

    The following specification defines the "Default Deny" policy combining algorithm of a policy set.

    In the entire set of policies to be evaluated, if any policy evaluates to Deny, then the result of the policy combination shall be Deny. In other words, Deny takes precedence, regardless of the result of evaluating any of the other policies in the combination. If all policies are found not to be applicable to the request, the policy combination returns Deny. If there is any error evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evaluation results in Indeterminate, then the result of the combination shall be Deny.

    The following pseudo code represents the evaluation strategy of this policy-combining algorithm.

        Decision defaultDenyPolicyCombiningAlgorithm(Policy policies[])
        {
            Boolean atLeastOnePermit = false;
            for ( i=0 ; i < lengthOf(policies) ; i++ )
            {
                Decision decision = evaluate(policies[i]);
                if (decision == Deny)
                {
                    // Deny takes precedence over everything else
                    return Deny;
                }
                if (decision == Permit)
                {
                    atLeastOnePermit = true;
                    continue;
                }
                if (decision == NotApplicable)
                {
                    continue;
                }
                if (decision == Indeterminate)
                {
                    // Target errors, invalid references and Indeterminate all map to Deny
                    return Deny;
                }
            }
            if (atLeastOnePermit)
            {
                return Permit;
            }
            // No policy applied: the text above requires Deny here, not NotApplicable
            return Deny;
        }

    Obligations of the individual policies shall be combined as described in Section "Obligations."

    Rationale: [The Bill Parducci Memorial Combination Algorithm]

    At the top level, a PDP may want to return Deny where Deny-Overrides would have returned NotApplicable. In other words, the PDP will return Deny unless the request is explicitly permitted and not explicitly denied. This combination algorithm may be used with underlying algorithms of either Permit-Overrides or Deny-Overrides to convert Indeterminate or NotApplicable results to Deny.

    Anne
    --
    Anne H. Anderson               Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive, UBUR02-311    Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
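The proposal above describes the Default-deny combiner in prose and pseudo code and says it is meant to sit at the top of a PDP over policy sets that use other combiners. The following is an added Python example written for this page; it is not code from the OASIS TC or from the poster. It implements the Default-deny combiner as described, a simplified deny-overrides combiner used only for contrast (an assumption, not the normative XACML text), nests one inside the other, and runs constructed sample requests so the conversion of NotApplicable and Indeterminate into Deny is visible. The request attributes, the rule targets and the `rule` / `policy_set` helpers are all hypothetical.

```python
from enum import Enum
from typing import Callable, Sequence, Tuple


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


# A policy is modelled as a callable from a request (a plain dict) to a Decision.
# Policy sets are policies too, so combiners can be nested.
Policy = Callable[[dict], Decision]


def default_deny(policies: Sequence[Policy], request: dict) -> Decision:
    """Default-deny combiner as described in the CR: any Deny or Indeterminate
    yields Deny; Permit only if at least one policy permitted and none denied;
    Deny (not NotApplicable) when no policy applies at all."""
    at_least_one_permit = False
    for policy in policies:
        decision = policy(request)
        if decision in (Decision.DENY, Decision.INDETERMINATE):
            return Decision.DENY
        if decision is Decision.PERMIT:
            at_least_one_permit = True
        # NotApplicable: keep evaluating the remaining policies
    return Decision.PERMIT if at_least_one_permit else Decision.DENY


def deny_overrides(policies: Sequence[Policy], request: dict) -> Decision:
    """Simplified deny-overrides used only for contrast (assumption, not the
    normative algorithm): Deny wins, then Indeterminate, then Permit, and a set
    in which nothing applies stays NotApplicable."""
    seen = {policy(request) for policy in policies}
    for outcome in (Decision.DENY, Decision.INDETERMINATE, Decision.PERMIT):
        if outcome in seen:
            return outcome
    return Decision.NOT_APPLICABLE


def policy_set(combiner, policies: Sequence[Policy]) -> Policy:
    """Wrap a combiner and its child policies as one policy (a policy set)."""
    return lambda request: combiner(policies, request)


def rule(target: Callable[[dict], bool], effect: Decision) -> Policy:
    """Hypothetical leaf policy: `effect` when the target matches,
    NotApplicable when it does not, Indeterminate when evaluating the target
    fails (e.g. a required request attribute is missing)."""
    def evaluate(request: dict) -> Decision:
        try:
            return effect if target(request) else Decision.NOT_APPLICABLE
        except (KeyError, TypeError):
            return Decision.INDETERMINATE
    return evaluate


# Constructed sample policies for a hypothetical file service.
ALLOW_STAFF_READ = rule(lambda r: r["role"] == "staff" and r["action"] == "read", Decision.PERMIT)
DENY_ARCHIVED = rule(lambda r: r["resource"].startswith("/archive/"), Decision.DENY)
HR_ONLY = rule(lambda r: r["department"] == "hr", Decision.PERMIT)  # needs a department attribute

# Inner set uses deny-overrides; the PDP wraps it with Default-deny, as the CR suggests.
INNER = policy_set(deny_overrides, [ALLOW_STAFF_READ, DENY_ARCHIVED, HR_ONLY])
PDP = policy_set(default_deny, [INNER])


def decide(request: dict) -> Tuple[Decision, Decision]:
    """Return (inner deny-overrides result, top-level Default-deny result)."""
    return INNER(request), PDP(request)


if __name__ == "__main__":
    # Constructed requests: explicit permit, explicit deny, nothing applicable,
    # and a missing attribute that makes one target Indeterminate.
    samples = [
        {"role": "staff", "action": "read", "resource": "/docs/a", "department": "eng"},
        {"role": "staff", "action": "read", "resource": "/archive/x", "department": "eng"},
        {"role": "guest", "action": "write", "resource": "/docs/a", "department": "eng"},
        {"role": "staff", "action": "read", "resource": "/docs/a"},
    ]
    for req in samples:
        inner, top = decide(req)
        print(f"{req!r:75} inner={inner.value:14} pdp={top.value}")
```

The third and fourth requests show the point of the proposal: the inner deny-overrides set answers NotApplicable and Indeterminate respectively, and the top-level Default-deny combiner turns both into Deny, so the PDP only ever says Permit when some policy explicitly permitted and none denied.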