OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only

Re: [xacml] NotApplicable and combining algs

  • 1.  Re: [xacml] NotApplicable and combining algs

    Posted 08-26-2004 14:50
     MHonArc v2.5.0b2 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    xacml message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


    Subject: Re: [xacml] NotApplicable and combining algs


    On Wed, 25 Aug 2004, Seth Proctor wrote:
    
    >
    > Sections 7.10 and 7.11 of draft 13 say that in all cases, if no
    > elements provided to a combining algorithm apply then the combining
    > algorithm always returns NotApplicable. Is that really what we want?
    
    Yes.
    
    > Shouldn't I be free to write a combining algorithm, for example, that
    > returns Deny if no elements apply?
    
    Of course, you can write combining algorithms that return Permit when
    everything states Deny. You are free to do what you want. There is nothing
    that stops you from doing that. However, I would think, that you would
    have to state the exact reasons for doing so.
    
    > I can think of many cases where this would be very useful (at the
    > top-level in a PDP and to replace fall-through Deny rules).
    
    Or fall thru Permit rules. :)
    
    In anycase, these are some of the guidelines to follow, and basically
    makes things work with some expectation of consistency. Much like the
    applicability predicate (target) of each rule, which states that the
    result of a rule is only combined if the target is true.
    
    > The reason I ask is twofold. First, I don't ever remember discussing
    > this issue, so I'm not sure if someone explicitly wanted to see this in
    > the spec or if it's just an oversight.
    
    No, it probably was discussed before you got on board. However, for the
    algorithms we have, the stated behavior is what we want. You can always
    right a PolicySet (or a default) rule that will get you what you want.
    
    > Second, I think it breaks the relationship shown on page 19, since it
    > implies that before a combining algorithm starts working with its
    > elements, something above it will already have checked applicability of
    > all elements.
    
    I don't see what "breaks" here. If you take that stance that you evaluate
    the applicability of each rule before evaluating and combining their
    results, and no rule is applicable, or whether you evaluate each rule's
    applicablilty predicate and if true, process the result, the end result
    should definately be the same.
    
    However, that doesn't stop you from defining a combining algorithm that in
    a sense, can throw all logic and integrity to the wind. Whether somebody
    wants to rely on it, is another story.
    
    > I think it's clear that we don't want that model.
    
    Well, I guess I won't speak for the group, but I want that model, which
    gives integrity and consistency to the logic, and has the ability to
    compose policies in an expected manor.
    
    > Basically, I think this is another case where we should say that the
    > combining algorithm decides, and it just so happnes that all the
    > standard algorithms return NotApplicable in this case.
    
    What's the use case, other than some convience?
    
    You can use the standard algorithms, and put "default" rules with true
    applicability predicates and true conditions, and get a never return
    NotApplicable result.
    
    
    > Yes? No? What do people think? Again, maybe fodder for discussion
    > tomorrow?
    
    Cheers,
    -Polar
    


    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]