OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] v14 Section 8: another rule combining algorithm

    Posted 06-17-2002 15:31
We have done considerable work to ensure that policies MAY be constructed in such a way that not all information needs to be retrieved in order to reach a decision. This is particularly important in a distributed scenario, where it may be relatively expensive to retrieve rules, policies, or policy combinations from remote sites. To support this, I propose including the following additional combining algorithm in Section 8 of v14:

8.2 Permit-overrides

The following is a specification for the "permit-overrides" rule-combining algorithm. The identifier for this algorithm is given in Section Permit-overrides rule-combining algorithm.

In the entire set of rules to be evaluated, if any of the rules evaluates to "permit", then the rule combination is defined to evaluate to "permit" (that is, "permit" takes precedence, regardless of how many rules evaluate to "deny" or "indeterminate", and causes the whole combination to return "permit"). If all of the rules found to be applicable to the request evaluate to "deny" or "indeterminate", then the rule combination is defined to evaluate to "deny". If none of the rules is found to be applicable to the request, the rule combination returns "notApplicable".

What follows is a pseudocode representation of how the above specification MAY be implemented. This is provided for illustrative and explanatory purposes.

    effect policy(rule[]) {
        atLeastOneDenyOrIndeterminate = false;
        for (i = 0; i < noOfRules; i++) {
            /* first "permit" wins; no further rules need be evaluated */
            if (rule[i] == permit) {
                return(permit);
            }
            if (rule[i] == indeterminate) {
                atLeastOneDenyOrIndeterminate = true;
            }
            if (rule[i] == deny) {
                atLeastOneDenyOrIndeterminate = true;
            }
        }
        /* no "permit" seen: any "deny" or "indeterminate" yields "deny" */
        if (atLeastOneDenyOrIndeterminate) {
            return(deny);
        } else {
            return(notApplicable);
        }
    }

The following is a specification for the "permit-overrides" policy-combining algorithm. The identifier for this algorithm is given in Section Permit-overrides policy-combining algorithm.

In the entire set of policies to be evaluated, if any of the policies evaluates to "permit", then the policy combination is defined to evaluate to "permit" (that is, "permit" takes precedence, regardless of how many policies evaluate to "deny" or "indeterminate", and causes the whole combination to return "permit"). If all of the policies found to be applicable to the request evaluate to "deny" or "indeterminate", then the policy combination is defined to evaluate to "deny". If none of the policies is found to be applicable to the request, the policy combination returns "notApplicable".

What follows is a pseudocode representation of how the above specification MAY be implemented. This is provided for illustrative and explanatory purposes.

    effect policySet(policy[]) {
        atLeastOneDenyOrIndeterminate = false;
        for (i = 0; i < noOfPolicies; i++) {
            /* first "permit" wins; no further policies need be evaluated */
            if (policy[i] == permit) {
                return(permit);
            }
            if (policy[i] == indeterminate) {
                atLeastOneDenyOrIndeterminate = true;
            }
            if (policy[i] == deny) {
                atLeastOneDenyOrIndeterminate = true;
            }
        }
        /* no "permit" seen: any "deny" or "indeterminate" yields "deny" */
        if (atLeastOneDenyOrIndeterminate) {
            return(deny);
        } else {
            return(notApplicable);
        }
    }

Obligations of the individual policies SHALL be combined as described in Section Obligations.

Anne
-- 
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692