OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Bug in conformance test?

    Posted 07-06-2011 18:28
    All,

    The policy for test IIA002 [1] doesn't specify MustBePresent for the urn:oasis:names:tc:xacml:1.0:example:attribute:role attribute. According to section 7.2.5. Attribute Retrieval of the 2.0 spec, the default value for MustBePresent is "False", and therefore an empty bag should be returned for the attribute value. This will result in the one rule not matching and therefore a decision of NotApplicable. However, the expected response [2] is Permit, since the purpose of the test is to invoke the PIP [3].

    I think this is a bug in the policy that should be fixed by adding MustBePresent="True".

    Thanks,
    Ray

    [1] http://tools.oasis-open.org/version-control/svn/xacml/current/tests/IIA002Policy.xml
    [2] http://tools.oasis-open.org/version-control/svn/xacml/current/tests/IIA002Response.xml
    [3] http://tools.oasis-open.org/version-control/svn/xacml/current/tests/IIA002Special.txt


  • 2.  Re: [xacml] Bug in conformance test?

    Posted 07-06-2011 21:23
    Hi Remon,

    I believe that if the PDP is configured to retrieve certain attributes from a PIP, it will try to retrieve them regardless of the value of MustBePresent. In that case, the PIP would return an attribute and therefore the rule would match leading to a Permit.

    The conformance test here aims at testing the correct attribute retrieval via a PIP, not the effect of MustBePresent. If the PDP / PIP interaction fails or if the mapping is incorrect, an empty bag is returned indeed. That leads to NotApplicable which is correct. If MustBePresent were used, then the behavior would change in the sense that an empty bag would lead to Indeterminate being returned (as defined in the XACML 3.0 spec - section 5.29: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf) and section 7.3.5 in particular.

    What do you reckon?

    David.

    On Wed, Jul 6, 2011 at 8:27 PM, <remon.sinnema@emc.com> wrote:

    > All,
    >
    > The policy for test IIA002 [1] doesn't specify MustBePresent for the urn:oasis:names:tc:xacml:1.0:example:attribute:role attribute. According to section 7.2.5. Attribute Retrieval of the 2.0 spec, the default value for MustBePresent is "False", and therefore an empty bag should be returned for the attribute value. This will result in the one rule not matching and therefore a decision of NotApplicable. However, the expected response [2] is Permit, since the purpose of the test is to invoke the PIP [3].
    >
    > I think this is a bug in the policy that should be fixed by adding MustBePresent="True".
    >
    > Thanks,
    > Ray
    >
    > [1] http://tools.oasis-open.org/version-control/svn/xacml/current/tests/IIA002Policy.xml
    > [2] http://tools.oasis-open.org/version-control/svn/xacml/current/tests/IIA002Response.xml
    > [3] http://tools.oasis-open.org/version-control/svn/xacml/current/tests/IIA002Special.txt

    --
    David Brossard, M.Eng, SCEA, CSTP
    Solutions Architect
    +46(0)760 25 85 75
    Axiomatics AB
    Skeppsbron 40
    S-111 30 Stockholm, Sweden
    http://www.linkedin.com/companies/536082
    http://www.axiomatics.com
    http://twitter.com/axiomatics
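
The three outcomes discussed in this thread (Permit, NotApplicable, Indeterminate), shown as a simplified model of attribute-designator resolution. This is an added example, not code from either poster, the OASIS test suite, or any PDP product; it assumes the reading given in the reply above (the PIP is consulted regardless of MustBePresent), and the function names, the "Physician" value and both PIP stubs are constructed for illustration.

```python
# Simplified model only: names and sample values are constructed, not taken from IIA002.
from enum import Enum

ROLE = "urn:oasis:names:tc:xacml:1.0:example:attribute:role"

class Decision(Enum):
    PERMIT = "Permit"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

class MissingAttribute(Exception):
    """Raised when the bag is empty and the designator has MustBePresent="True"."""

def resolve(attr_id, request, pip, must_be_present=False):
    """Return the bag for attr_id: request context first, then the PIP (if any)."""
    bag = list(request.get(attr_id, []))
    if not bag and pip is not None:
        try:
            bag = list(pip(attr_id))
        except Exception:
            bag = []  # a failed PDP/PIP interaction leaves the bag empty
    if not bag and must_be_present:
        raise MissingAttribute(attr_id)
    return bag

def evaluate(request, pip, expected_role, must_be_present=False):
    """Single Permit rule that matches when the role bag contains expected_role."""
    try:
        bag = resolve(ROLE, request, pip, must_be_present)
    except MissingAttribute:
        return Decision.INDETERMINATE
    return Decision.PERMIT if expected_role in bag else Decision.NOT_APPLICABLE

# Constructed PIP stubs: one that knows the role, one whose lookup fails.
def working_pip(attr_id):
    return ["Physician"] if attr_id == ROLE else []

def broken_pip(attr_id):
    raise ConnectionError("PIP unreachable")

if __name__ == "__main__":
    for name, pip in [("working", working_pip), ("broken", broken_pip), ("none", None)]:
        for mbp in (False, True):
            print(f"pip={name:8} MustBePresent={mbp!s:5} -> "
                  f"{evaluate({}, pip, 'Physician', mbp).value}")
```

In this model a working PIP yields Permit with either MustBePresent setting; the setting only changes what a missing attribute produces, NotApplicable when "False" and Indeterminate when "True".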