Hi Allan,

In your example, at the beginning, it seems like the policy set and the 2 policies are all siblings, but later on we understand the 2 policies are in fact children of the policy set. Assuming the latter, we have a parent PolicySet PS1 which contains 2 children, P1 and P2:

PS1: deny-overrides
  P1: deny-unless-permit
  P2: deny-unless-permit

P1 can yield either Deny (which masks Indeterminate and NotApplicable) or Permit.
P2 can yield either Deny (which masks Indeterminate and NotApplicable) or Permit.

This means that PS1 will yield a Permit if and only if both P1 and P2 yield Permit. This is a neat way of implementing a "greedy permit" behavior, where all children policies should trigger, and all should return permit. Any other combination will make PS1 return Deny.

Does that make sense?

Cheers,
David.

On Sun, Sep 8, 2013 at 1:12 PM, Allan Foster <
allan.foster@forgerock.com> wrote:

Hi All,

So I have an interesting question that I cannot find addressed in the spec. I feel silly even asking this, but: how should combining algorithms be handled when there is both a policySet as well as a policy defined?

I take the example from the RSA interop example:

<PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
  <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">

I take this to be read as "Always return DENY" since:

Policy 1 is evaluated, all rules are evaluated, and the result is PERMIT.
Policy 2 is evaluated, all rules are evaluated, and the result is NOT APPLICABLE. The policy combiner deny-unless-permit is applied, leaving the result as DENY.
The Policy Set combiner is evaluated (deny-overrides): and since Policy 2 results in Deny, even tho there is a PERMIT from Policy 1, the result should be DENY.

Can someone explain to me where I am misunderstanding?

Thanx
Allan

--
Simplify Email: Email Charter
Allan Foster - ForgeRock
Vice President Technology & Standards
Office of the CTO
Location: Vancouver, WA, US
p: +1.360.229.7102
email: allan.foster@forgerock.com
www: www.forgerock.com
www: www.forgerock.org
blogs: blogs.forgerock.com/GuruAllan

--
David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
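The PS1/P1/P2 evaluation discussed in both messages above, as an added example that is not part of the thread or of any XACML implementation. The two combining algorithms are written out from their XACML 3.0 definitions (with the spec's Indeterminate{D}/{P}/{DP} variants collapsed into one Indeterminate, a simplification), and the rules, request attributes and policy contents are constructed stand-ins for the RSA interop policies, not the real ones.

```python
from itertools import product

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
DECISIONS = (PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE)


def deny_unless_permit(children):
    """XACML 3.0 deny-unless-permit: Permit if any child permits, otherwise Deny.
    NotApplicable and Indeterminate children are masked and surface as Deny."""
    return PERMIT if PERMIT in children else DENY


def deny_overrides(children):
    """XACML 3.0 deny-overrides, simplified: the spec's Indeterminate{D}/{P}/{DP}
    variants are collapsed into a single Indeterminate value for this illustration."""
    if DENY in children:
        return DENY
    if INDETERMINATE in children:
        return INDETERMINATE
    if PERMIT in children:
        return PERMIT
    return NOT_APPLICABLE


def evaluate_policy(rules, request):
    """A rule is (predicate, effect). A predicate that raises yields Indeterminate,
    one that does not match yields NotApplicable. The rule results are combined
    with deny-unless-permit, as in P1 and P2 of the thread."""
    results = []
    for predicate, effect in rules:
        try:
            results.append(effect if predicate(request) else NOT_APPLICABLE)
        except Exception:  # e.g. a missing attribute -> Indeterminate
            results.append(INDETERMINATE)
    return deny_unless_permit(results)


# Constructed policies standing in for the interop example (hypothetical content):
# P1 permits any read, P2 permits only admins. PS1 = deny-overrides over [P1, P2].
P1_RULES = [(lambda r: r["action"] == "read", PERMIT)]
P2_RULES = [(lambda r: r["role"] == "admin", PERMIT)]


def evaluate_ps1(request):
    """Return (P1 decision, P2 decision, PS1 decision) for one request."""
    p1 = evaluate_policy(P1_RULES, request)
    p2 = evaluate_policy(P2_RULES, request)
    return p1, p2, deny_overrides([p1, p2])


def ps1_table():
    """PS1 outcome for every pair of raw child outcomes once each child has been
    wrapped in deny-unless-permit: Permit appears only for (Permit, Permit)."""
    return {(a, b): deny_overrides([deny_unless_permit([a]), deny_unless_permit([b])])
            for a, b in product(DECISIONS, repeat=2)}
```

Allan's case is `evaluate_ps1({"role": "manager", "action": "read"})`: P2's rule does not match, deny-unless-permit turns that NotApplicable into Deny, and deny-overrides at PS1 makes the final decision Deny despite P1's Permit.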