OASIS eXtensible Access Control Markup Language (XACML) TC

  1. Re: Negative Policies

    Posted 09-20-2001 10:42
    My comments were directed at the implementation of rule #2 below. If
    'Bill' is the identity of the entity as known by the PDP, the 'universe'
    is bounded and is not reasonably subject to the issues you raised. On
    the other hand, I agree that #1, #3 and #4 are.
    
    b
    
    Hal Lockhart wrote:
    > 
    > I should have begun by saying that when I refer to negative policies, I am
    > actually referring to a number of different kinds of policies which have
    > different negative aspects. What they have in common is that they express
    > what is not the case rather than what is the case. Some of the problems I
    > have seen apply to all types of negative policies, some only apply to some
    > types. However, because of the number of distinct types of problems I have
    > become wary of all types of negative policies.
    > 
    > Some examples of what I consider to be negative policies:
    > 
    > 1. under such and such conditions, the READ operation is not allowed.
    > 
    > 2. Bill is not allowed to do such and such
    > 
    > 3. Vice Presidents are not allowed to do such and such
    > 
    > 4. Such and such a policy does not apply to
    > http://www.example.com/my/files/*
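
An added illustration of the distinction drawn in the reply above (this is constructed example code, not code from the thread, the XACML TC or any XACML implementation): a toy deny-overrides PDP with one rule per negative-policy shape. The READ action for rules #2 and #3, and the missing-attribute and URL-spelling cases it exercises, are assumptions, since the thread does not say which issues Hal raised; they stand in for the general point that a deny keyed on a PDP-known identity is closed over a bounded set of subjects, while a deny keyed on a role attribute or a URL pattern only fires when the request happens to be expressed in the form the rule expects.

```python
# Constructed illustration, not OASIS or XACML TC code: a toy deny-overrides
# PDP with one rule per negative-policy shape from the thread. Rule #2 is keyed
# on the identity the PDP already knows, so the set of subjects it can ever
# match is bounded. Rules #3 and #4 are keyed on a role attribute and a URL
# pattern, so whether they fire depends on how the request is expressed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Request:
    subject: str                                # identity as known by the PDP
    action: str                                 # e.g. "READ"
    resource: str                               # URL of the target
    attrs: dict = field(default_factory=dict)   # e.g. {"role": "VP"}

def evaluate(rules, req):
    """Deny-overrides: the first matching deny rule wins, otherwise Permit."""
    for rule in rules:
        if rule(req):
            return "Deny"
    return "Permit"

# #2 (action assumed): Bill is not allowed to READ. Bounded: only the one
# identity the PDP knows as "bill" can ever match.
def deny_bill_read(req):
    return req.subject == "bill" and req.action == "READ"

# #3 (action assumed): Vice Presidents are not allowed to READ. Fires only if
# the request actually carries role="VP"; a missing or differently spelled
# attribute silently leaves the deny unmatched and the request is permitted.
def deny_vp_read(req):
    return req.attrs.get("role") == "VP" and req.action == "READ"

# #4: a deny scoped to the URL pattern quoted in the thread. Fires only on the
# literal spelling of the resource; a PDP would have to canonicalise URLs
# (decode, lower-case the host, resolve dot segments) before matching.
def deny_files_read(req):
    pattern = "http://www.example.com/my/files/*"
    return fnmatchcase(req.resource, pattern) and req.action == "READ"

RULES = [deny_bill_read, deny_vp_read, deny_files_read]

def decide(subject, action, resource, **attrs):
    return evaluate(RULES, Request(subject, action, resource, attrs))

if __name__ == "__main__":
    print(decide("bill", "READ", "http://www.example.com/other"))              # Deny
    print(decide("carol", "READ", "http://www.example.com/other", role="VP"))  # Deny
    print(decide("carol", "READ", "http://www.example.com/other"))             # Permit: no role attribute
    print(decide("carol", "READ", "http://www.example.com/my/files/a"))        # Deny
    print(decide("carol", "READ", "http://www.example.com/my/%66iles/a"))      # Permit: same path, encoded
```

The last two calls name the same file; only the rule keyed on the PDP-known identity gives the same answer regardless of how the request is spelled.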