OASIS eXtensible Access Control Markup Language (XACML) TC

RE: [xacml] Proposed semantics for operations involving INDETERMINATE

  • 1.  RE: [xacml] Proposed semantics for operations involving INDETERMINATE

    Posted 07-24-2002 03:05
    > Each boolean function should have a proper result of True or False. Then
    > there is no problem.

    (1 divide 0) GT (INF plus NAN) ?

    > That should be part of a recombination algorithm - how you prioritize
    > - for that you need a way to communicate such an evaluation result.
    > As for scalability - if you need to evaluate a zillion rules, you may
    > want to recombine results from several PDP, each dealing with part of
    > the policy - say #1, #2, #3 say N/A, as they have no rules for the
    > subject, #4 says GRANT, #5 says ERROR, but #5 is the one handling DENY
    > rules.  If it says N/A, I am not sure it is what we want to have..
    > Well, our current model, in your example, policies 1,2,3, and 5 would say
    > Indeterminate, while #4 says Permit. However, if #5, by some crystal ball,
    > may return a Deny. If that is really your intent, then you need to wrap
    > the combination of policies with the Bill Parducci Policy Combinator which
    > only yields Permit if every policy evaluates to Permit.

    But if #5 has no PERMIT effect rules?