OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] policy subcommittee meeting on Dec. 10 - minutes

    Posted 12-10-2001 20:15
    > For instance, suppose global policy P is defined as P=P1 OR
    > P2. Consider a request R, and suppose that P1 has a ``permit'' for R.
    > Would what P2 says make a difference for the overall decision? In
    > other words what if P2 has a ``deny'' for R? should it be different
    > from the case where P2 does not have anything for R? (if so the
    > composition would become much more complicated and the evaluation
    > process less efficient as all the policies in an expression should be
    > evaluated always).
    >
    > There is general consensus among the people on the concall that policy
    > composition should operate on the decisions of the policy, not on the
    > rules in it. So whether P2 could have a negative response to the
    > request because of the absence of a ``permit'' for it or because of a
    > ``deny'' for it should not make a difference.
    
    
    i do not understand this, can someone please give an example?
    
    i only know of two methods that address conflict resolution:
    
    * explicit precedence ('allow except' or 'deny except')
    * order based evaluations for access control (order yields precedence)
    
    does the above fit in with one of these or are we considering another 
    approach?
    
    thanks
    
    b
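
The two readings of P = P1 OR P2 discussed in the quoted minutes, as an added example that is not part of the original message or of any XACML specification text. The three-valued policy result ("permit", "deny", or nothing), the table-backed policies and all function names are assumptions made for illustration.

```python
from typing import Callable, Dict, List, Optional

# Assumption: a policy maps a request to "permit", "deny", or None (nothing for R).
Policy = Callable[[str], Optional[str]]

def table_policy(name: str, table: Dict[str, str], log: List[str]) -> Policy:
    """Constructed policy backed by a request->effect table; logs each evaluation."""
    def evaluate(request: str) -> Optional[str]:
        log.append(name)
        return table.get(request)
    return evaluate

def or_on_decisions(policies: List[Policy], request: str) -> bool:
    """Composition on decisions: a 'deny' and the absence of a 'permit'
    are the same negative response, so OR can stop at the first permit."""
    for policy in policies:
        if policy(request) == "permit":
            return True
    return False

def or_with_deny_visible(policies: List[Policy], request: str) -> bool:
    """The alternative raised in the question: an explicit 'deny' in any
    operand changes the outcome, so every operand must be evaluated."""
    results = [policy(request) for policy in policies]
    return "permit" in results and "deny" not in results

def run(p2_table: Dict[str, str]):
    """P1 permits R; P2 is supplied by the caller. Returns, for each reading,
    the overall decision and which policies had to be evaluated."""
    log: List[str] = []
    p1 = table_policy("P1", {"R": "permit"}, log)
    p2 = table_policy("P2", p2_table, log)
    on_decisions = or_on_decisions([p1, p2], "R")
    evaluated_on_decisions = list(log)
    log.clear()
    deny_visible = or_with_deny_visible([p1, p2], "R")
    return on_decisions, evaluated_on_decisions, deny_visible, list(log)

if __name__ == "__main__":
    print("P2 denies R:      ", run({"R": "deny"}))
    print("P2 silent about R:", run({}))
```

Under the decision-level reading both runs give the same answer after evaluating only P1; under the other reading the answer depends on P2 and both policies are always evaluated.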