OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Proposed semantics for operations involving INDETERMINATE

    Posted 07-22-2002 18:45
    In order to prevent increased privileges due to lack of information (problem described in previous mailing), I propose the following semantics for various operators of particular interest:

    A. urn:oasis:names:tc:XACML:0.15i:operators:not
       1) Order of evaluation: Not applicable. Only one operand permitted.
       2) When does evaluation terminate: when any one of the following conditions holds:
          a) The evaluated operand returns TRUE
          b) The evaluated operand returns FALSE
          c) The evaluated operand returns INDETERMINATE
       3) What result is returned:
          2a) FALSE
          2b) TRUE
          2c) INDETERMINATE

    B. urn:oasis:names:tc:XACML:0.15i:operators:or
       1) Order of evaluation: not specified. Operands may be evaluated in any order.
       2) When does evaluation terminate: when any one of the following conditions holds:
          a) One evaluated operand returns TRUE
          b) All operands have been evaluated.
             i) And at least one operand returned INDETERMINATE
             ii) And all operands returned FALSE
       3) What result is returned:
          2a) TRUE
          2bi) INDETERMINATE
          2bii) FALSE

    C. urn:oasis:names:tc:XACML:0.15i:operators:orderedOr
       1) Order of evaluation: Operands MUST be evaluated in the order specified.
       2) When does evaluation terminate: when any one of the following conditions holds:
          a) One evaluated operand returns TRUE
          b) All operands have been evaluated.
             i) And at least one operand returned INDETERMINATE
             ii) And all operands returned FALSE
       3) What result is returned:
          2a) TRUE
          2bi) INDETERMINATE
          2bii) FALSE

    D. urn:oasis:names:tc:XACML:?:rulecombiningalgorithms:denyOverrides
       1) Order of evaluation: not specified. Rules may be evaluated in any order.
       2) When does evaluation terminate: when any one of the following conditions holds:
          a) One evaluated rule returns deny
          b) One evaluated rule returns indeterminate
          c) All rules have been evaluated
             i) And at least one rule returned PERMIT.
             ii) And all rules returned notApplicable
       3) What result is returned:
          2a) deny
          2b) indeterminate
          2ci) permit
          2cii) notApplicable

    E. urn:oasis:names:tc:XACML:?:rulecombiningalgorithms:permitOverrides
       1) Order of evaluation: not specified. Rules may be evaluated in any order.
       2) When does evaluation terminate: when any one of the following conditions holds:
          a) One evaluated rule returns permit
          b) All rules have been evaluated
             i) And at least one rule returned indeterminate.
             ii) And all rules returned notApplicable
       3) What result is returned:
          2a) permit
          2bi) indeterminate
          2bii) deny

    F. urn:oasis:names:tc:XACML:?:policycombiningalgorithms:denyOverrides
       1) Order of evaluation: not specified. Policies and policysets may be evaluated in any order.
       2) When does evaluation terminate: when any one of the following conditions holds:
          a) One evaluated policy or policyset returns deny
          b) One evaluated policy or policyset returns indeterminate
          c) All policies and policysets have been evaluated
             i) And at least one policy or policyset returned PERMIT.
             ii) And all policies and policysets returned notApplicable
       3) What result is returned:
          2a) deny
          2b) indeterminate
          2ci) permit
          2cii) notApplicable

    G. urn:oasis:names:tc:XACML:?:policycombiningalgorithms:permitOverrides
       1) Order of evaluation: not specified. Policies and policysets may be evaluated in any order.
       2) When does evaluation terminate: when any one of the following conditions holds:
          a) One evaluated policy or policyset returns permit
          b) All policies and policysets have been evaluated
             i) And at least one policy or policyset returned indeterminate.
             ii) And all policies and policysets returned notApplicable
       3) What result is returned:
          2a) permit
          2bi) indeterminate
          2bii) deny

    Anne
    --
    Anne H. Anderson               Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive, UBUR02-311    Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692