OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] [CR] Add Default-deny policy combination algorithm

    Posted 08-22-2002 16:17


    Subject: Re: [xacml] [CR] Add Default-deny policy combination algorithm


    
    See below:
    
    
    On Thu, 22 Aug 2002, Anne Anderson wrote:
    
    > Add normative, mandatory-to-implement Default-deny policy
    > combination algorithm.
    >
    > Text to be added as new section in Appendix C.
    >
    > The following specification defines the "Default Deny" policy
    > combining algorithm of a policy set.
    >
    >    In the entire set of policies to be evaluated, if any policy
    >    evaluates to Deny, then the result of the policy combination
    >    shall be Deny.  In other words, Deny takes precedence,
    >    regardless of the result of evaluating any of the other
    >    policies in the combination.  If all policies are found not to
    >    be applicable to the request, the policy combination returns
    >    Deny.  If there is any error evaluating the target of a
    >    policy, or a reference to a policy is considered invalid, or
    >    the policy evaluation results in Indeterminate, then the
    >    result of the combination shall be Deny.
    >
    > The following pseudo code represents the evaluation strategy of
    > this policy-combining algorithm.
    >
    >    Decision defaultDenyPolicyCombiningAlgorithm(Policy policies[])
    >    {
    >        Boolean atLeastOnePermit = false;
    >        for ( i=0 ; i < lengthOf(policies) ; i++ )
    >        {
    >            Decision decision = evaluate(policies[i]);
    >            if (decision == Deny)
    >            {
    >                return Deny;
    >            }
    >            if (decision == Permit)
    >            {
    >                atLeastOnePermit = true;
    >                continue;
    >            }
    >            if (decision == NotApplicable)
    >            {
    >                continue;
    >            }
    >            if (decision == Indeterminate)
    >            {
    >                return Deny;
    >            }
    >        }
    >        if (atLeastOnePermit)
    >        {
    >            return Permit;
    >        }
    >        return NotApplicable;
    
    I think you meant this to be
    
             return Deny;
    
    >    }
    >
    > Obligations of the individual policies shall be combined as
    > described in Section "Obligations."
    >
    > Rationale:
    >
    >    [The Bill Parducci Memorial Combination Algorithm] At the top
    >    level, a PDP may want to return Deny where Deny-Overrides
    >    would have returned NotApplicable.  In other words, the PDP
    >    will return Deny unless the request is explicitly permitted
    >    and not explicitly denied.
    >
    >    This combination algorithm may be used with underlying
    >    algorithms of either Permit-Overrides or Deny-Overrides to
    >    convert Indeterminate or NotApplicable results to Deny.
    >
    > Anne
    > --
    > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    > Sun Microsystems Laboratories
    > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
    > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    >
    >
    
    


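    Added example, not code from the thread or from the XACML specification text: the proposed default-deny policy-combining algorithm written out in Python, with the final return changed to Deny as the reply above says was intended, beside a deny-overrides version that differs only in that final return (the contrast the rationale draws). The attribute names, the three sample policies and the request dictionaries are constructed for illustration; an XACML policy is XML with a Target and Rules, whereas here a policy is simply a function from a request to a Decision.

```python
"""Added example for the default-deny policy-combining algorithm proposed
in the quoted e-mail.  Not code from the thread or from the XACML spec; the
attribute names, sample policies and requests are constructed here.  The
final return is Deny, as the reply says was intended; deny_overrides differs
only in that final return, which is the contrast the rationale draws."""
from enum import Enum
from typing import Callable, Dict, List


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


# A policy is modelled as a callable from a flat attribute dict to a Decision;
# a real PDP would evaluate XACML <Policy> XML with a Target and Rules.
Policy = Callable[[Dict[str, str]], Decision]


def _safe_evaluate(policy: Policy, request: Dict[str, str]) -> Decision:
    """Evaluate one policy; an error while evaluating it becomes Indeterminate.
    The proposal says a target-evaluation error shall make the combination
    Deny, and both combiners below map Indeterminate to Deny."""
    try:
        return policy(request)
    except Exception:
        return Decision.INDETERMINATE


def default_deny(policies: List[Policy], request: Dict[str, str]) -> Decision:
    """Default-deny: any Deny or Indeterminate is Deny; a Permit with no Deny
    is Permit; a set in which nothing applies is Deny, not NotApplicable."""
    at_least_one_permit = False
    for policy in policies:
        decision = _safe_evaluate(policy, request)
        if decision in (Decision.DENY, Decision.INDETERMINATE):
            return Decision.DENY
        if decision is Decision.PERMIT:
            at_least_one_permit = True
        # NotApplicable: keep evaluating the remaining policies
    return Decision.PERMIT if at_least_one_permit else Decision.DENY


def deny_overrides(policies: List[Policy], request: Dict[str, str]) -> Decision:
    """Deny-overrides as contrasted in the rationale: identical to default_deny
    except that a set in which nothing applies yields NotApplicable."""
    at_least_one_permit = False
    for policy in policies:
        decision = _safe_evaluate(policy, request)
        if decision in (Decision.DENY, Decision.INDETERMINATE):
            return Decision.DENY
        if decision is Decision.PERMIT:
            at_least_one_permit = True
    return Decision.PERMIT if at_least_one_permit else Decision.NOT_APPLICABLE


# Constructed sample policies (hypothetical attribute names).
def clinicians_may_read_records(req: Dict[str, str]) -> Decision:
    """Target: resource-type 'record' and action 'read'; clinicians only."""
    if req.get("resource-type") != "record" or req.get("action") != "read":
        return Decision.NOT_APPLICABLE
    return Decision.PERMIT if req.get("role") == "clinician" else Decision.DENY


def suspended_accounts_denied(req: Dict[str, str]) -> Decision:
    """Applies to any request whose subject is flagged as suspended."""
    return Decision.DENY if req.get("suspended") == "true" else Decision.NOT_APPLICABLE


def clearance_policy(req: Dict[str, str]) -> Decision:
    """Raises KeyError when the clearance attribute is missing: a stand-in
    for an error while evaluating a policy's target."""
    return Decision.PERMIT if int(req["clearance"]) >= 3 else Decision.DENY


POLICY_SET: List[Policy] = [clinicians_may_read_records, suspended_accounts_denied]


def demo() -> Dict[str, Dict[str, str]]:
    """Run both combiners over constructed requests; returns decision names."""
    base = {"role": "clinician", "resource-type": "record", "action": "read"}
    cases = {
        "clinician reads record": (POLICY_SET, {**base, "suspended": "false"}),
        "suspended clinician reads record": (POLICY_SET, {**base, "suspended": "true"}),
        "nothing applies (write to log)": (POLICY_SET, {**base, "resource-type": "log",
                                                        "action": "write"}),
        "target error (no clearance)": (POLICY_SET + [clearance_policy], dict(base)),
    }
    return {name: {"default_deny": default_deny(pols, req).value,
                   "deny_overrides": deny_overrides(pols, req).value}
            for name, (pols, req) in cases.items()}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:36s} {result}")
```

    Running the module prints both decisions for each constructed request. The "nothing applies" case is the one where the two combiners part ways (Deny versus NotApplicable), which is the whole point of the proposal; the missing-clearance case shows an evaluation error being closed off as Deny instead of reaching the PEP as Indeterminate.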