OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] [CR] New Section 7.x: Initial policy

Posted 10-09-2002 20:02

A PDP may encounter a situation where it finds multiple policies, despite our statement that it MUST NOT. I am trying to provide guidance for the implementer on how to handle this situation. A typical, skilled implementer known to me, who shall remain unnamed, wanted to know if he/she should write her/his implementation to *verify* that there is only one and what to return if more than one were encountered. So this is a real question that implementers want to know the answer to.

-Anne

On 8 October, Polar Humenn writes:
Re: [xacml] [CR] New Section 7.x: Initial policy

> Again, this is up to configuration of the PDP. You either say that the PDP is represented by ONE and only ONE policy and leave it at that.
>
> If you go multiple Policy, then things are up for grabs. You are sort of outlining a twist on the First Applicable combining algorithm with some mandated configuration.
>
> But, there are no configuration interfaces for the PDP, so how can you enforce what its configuration has to be?
>
> I suggest that we either say that a PDP is represented by ONE and only ONE policy (of where everything is specified by XACML policy), or it's up to the configuration, and/or its management interfaces, if it has any.
>
> -Polar
>
> On Tue, 8 Oct 2002, Anne Anderson wrote:
>
> > CR: Add new section to Chapter 7 to describe requirements on the initial policy used by the PDP.
> >
> > Rationale: clarify the requirements on initial policy.
> >
> > Text:
> >
> > 7.x Initial policy
> >
> > A PDP MUST have a means of obtaining either zero initial applicable policies or one initial applicable policy for a given <Request>. If the PDP has zero initial applicable policies, then the PDP MUST return a result of "NotApplicable". If the PDP has more than one initial applicable policy, then the PDP MUST return a result of "Indeterminate" (due to "Initial policy not unique"). If the PDP can determine a single initial applicable policy by assuming that there is only one, then the PDP MUST return the result of evaluating that policy. If the PDP is unable to determine whether there is only a single applicable policy (such as obtaining an "Indeterminate" result when comparing the <Request> against the <Target> of a policy candidate), then the PDP MUST return a result of "Indeterminate" (due to "Error in obtaining initial policy").
> >
> > The single initial policy MAY be configured as part of the PDP.
> >
> > The single initial policy MAY be retrieved from among multiple candidates from a repository, based on matching the <Request> against the <Target> elements of the candidates. There MUST be only one policy in the repository that will match any given <Request>. The PDP MUST be implemented to assume there is only one match, such that, if a candidate policy is found, no further search for candidates is performed. However, if multiple matches are unavoidably encountered by the implementation, then the PDP MUST return a result of "Indeterminate" (due to "Initial policy not unique").
> >
> > The single initial policy MAY be constructed by the PIP based on a single configured Policy Combining Algorithm and a set of policies retrieved from among multiple candidates in a repository, based on matching the <Request> against the <Target> elements of the candidates. In this case, there MAY be more than one policy in the repository that matches a given <Request>. In this case, if the evaluation of the <Target> of any candidate policy returns a result of "Indeterminate", then that candidate policy MUST be included in the set of policies from which the single initial policy is constructed.

--
Anne H. Anderson                 Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311      Tel: 781/442-0928
Burlington, MA 01803-0902 USA    Fax: 781/442-1692
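The implementer's question in this thread (should the PDP verify that only one initial policy matches, and what should it return if several do) can be made concrete in code. The following is an added example, not code from the XACML TC thread or from any XACML implementation: a small Python model of the zero / one / many / Indeterminate cases in the proposed Section 7.x, covering both the "single policy from a repository" mode and the "constructed from several candidates under a combining algorithm" mode. The `Policy` class, the request dictionary format, the function names and the sample policies are all assumptions made for this example, and the combining algorithm is a simplified illustrative one, not one of the standard XACML algorithms.

```python
# Added example (not from the XACML TC thread or any XACML implementation):
# a model of the "initial policy" rules proposed in Section 7.x. The names,
# request format and sample policies are assumptions made for this example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Outcomes of matching a <Request> against a policy's <Target>.
MATCH, NO_MATCH, INDETERMINATE = "Match", "NoMatch", "Indeterminate"
# Decisions a PDP returns.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

Request = Dict[str, str]


@dataclass
class Policy:
    name: str
    # Target matcher: returns MATCH, NO_MATCH, or INDETERMINATE (for instance
    # when an attribute the target needs is absent from the request).
    target: Callable[[Request], str]
    # What evaluating the policy body yields once its target has matched.
    decision: str


def find_candidates(repository: List[Policy], request: Request) -> List[Tuple[Policy, str]]:
    """Repository lookup: every policy whose target did not clearly fail to
    match, paired with its match outcome. A lookup that returns several rows
    is how "multiple matches are unavoidably encountered" shows up in practice,
    so the caller has to decide what that means."""
    found = []
    for policy in repository:
        outcome = policy.target(request)
        if outcome != NO_MATCH:
            found.append((policy, outcome))
    return found


def evaluate_single_initial(repository: List[Policy], request: Request) -> Tuple[str, str]:
    """Second mode of the CR: at most one repository policy may match.
    Returns (decision, status message)."""
    candidates = find_candidates(repository, request)
    # Cannot tell whether a single policy applies: Indeterminate (error).
    if any(outcome == INDETERMINATE for _, outcome in candidates):
        return INDETERMINATE, "Error in obtaining initial policy"
    if not candidates:
        return NOT_APPLICABLE, ""
    # Several clear matches: the repository violated the uniqueness rule.
    if len(candidates) > 1:
        return INDETERMINATE, "Initial policy not unique"
    return candidates[0][0].decision, ""


def combine_deny_wins(decisions: List[str]) -> str:
    """Deliberately simple combining algorithm for illustration only (not one
    of the standard XACML algorithms): Deny wins, then Indeterminate, then
    Permit; NotApplicable only when nothing applied."""
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def evaluate_constructed_initial(repository: List[Policy], request: Request) -> Tuple[str, str]:
    """Third mode of the CR: the initial policy is built from all matching
    candidates under a configured combining algorithm. A candidate whose
    target is Indeterminate MUST be included; here it contributes Indeterminate."""
    decisions = [policy.decision if outcome == MATCH else INDETERMINATE
                 for policy, outcome in find_candidates(repository, request)]
    return combine_deny_wins(decisions), ""


# Constructed sample policies (not from any real deployment).
def target_resource(prefix: str) -> Callable[[Request], str]:
    def matcher(request: Request) -> str:
        if "resource" not in request:
            return INDETERMINATE      # cannot decide without the attribute
        return MATCH if request["resource"].startswith(prefix) else NO_MATCH
    return matcher


REPOSITORY = [
    Policy("finance", target_resource("/finance/"), PERMIT),
    Policy("hr", target_resource("/hr/"), DENY),
    Policy("everything", target_resource("/"), PERMIT),  # overlaps with both
]
SINGLE_REPOSITORY = REPOSITORY[:2]                      # targets never overlap

if __name__ == "__main__":
    for req in ({"resource": "/finance/ledger"}, {"resource": "/public/x"}, {}):
        print(req,
              "| single:", evaluate_single_initial(SINGLE_REPOSITORY, req),
              "| overlapping:", evaluate_single_initial(REPOSITORY, req),
              "| constructed:", evaluate_constructed_initial(REPOSITORY, req))
```

Run as a script, the overlapping repository shows the two failure modes the CR names side by side: a request for `/finance/ledger` matches both `finance` and `everything`, so the single-policy mode returns Indeterminate ("Initial policy not unique"), while the constructed mode combines them instead; a request with no `resource` attribute makes every target Indeterminate, which the single-policy mode reports as "Error in obtaining initial policy" and the constructed mode folds into the combined result.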