OASIS eXtensible Access Control Markup Language (XACML) TC

To TC: To collect the info from today's discussion, which was ref'd in the Feb 9 minutes: the latest email I thought Erik and I had agreement that a statement would be made in the implementor's guide that a Policy w no Rules may be ignored  by developers: http://lists.oasis-open.org/archives/xacml/201202/msg00000.html It would seem to me that at a minimum, we could include an advisory note to developers that a PDP may ignore a Policy that contains no Rules, since there is no point from a XACML functional perspective to provide any logic to do anything specific with such Policies. Such an approach would remove any questions from developers, and could leave the schema unchanged. During today's discussion, the notion was introduced that somehow a combining algorithm could effectively introduce a decision despite the fact that there were no Rules in the Policy. However, I think that interpretation is wrong for the following reason. For Policy evaluation, we have to refer to section 7.11 Policy Evaluation . According to Table 5 there, the following is normative behavior: The policy truth table is shown in Table 5. Target Rule values Policy Value “Match” At least one rule value is its Effect Specified by the rule-combining algorithm “Match” All rule values are “NotApplicable” “NotApplicable” “Match” At least one rule value is “Indeterminate” Specified by the rule-combining algorithm “No-match” Don?t care “NotApplicable” “Indeterminate” Don?t care “Indeterminate” Table 5 Policy truth table I think we can agree that the Target is a Match , since, by section 7.7, even an empty Target matches any request. Also, I think that rows 1 and 3 that begin with At least one rule ... do not apply since there are zero Rules in the use case we are discussing. Since those rows are the only places that cause the rule-combining algorithm to  be invoked, I think we can assume that even combining algorithms, such as Deny-unless -permit (section C.6) or Permit-unless-deny (section C.7) will not get invoked. Therefore, the only thing that is left is row 2, which states: All Rule values are NotApplicable . I believe this statement is TRUE, because in order to be false there must be at least one Rule which has a value other than NotApplicable , which is FALSE, and therefore the statement is TRUE. Therefore, a Policy w no Rules must evaluate to NotApplicable. QED. :)     Thanks,     Rich

Yes, Table 5 assumes the existence of a rule in the policy. I think our extensive discussion last year of combining algorithms, which resulted in rewriting
the pseudo-code, reflects our current intent of relying exclusively on the combining-algorithm. I don’t see any reason to back away from that position, but whatever we do Table 5 must be adjusted.
 
To harmonize in the direction of combining-algorithm control, we would remove rows 2 and 3 of the table body, and put “Don’t Care” for all Rule values.
 
To say that a policy with no rules is “NotApplicable” we could remove the 1 st body row; change “All rule values are NotApplicable” in the 2 nd
body row to “No rules in policy”;  and change the existing 3 rd row to “Don’t care” under Rule values.
 
If we wanted the condition “All rule values not applicable” to result in “NotApplicable” even when the algorithm says “permit-unless-deny” or “deny-unless-permit”,
we would say “No rules in policy or all rules NotApplicable” = NotApplicable.
 
I prefer the first approach (rely exclusively on combining algorithm) because it introduces no special cases and therefore will cause the fewest surprises.
 
Regards,
--Paul
 



From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org]
On Behalf Of rich levinson
Sent: Thursday, 23 February, 2012 14:58
To: xacml
Subject: [xacml] Comment on issue 8? "choice element" or "Policy w no Rules"


 
To TC:

To collect the info from today's discussion, which was ref'd in the
Feb 9 minutes:

the "latest email" I thought Erik and I had agreement that a statement
would be made in the "implementor's guide" that a Policy w no Rules
may be ignored  by developers:
http://lists.oasis-open.org/archives/xacml/201202/msg00000.html
"It would seem to me that at a minimum, we could include
an advisory note to developers that a PDP may ignore
a Policy that contains no Rules, since there is no point
from a XACML functional perspective to provide any logic
to do anything specific with such Policies.

Such an approach would remove any questions from developers,
and could leave the schema unchanged."
During today's discussion, the notion was introduced that somehow a
combining algorithm could effectively introduce a decision despite the
fact that there were no Rules in the Policy.

However, I think that interpretation is wrong for the following reason.
For Policy evaluation, we have to refer to section 7.11 "Policy Evaluation".
According to Table 5 there, the following is normative behavior:
The policy truth table is shown in Table 5.




Target


Rule values


Policy Value




“Match”


At least one rule value is its Effect


Specified by the rule-combining algorithm




“Match”


All rule values are “NotApplicable”


“NotApplicable”




“Match”


At least one rule value is “Indeterminate”


Specified by the rule-combining algorithm




“No-match”


Don ? t care


“NotApplicable”




“Indeterminate”


Don ? t care


“Indeterminate”




Table 5 Policy truth table
I think we can agree that the Target is a "Match", since, by section 7.7, even

an empty Target matches any request.

Also, I think that rows 1 and 3 that begin with "At least one rule ..." do
not apply since there are "zero Rules" in the use case we are discussing.
Since those rows are the only places that cause the rule-combining
algorithm to  be invoked, I think we can assume that even combining
algorithms, such as "Deny-unless -permit" (section C.6) or
"Permit-unless-deny" (section C.7) will not get invoked.

Therefore, the only thing that is left is row 2, which states:
"All Rule values are "NotApplicable"". I believe this statement
is TRUE, because in order to be false there must be at least
one Rule which has a value other than "NotApplicable", which
is FALSE, and therefore the statement is TRUE.

Therefore, a Policy w no Rules must evaluate to NotApplicable.
QED. :)

    Thanks,
    Rich

Hi Paul, As I recall the extensive discussions on the combining algorithms last year had to do w correcting some inconsistencies and unnecessary gaps based on the handling of Indeterminates that was in 2.0. Also this is not a matter of exclusively relying on combining algorithms vs policy or rule evaluation. The policy and rule evaluation provides the inputs to the combining algorithms. Basically, what the table says is no Rules means NotApplicable, as explained in previous email. I agree that there has always been a notion of biased evaluation, where a final answer of either Permit or Deny is required as opposed to returning Indeterminate or NotApplicable. My understanding is that this is the purpose of the Deny-unless-permit and Permit-unless-deny combining algorithms. As such, in order to allow this special case of zero Rules to exist, I think it would be reasonable to say that a Policy with zero Rules is equivalent to a Policy with one Rule that always evaluates to NotApplicable. i.e. we can define default inputs to the combining algorithm in the absence of any explicit input from the Policy itself, which I think is a reasonable interpretation of the current contents of Table 5. Bottom line: I see no reason why Table 5 needs to be changed as it already appears to cleanly specify the case we have been discussing, except that it needs a vehicle for sending the NotApplicable to the combining algorithm in the absence of any physical Rule.     Thanks,     Rich On 2/23/2012 4:17 PM, Tyson, Paul H wrote: Yes, Table 5 assumes the existence of a rule in the policy. I think our extensive discussion last year of combining algorithms, which resulted in rewriting the pseudo-code, reflects our current intent of relying exclusively on the combining-algorithm. I don’t see any reason to back away from that position, but whatever we do Table 5 must be adjusted.   To harmonize in the direction of combining-algorithm control, we would remove rows 2 and 3 of the table body, and put “Don’t Care” for all Rule values.   To say that a policy with no rules is “NotApplicable” we could remove the 1 st body row; change “All rule values are NotApplicable” in the 2 nd body row to “No rules in policy”;  and change the existing 3 rd row to “Don’t care” under Rule values.   If we wanted the condition “All rule values not applicable” to result in “NotApplicable” even when the algorithm says “permit-unless-deny” or “deny-unless-permit”, we would say “No rules in policy or all rules NotApplicable” = NotApplicable.   I prefer the first approach (rely exclusively on combining algorithm) because it introduces no special cases and therefore will cause the fewest surprises.   Regards, --Paul   From: xacml@lists.oasis-open.org [ mailto:xacml@lists.oasis-open.org ] On Behalf Of rich levinson Sent: Thursday, 23 February, 2012 14:58 To: xacml Subject: [xacml] Comment on issue 8? choice element or Policy w no Rules   To TC: To collect the info from today's discussion, which was ref'd in the Feb 9 minutes: the latest email I thought Erik and I had agreement that a statement would be made in the implementor's guide that a Policy w no Rules may be ignored  by developers: http://lists.oasis-open.org/archives/xacml/201202/msg00000.html It would seem to me that at a minimum, we could include an advisory note to developers that a PDP may ignore a Policy that contains no Rules, since there is no point from a XACML functional perspective to provide any logic to do anything specific with such Policies. Such an approach would remove any questions from developers, and could leave the schema unchanged. During today's discussion, the notion was introduced that somehow a combining algorithm could effectively introduce a decision despite the fact that there were no Rules in the Policy. However, I think that interpretation is wrong for the following reason. For Policy evaluation, we have to refer to section 7.11 Policy Evaluation . According to Table 5 there, the following is normative behavior: The policy truth table is shown in Table 5. Target Rule values Policy Value “Match” At least one rule value is its Effect Specified by the rule-combining algorithm “Match” All rule values are “NotApplicable” “NotApplicable” “Match” At least one rule value is “Indeterminate” Specified by the rule-combining algorithm “No-match” Don ? t care “NotApplicable” “Indeterminate” Don ? t care “Indeterminate” Table 5 Policy truth table I think we can agree that the Target is a Match , since, by section 7.7, even an empty Target matches any request. Also, I think that rows 1 and 3 that begin with At least one rule ... do not apply since there are zero Rules in the use case we are discussing. Since those rows are the only places that cause the rule-combining algorithm to  be invoked, I think we can assume that even combining algorithms, such as Deny-unless -permit (section C.6) or Permit-unless-deny (section C.7) will not get invoked. Therefore, the only thing that is left is row 2, which states: All Rule values are NotApplicable . I believe this statement is TRUE, because in order to be false there must be at least one Rule which has a value other than NotApplicable , which is FALSE, and therefore the statement is TRUE. Therefore, a Policy w no Rules must evaluate to NotApplicable. QED. :)     Thanks,     Rich

Rich, You are reading an old version of the spec. The current table looks like this: Target    Rule values     Policy Value “Match”    Don’t care    Specified by the rule-combining algorithm “No-match”    Don’t care    “NotApplicable” “Indeterminate”    See Table 7 See Table 7 The change was introduced in wd 20 in order to make sure the new combining algorithms were always invoked. It would be confusing if a policy with permit-unless-deny could return not-applicable since this algorithm was specifically introduced to guarantee that N/A or Indeterminate are never returned. Best regards, Erik On 2012-02-23 21:58, rich levinson wrote: To TC: To collect the info from today's discussion, which was ref'd in the Feb 9 minutes: the latest email I thought Erik and I had agreement that a statement would be made in the implementor's guide that a Policy w no Rules may be ignored  by developers: http://lists.oasis-open.org/archives/xacml/201202/msg00000.html It would seem to me that at a minimum, we could include an advisory note to developers that a PDP may ignore a Policy that contains no Rules, since there is no point from a XACML functional perspective to provide any logic to do anything specific with such Policies. Such an approach would remove any questions from developers, and could leave the schema unchanged. During today's discussion, the notion was introduced that somehow a combining algorithm could effectively introduce a decision despite the fact that there were no Rules in the Policy. However, I think that interpretation is wrong for the following reason. For Policy evaluation, we have to refer to section 7.11 Policy Evaluation . According to Table 5 there, the following is normative behavior: The policy truth table is shown in Table 5. Target Rule values Policy Value “Match” At least one rule value is its Effect Specified by the rule-combining algorithm “Match” All rule values are “NotApplicable” “NotApplicable” “Match” At least one rule value is “Indeterminate” Specified by the rule-combining algorithm “No-match” Don?t care “NotApplicable” “Indeterminate” Don?t care “Indeterminate” Table 5 Policy truth table I think we can agree that the Target is a Match , since, by section 7.7, even an empty Target matches any request. Also, I think that rows 1 and 3 that begin with At least one rule ... do not apply since there are zero Rules in the use case we are discussing. Since those rows are the only places that cause the rule-combining algorithm to  be invoked, I think we can assume that even combining algorithms, such as Deny-unless -permit (section C.6) or Permit-unless-deny (section C.7) will not get invoked. Therefore, the only thing that is left is row 2, which states: All Rule values are NotApplicable . I believe this statement is TRUE, because in order to be false there must be at least one Rule which has a value other than NotApplicable , which is FALSE, and therefore the statement is TRUE. Therefore, a Policy w no Rules must evaluate to NotApplicable. QED. :)     Thanks,     Rich

Erik, From: xacml@lists.oasis-open.org [ mailto:xacml@lists.oasis-open.org ] On Behalf Of Erik Rissanen Sent: Friday, February 24, 2012 10:12 AM To: xacml@lists.oasis-open.org Subject: Re: [xacml] Comment on issue 8? "choice element" or "Policy w no Rules" > The current table looks like this: > > Target    Rule values     Policy Value > “Match”    Don’t care    Specified by the rule-combining algorithm > “No-match”    Don’t care    “NotApplicable” > “Indeterminate”    See Table 7 See Table 7 > > The change was introduced in wd 20 in order to make sure the new combining algorithms were always > invoked. It would be confusing if a policy with permit-unless-deny could return not-applicable since > this algorithm was specifically introduced to guarantee that N/A or Indeterminate are never returned. Granted, but it's more confusing to me that a Policy without any Rules has any impact on the decision at all. BTW, section 3.3, Policy Language Model, states that a Policy should have 1..* Rules. Oddly, this section states that a PolicySet should have 0..* Policies. Thanks, Ray

See comments below. >
Original Message----- > From: xacml@lists.oasis-open.org [ mailto:xacml@lists.oasis-open.org ] On > Behalf Of remon.sinnema@emc.com > Sent: Friday, 24 February, 2012 07:48 > To: erik@axiomatics.com > Cc: xacml@lists.oasis-open.org > Subject: RE: [xacml] Comment on issue 8? "choice element" or "Policy w > no Rules" > > Erik, > > > From: xacml@lists.oasis-open.org [ mailto:xacml@lists.oasis-open.org ] On > Behalf Of Erik Rissanen > Sent: Friday, February 24, 2012 10:12 AM > To: xacml@lists.oasis-open.org > Subject: Re: [xacml] Comment on issue 8? "choice element" or "Policy w > no Rules" > > > The current table looks like this: > > > > Target    Rule values     Policy Value > > “Match”    Don’t care    Specified by the rule-combining algorithm > > “No-match”    Don’t care    “NotApplicable” > > “Indeterminate”    See Table 7 See Table 7 > > > > The change was introduced in wd 20 in order to make sure the new > combining algorithms were always > > invoked. It would be confusing if a policy with permit-unless-deny > could return not-applicable since > > this algorithm was specifically introduced to guarantee that N/A or > Indeterminate are never returned. > > Granted, but it's more confusing to me that a Policy without any Rules > has any impact on the decision at all. [pht] I agree it is initially confusing, but once you understand that the combining algorithm controls the final result, regardless of the syntactic content (or even, in some cases, the evaluated results of the content), it is the most consistent way to specify the behavior. > > BTW, section 3.3, Policy Language Model, states that a Policy should > have 1..* Rules. Oddly, this section states that a PolicySet should > have 0..* Policies. [pht] This should be corrected if it differs from the schema. > > > Thanks, > Ray

On 2012-02-24 14:48, remon.sinnema@emc.com wrote: Erik, From: xacml@lists.oasis-open.org [ mailto:xacml@lists.oasis-open.org ] On Behalf Of Erik Rissanen Sent: Friday, February 24, 2012 10:12 AM To: xacml@lists.oasis-open.org Subject: Re: [xacml] Comment on issue 8? "choice element" or "Policy w no Rules" The current table looks like this: Target Rule values Policy Value “Match” Don’t care Specified by the rule-combining algorithm “No-match” Don’t care “NotApplicable” “Indeterminate” See Table 7 See Table 7 The change was introduced in wd 20 in order to make sure the new combining algorithms were always invoked. It would be confusing if a policy with permit-unless-deny could return not-applicable since this algorithm was specifically introduced to guarantee that N/A or Indeterminate are never returned. Granted, but it's more confusing to me that a Policy without any Rules has any impact on the decision at all. Hi Ray, I would also think it this is pretty confusing: ;-) Empty policy, with permit-unless-deny -> N/A Add a rule to this policy, which does not match the request -> Permit BTW, section 3.3, Policy Language Model, states that a Policy should have 1..* Rules. Oddly, this section states that a PolicySet should have 0..* Policies. I think there probably has been confusion in the past about whether a policy should be allowed to be empty. In my opinion it is useful so an empty policy can be there as a place holder for future rules or as a special case result from an automatic process which constructs the policy. In the past at some meeting I think Hal said that the motivation for the 0..* for policyset has been this. I think that the same should apply to a policy. But since the schema looks a bit odd, it could be accidental. Best regards, Erik Thanks, Ray

Hi Erik, It looks to me like there has been a subtle shift of emphasis from the contents of the Policy determining the Decision to the combining algorithm becoming more active in coming to a Decision regardless of what's contained in the Policy. This is not necessarily a bad thing, but it is a shift of emphasis when considering Policy evaluation. In fact, it is probably a good thing, because the algorithm can clearly state what all the special cases are and we don't have to rely on a bottom up analysis of the individual Rules. So, the bottom line is that the value of a Policy is equal to either a value of NotApplicable or Indeterminate returned from Target evaluation, or a value determined by the rule-combining algorithm applied to a set of Rule nodes, which may have length 0->n. Personally, I think it is important in this situation that each combining algorithm explicitly state its intent wrt to 0-length arrays, or at least there should be an introductory section to the combining algorithm section that makes this situation clear. i.e. there is a specific argument passed to the combining algorithm (Node[] children, where Node can be either Rule or Policy) and the details of what this argument can contain and how the algorithm behaves based on that should be clear.     Thanks,     Rich On 2/24/2012 4:12 AM, Erik Rissanen wrote: Rich, You are reading an old version of the spec. The current table looks like this: Target    Rule values     Policy Value “Match”    Don’t care    Specified by the rule-combining algorithm “No-match”    Don’t care    “NotApplicable” “Indeterminate”    See Table 7 See Table 7 The change was introduced in wd 20 in order to make sure the new combining algorithms were always invoked. It would be confusing if a policy with permit-unless-deny could return not-applicable since this algorithm was specifically introduced to guarantee that N/A or Indeterminate are never returned. Best regards, Erik On 2012-02-23 21:58, rich levinson wrote: To TC: To collect the info from today's discussion, which was ref'd in the Feb 9 minutes: the latest email I thought Erik and I had agreement that a statement would be made in the implementor's guide that a Policy w no Rules may be ignored  by developers: http://lists.oasis-open.org/archives/xacml/201202/msg00000.html It would seem to me that at a minimum, we could include an advisory note to developers that a PDP may ignore a Policy that contains no Rules, since there is no point from a XACML functional perspective to provide any logic to do anything specific with such Policies. Such an approach would remove any questions from developers, and could leave the schema unchanged. During today's discussion, the notion was introduced that somehow a combining algorithm could effectively introduce a decision despite the fact that there were no Rules in the Policy. However, I think that interpretation is wrong for the following reason. For Policy evaluation, we have to refer to section 7.11 Policy Evaluation . According to Table 5 there, the following is normative behavior: The policy truth table is shown in Table 5. Target Rule values Policy Value “Match” At least one rule value is its Effect Specified by the rule-combining algorithm “Match” All rule values are “NotApplicable” “NotApplicable” “Match” At least one rule value is “Indeterminate” Specified by the rule-combining algorithm “No-match” Don?t care “NotApplicable” “Indeterminate” Don?t care “Indeterminate” Table 5 Policy truth table I think we can agree that the Target is a Match , since, by section 7.7, even an empty Target matches any request. Also, I think that rows 1 and 3 that begin with At least one rule ... do not apply since there are zero Rules in the use case we are discussing. Since those rows are the only places that cause the rule-combining algorithm to  be invoked, I think we can assume that even combining algorithms, such as Deny-unless -permit (section C.6) or Permit-unless-deny (section C.7) will not get invoked. Therefore, the only thing that is left is row 2, which states: All Rule values are NotApplicable . I believe this statement is TRUE, because in order to be false there must be at least one Rule which has a value other than NotApplicable , which is FALSE, and therefore the statement is TRUE. Therefore, a Policy w no Rules must evaluate to NotApplicable. QED. :)     Thanks,     Rich

Hi again, Erik, One lingering question I have about your comment: It would be confusing if a policy with permit-unless-deny  could return not-applicable since this algorithm was specifically  introduced to guarantee that N/A or Indeterminate are  never returned. According to the table that you referred to in the current spec, that you included in your email, it appears to me that if the Target evaluates to No-Match or Indeterminate then the Policy can return NotApplicable or a variety of Indeterminate s. As usual, I expect I have missed something, but Table 5 looks pretty definitive to me.     Thanks,     Rich On 2/24/2012 12:08 PM, rich levinson wrote: Hi Erik, It looks to me like there has been a subtle shift of emphasis from the contents of the Policy determining the Decision to the combining algorithm becoming more active in coming to a Decision regardless of what's contained in the Policy. This is not necessarily a bad thing, but it is a shift of emphasis when considering Policy evaluation. In fact, it is probably a good thing, because the algorithm can clearly state what all the special cases are and we don't have to rely on a bottom up analysis of the individual Rules. So, the bottom line is that the value of a Policy is equal to either a value of NotApplicable or Indeterminate returned from Target evaluation, or a value determined by the rule-combining algorithm applied to a set of Rule nodes, which may have length 0->n. Personally, I think it is important in this situation that each combining algorithm explicitly state its intent wrt to 0-length arrays, or at least there should be an introductory section to the combining algorithm section that makes this situation clear. i.e. there is a specific argument passed to the combining algorithm (Node[] children, where Node can be either Rule or Policy) and the details of what this argument can contain and how the algorithm behaves based on that should be clear.     Thanks,     Rich On 2/24/2012 4:12 AM, Erik Rissanen wrote: Rich, You are reading an old version of the spec. The current table looks like this: Target    Rule values     Policy Value “Match”    Don’t care    Specified by the rule-combining algorithm “No-match”    Don’t care    “NotApplicable” “Indeterminate”    See Table 7 See Table 7 The change was introduced in wd 20 in order to make sure the new combining algorithms were always invoked. It would be confusing if a policy with permit-unless-deny could return not-applicable since this algorithm was specifically introduced to guarantee that N/A or Indeterminate are never returned. Best regards, Erik On 2012-02-23 21:58, rich levinson wrote: To TC: To collect the info from today's discussion, which was ref'd in the Feb 9 minutes: the latest email I thought Erik and I had agreement that a statement would be made in the implementor's guide that a Policy w no Rules may be ignored  by developers: http://lists.oasis-open.org/archives/xacml/201202/msg00000.html It would seem to me that at a minimum, we could include an advisory note to developers that a PDP may ignore a Policy that contains no Rules, since there is no point from a XACML functional perspective to provide any logic to do anything specific with such Policies. Such an approach would remove any questions from developers, and could leave the schema unchanged. During today's discussion, the notion was introduced that somehow a combining algorithm could effectively introduce a decision despite the fact that there were no Rules in the Policy. However, I think that interpretation is wrong for the following reason. For Policy evaluation, we have to refer to section 7.11 Policy Evaluation . According to Table 5 there, the following is normative behavior: The policy truth table is shown in Table 5. Target Rule values Policy Value “Match” At least one rule value is its Effect Specified by the rule-combining algorithm “Match” All rule values are “NotApplicable” “NotApplicable” “Match” At least one rule value is “Indeterminate” Specified by the rule-combining algorithm “No-match” Don?t care “NotApplicable” “Indeterminate” Don?t care “Indeterminate” Table 5 Policy truth table I think we can agree that the Target is a Match , since, by section 7.7, even an empty Target matches any request. Also, I think that rows 1 and 3 that begin with At least one rule ... do not apply since there are zero Rules in the use case we are discussing. Since those rows are the only places that cause the rule-combining algorithm to  be invoked, I think we can assume that even combining algorithms, such as Deny-unless -permit (section C.6) or Permit-unless-deny (section C.7) will not get invoked. Therefore, the only thing that is left is row 2, which states: All Rule values are NotApplicable . I believe this statement is TRUE, because in order to be false there must be at least one Rule which has a value other than NotApplicable , which is FALSE, and therefore the statement is TRUE. Therefore, a Policy w no Rules must evaluate to NotApplicable. QED. :)     Thanks,     Rich

Hi Rich, You are right about that. I think of the target as something to whether to apply the policy at all. If it applies, then the combining algorithm happens. So, yes, my statement was incorrect regarding the policy as a whole. Typically one would put an open target in cases where one wants to eliminate all N/A or Indeterminates. But I do think this is the right way. It's simple and useful. It would get more complex if one took in the target into the combining algorithm, so it not only has to combine decisions from its children, but also the target. Best regards, Erik On 2012-02-25 00:28, rich levinson wrote: Hi again, Erik, One lingering question I have about your comment: It would be confusing if a policy with permit-unless-deny  could return not-applicable since this algorithm was specifically  introduced to guarantee that N/A or Indeterminate are  never returned. According to the table that you referred to in the current spec, that you included in your email, it appears to me that if the Target evaluates to No-Match or Indeterminate then the Policy can return NotApplicable or a variety of Indeterminate s. As usual, I expect I have missed something, but Table 5 looks pretty definitive to me.     Thanks,     Rich On 2/24/2012 12:08 PM, rich levinson wrote: Hi Erik, It looks to me like there has been a subtle shift of emphasis from the contents of the Policy determining the Decision to the combining algorithm becoming more active in coming to a Decision regardless of what's contained in the Policy. This is not necessarily a bad thing, but it is a shift of emphasis when considering Policy evaluation. In fact, it is probably a good thing, because the algorithm can clearly state what all the special cases are and we don't have to rely on a bottom up analysis of the individual Rules. So, the bottom line is that the value of a Policy is equal to either a value of NotApplicable or Indeterminate returned from Target evaluation, or a value determined by the rule-combining algorithm applied to a set of Rule nodes, which may have length 0->n. Personally, I think it is important in this situation that each combining algorithm explicitly state its intent wrt to 0-length arrays, or at least there should be an introductory section to the combining algorithm section that makes this situation clear. i.e. there is a specific argument passed to the combining algorithm (Node[] children, where Node can be either Rule or Policy) and the details of what this argument can contain and how the algorithm behaves based on that should be clear.     Thanks,     Rich On 2/24/2012 4:12 AM, Erik Rissanen wrote: Rich, You are reading an old version of the spec. The current table looks like this: Target    Rule values     Policy Value “Match”    Don’t care    Specified by the rule-combining algorithm “No-match”    Don’t care    “NotApplicable” “Indeterminate”    See Table 7 See Table 7 The change was introduced in wd 20 in order to make sure the new combining algorithms were always invoked. It would be confusing if a policy with permit-unless-deny could return not-applicable since this algorithm was specifically introduced to guarantee that N/A or Indeterminate are never returned. Best regards, Erik On 2012-02-23 21:58, rich levinson wrote: To TC: To collect the info from today's discussion, which was ref'd in the Feb 9 minutes: the latest email I thought Erik and I had agreement that a statement would be made in the implementor's guide that a Policy w no Rules may be ignored  by developers: http://lists.oasis-open.org/archives/xacml/201202/msg00000.html It would seem to me that at a minimum, we could include an advisory note to developers that a PDP may ignore a Policy that contains no Rules, since there is no point from a XACML functional perspective to provide any logic to do anything specific with such Policies. Such an approach would remove any questions from developers, and could leave the schema unchanged. During today's discussion, the notion was introduced that somehow a combining algorithm could effectively introduce a decision despite the fact that there were no Rules in the Policy. However, I think that interpretation is wrong for the following reason. For Policy evaluation, we have to refer to section 7.11 Policy Evaluation . According to Table 5 there, the following is normative behavior: The policy truth table is shown in Table 5. Target Rule values Policy Value “Match” At least one rule value is its Effect Specified by the rule-combining algorithm “Match” All rule values are “NotApplicable” “NotApplicable” “Match” At least one rule value is “Indeterminate” Specified by the rule-combining algorithm “No-match” Don?t care “NotApplicable” “Indeterminate” Don?t care “Indeterminate” Table 5 Policy truth table I think we can agree that the Target is a Match , since, by section 7.7, even an empty Target matches any request. Also, I think that rows 1 and 3 that begin with At least one rule ... do not apply since there are zero Rules in the use case we are discussing. Since those rows are the only places that cause the rule-combining algorithm to  be invoked, I think we can assume that even combining algorithms, such as Deny-unless -permit (section C.6) or Permit-unless-deny (section C.7) will not get invoked. Therefore, the only thing that is left is row 2, which states: All Rule values are NotApplicable . I believe this statement is TRUE, because in order to be false there must be at least one Rule which has a value other than NotApplicable , which is FALSE, and therefore the statement is TRUE. Therefore, a Policy w no Rules must evaluate to NotApplicable. QED. :)     Thanks,     Rich

Rich, I just reviewed the combining algorithm specifications and they are all fine with empty input. They basically have a structure by which some state variables are set to default values, then a loop iterates over the children. In case there are no children, the loop body is never executed and the decision is returned based on the default state of the variables in the algorithm, and the decision is correct for each algorithm. So the normative descriptions are perfectly fine. What I will do is to add to the non-normative descriptions the special case of no children. Best regards, Erik On 2012-02-24 18:08, rich levinson wrote: Hi Erik, It looks to me like there has been a subtle shift of emphasis from the contents of the Policy determining the Decision to the combining algorithm becoming more active in coming to a Decision regardless of what's contained in the Policy. This is not necessarily a bad thing, but it is a shift of emphasis when considering Policy evaluation. In fact, it is probably a good thing, because the algorithm can clearly state what all the special cases are and we don't have to rely on a bottom up analysis of the individual Rules. So, the bottom line is that the value of a Policy is equal to either a value of NotApplicable or Indeterminate returned from Target evaluation, or a value determined by the rule-combining algorithm applied to a set of Rule nodes, which may have length 0->n. Personally, I think it is important in this situation that each combining algorithm explicitly state its intent wrt to 0-length arrays, or at least there should be an introductory section to the combining algorithm section that makes this situation clear. i.e. there is a specific argument passed to the combining algorithm (Node[] children, where Node can be either Rule or Policy) and the details of what this argument can contain and how the algorithm behaves based on that should be clear.     Thanks,     Rich On 2/24/2012 4:12 AM, Erik Rissanen wrote: Rich, You are reading an old version of the spec. The current table looks like this: Target    Rule values     Policy Value “Match”    Don’t care    Specified by the rule-combining algorithm “No-match”    Don’t care    “NotApplicable” “Indeterminate”    See Table 7 See Table 7 The change was introduced in wd 20 in order to make sure the new combining algorithms were always invoked. It would be confusing if a policy with permit-unless-deny could return not-applicable since this algorithm was specifically introduced to guarantee that N/A or Indeterminate are never returned. Best regards, Erik On 2012-02-23 21:58, rich levinson wrote: To TC: To collect the info from today's discussion, which was ref'd in the Feb 9 minutes: the latest email I thought Erik and I had agreement that a statement would be made in the implementor's guide that a Policy w no Rules may be ignored  by developers: http://lists.oasis-open.org/archives/xacml/201202/msg00000.html It would seem to me that at a minimum, we could include an advisory note to developers that a PDP may ignore a Policy that contains no Rules, since there is no point from a XACML functional perspective to provide any logic to do anything specific with such Policies. Such an approach would remove any questions from developers, and could leave the schema unchanged. During today's discussion, the notion was introduced that somehow a combining algorithm could effectively introduce a decision despite the fact that there were no Rules in the Policy. However, I think that interpretation is wrong for the following reason. For Policy evaluation, we have to refer to section 7.11 Policy Evaluation . According to Table 5 there, the following is normative behavior: The policy truth table is shown in Table 5. Target Rule values Policy Value “Match” At least one rule value is its Effect Specified by the rule-combining algorithm “Match” All rule values are “NotApplicable” “NotApplicable” “Match” At least one rule value is “Indeterminate” Specified by the rule-combining algorithm “No-match” Don?t care “NotApplicable” “Indeterminate” Don?t care “Indeterminate” Table 5 Policy truth table I think we can agree that the Target is a Match , since, by section 7.7, even an empty Target matches any request. Also, I think that rows 1 and 3 that begin with At least one rule ... do not apply since there are zero Rules in the use case we are discussing. Since those rows are the only places that cause the rule-combining algorithm to  be invoked, I think we can assume that even combining algorithms, such as Deny-unless -permit (section C.6) or Permit-unless-deny (section C.7) will not get invoked. Therefore, the only thing that is left is row 2, which states: All Rule values are NotApplicable . I believe this statement is TRUE, because in order to be false there must be at least one Rule which has a value other than NotApplicable , which is FALSE, and therefore the statement is TRUE. Therefore, a Policy w no Rules must evaluate to NotApplicable. QED. :)     Thanks,     Rich

Rich, I also had a look at the non-normative descriptions, and they are also correct. They are written as if any decision is ... then ... and at the end there is otherwise the decision is NotApplicable . This means that they always fall back to the Otherwise... clause at the end for the case of no children. So they should be fine as they are. Could you please have a look at the text and let me know if you think this needs to be clarified any further, or whether we can leave it all like it is. Best regards, Erik On 2012-02-28 13:41, Erik Rissanen wrote: Rich, I just reviewed the combining algorithm specifications and they are all fine with empty input. They basically have a structure by which some state variables are set to default values, then a loop iterates over the children. In case there are no children, the loop body is never executed and the decision is returned based on the default state of the variables in the algorithm, and the decision is correct for each algorithm. So the normative descriptions are perfectly fine. What I will do is to add to the non-normative descriptions the special case of no children. Best regards, Erik On 2012-02-24 18:08, rich levinson wrote: Hi Erik, It looks to me like there has been a subtle shift of emphasis from the contents of the Policy determining the Decision to the combining algorithm becoming more active in coming to a Decision regardless of what's contained in the Policy. This is not necessarily a bad thing, but it is a shift of emphasis when considering Policy evaluation. In fact, it is probably a good thing, because the algorithm can clearly state what all the special cases are and we don't have to rely on a bottom up analysis of the individual Rules. So, the bottom line is that the value of a Policy is equal to either a value of NotApplicable or Indeterminate returned from Target evaluation, or a value determined by the rule-combining algorithm applied to a set of Rule nodes, which may have length 0->n. Personally, I think it is important in this situation that each combining algorithm explicitly state its intent wrt to 0-length arrays, or at least there should be an introductory section to the combining algorithm section that makes this situation clear. i.e. there is a specific argument passed to the combining algorithm (Node[] children, where Node can be either Rule or Policy) and the details of what this argument can contain and how the algorithm behaves based on that should be clear.     Thanks,     Rich On 2/24/2012 4:12 AM, Erik Rissanen wrote: Rich, You are reading an old version of the spec. The current table looks like this: Target    Rule values     Policy Value “Match”    Don’t care    Specified by the rule-combining algorithm “No-match”    Don’t care    “NotApplicable” “Indeterminate”    See Table 7 See Table 7 The change was introduced in wd 20 in order to make sure the new combining algorithms were always invoked. It would be confusing if a policy with permit-unless-deny could return not-applicable since this algorithm was specifically introduced to guarantee that N/A or Indeterminate are never returned. Best regards, Erik On 2012-02-23 21:58, rich levinson wrote: To TC: To collect the info from today's discussion, which was ref'd in the Feb 9 minutes: the latest email I thought Erik and I had agreement that a statement would be made in the implementor's guide that a Policy w no Rules may be ignored  by developers: http://lists.oasis-open.org/archives/xacml/201202/msg00000.html It would seem to me that at a minimum, we could include an advisory note to developers that a PDP may ignore a Policy that contains no Rules, since there is no point from a XACML functional perspective to provide any logic to do anything specific with such Policies. Such an approach would remove any questions from developers, and could leave the schema unchanged. During today's discussion, the notion was introduced that somehow a combining algorithm could effectively introduce a decision despite the fact that there were no Rules in the Policy. However, I think that interpretation is wrong for the following reason. For Policy evaluation, we have to refer to section 7.11 Policy Evaluation . According to Table 5 there, the following is normative behavior: The policy truth table is shown in Table 5. Target Rule values Policy Value “Match” At least one rule value is its Effect Specified by the rule-combining algorithm “Match” All rule values are “NotApplicable” “NotApplicable” “Match” At least one rule value is “Indeterminate” Specified by the rule-combining algorithm “No-match” Don?t care “NotApplicable” “Indeterminate” Don?t care “Indeterminate” Table 5 Policy truth table I think we can agree that the Target is a Match , since, by section 7.7, even an empty Target matches any request. Also, I think that rows 1 and 3 that begin with At least one rule ... do not apply since there are zero Rules in the use case we are discussing. Since those rows are the only places that cause the rule-combining algorithm to  be invoked, I think we can assume that even combining algorithms, such as Deny-unless -permit (section C.6) or Permit-unless-deny (section C.7) will not get invoked. Therefore, the only thing that is left is row 2, which states: All Rule values are NotApplicable . I believe this statement is TRUE, because in order to be false there must be at least one Rule which has a value other than NotApplicable , which is FALSE, and therefore the statement is TRUE. Therefore, a Policy w no Rules must evaluate to NotApplicable. QED. :)     Thanks,     Rich