Just for the illustration purpose, I scanned briefly the current version of OCL -- v1.4 (http://www.omg.org/cgi-bin/doc?formal/01-09-77) and tried to create an OCL equivalent of the psudo code accompanying the proposed resolution for PM-1-01-A (http://lists.oasis-open.org/archives/xacml/200203/msg00093.html). This is what I got:

GLOBAL DENY RULE COMBINER in an ad hoc Java-like language:

------------------------------------------ for <rule> in <ruleSet> { boolean atLeastOnePermit = false; effect = eval(<rule>); if (effect == "deny" || effect == "indeterminate") { return "deny"; } else if (effect == "permit") { atLeastOnePermit = true; } } if (atLeastOnePermit) { return "permit"; } else { return "not applicable"; }

-----------------------------------

GLOBAL DENY RULE COMBINER in OCL

----------------------------- package XACML context GlobalDenyRuleCombiner::combine(rules : RuleSet) : Effect post: if ruleSet.rule->exists(effect = Effect::deny or effect = Effect::indeterminate) then result = Effect::deny else if ruleSet.rule->exists(effect = Effect::permit) then result = Effect::permit else result = Effect::notapplicable endif endif endpackage

------------------------------ I'm sure there are some errors in my example. But this is just to give everybody else some idea about OCL. However, an OCL checker (http://www.klasse.nl/ocl/ocl-checker-text.html) that checks syntax exists and can be used for XACML work, I believe. Plus software vendors provide some support as well.

Unless there are any strong objections I propose to resolve issue PM-3-04 (Pseudo Code for Combiner Algorithms) with the following text:

Proposed Resolution: Object Constraint Language (OCL) v1.4, as specified in [OMG formal/01-09-77], should be used to describe any mandatory-to-implement combiner algorithms.

Regards Konstantin