12 messages in org.oasis-open.lists.xacml: [xacml] wd-20 policy evaluation description

From                 Sent On
Paul Tyson           May 26, 2011 9:47 am
Erik Rissanen        May 30, 2011 7:58 am
Tyson, Paul H        May 31, 2011 6:07 am
Erik Rissanen        May 31, 2011 7:57 am
Tyson, Paul H        May 31, 2011 8:39 am
remo...@emc.com      Jun 6, 2011 10:08 pm
Erik Rissanen        Jun 9, 2011 2:26 am
remo...@emc.com      Jun 10, 2011 12:51 am
Erik Rissanen        Jun 15, 2011 4:11 am
rich levinson        Jun 15, 2011 10:50 pm
Erik Rissanen        Jun 16, 2011 1:56 am
remo...@emc.com      Jun 16, 2011 2:10 am
Subject: [xacml] wd-20 policy evaluation description
From: Paul Tyson (phty@sbcglobal.net)
Date: May 26, 2011 9:47:02 am
List: org.oasis-open.lists.xacml

Hi Erik & all

I appreciate and admire the work Erik has done to put these late changes on a complicated topic into the 3.0 spec. But there are a couple of things that I would like to discuss.

The reworded first paragraphs under 7.12 and 7.13 are not clear enough. Some of the wording from the previous version should be preserved, to make it clear that the Target determines applicability of the policy, while the combining algorithm applied to the Rule or Policy[Set] children determines the result. The wd-20 wording leaves open the interpretation that the Target participates in the combining algorithm.

For 7.12 opening paragraphs I propose:

"The value of a policy SHALL be determined by its contents, considered in relation to the contents of the request context.

"The policy's target SHALL be evaluated to determine the applicability of the policy. If the target evaluates to "Match" then the value of the policy SHALL be determined by evaluating the policy's rules according to the specified rule combining algorithm. If the target evaluates to "No match" then the value of the policy shall be "Not Applicable". If the target evaluates to "Indeterminate", then the value of the policy shall be determined as if the policy's rules were evaluated according to the specified rule combining algorithm, and then transforming the result according to Table 7 (Section 7.14)."

For 7.13:

"The value of a policy set SHALL be determined by its contents, considered in relation to the contents of the request context.

"The policy set's target SHALL be evaluated to determine the applicability of the policy set. If the target evaluates to "Match" then the value of the policy set SHALL be determined by evaluating the child policies and policy sets according to the specified policy combining algorithm. If the target evaluates to "No match" then the value of the policy set shall be "Not Applicable". If the target evaluates to "Indeterminate", then the value of the policy set shall be determined as if the child policies and policy sets were evaluated according to the specified policy combining algorithm, and then transforming the result according to Table 7 (Section 7.14)."

On another point: The clarification that extended indeterminate values shall not be returned from the top-level evaluation leaves me confused, if all it does is return plain Indeterminate. I probably still don't fully understand the extended intermediate indeterminate values, because I don't see where an "Indeterminate{P}" is ever construed as "Permit" or an "Indeterminate{D}" as "Deny". The various indeterminate flavors simply bubble up through the policy evaluation process without influencing the results (except that {P} or {D} might become {DP}). I thought the purpose was to reduce the incidence of indeterminacy when a missing attribute, if supplied, would not change the decision. I won't belabor this point, but if someone has a simple explanation I would appreciate it. Otherwise I will study it further.

Regards, --Paul
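The evaluation order the message proposes for 7.12 and 7.13, written out as an added example for this page (it is not code from the thread, from any XACML implementation, or from the OASIS specification): the target decides applicability only, the combining algorithm decides the value, and an Indeterminate target transforms the combined value afterwards. The two combining algorithms and the contents of the transformation table are my assumptions taken from the published XACML 3.0 standard (deny-overrides and permit-overrides as in its Appendix C, and the Indeterminate-target table that corresponds to the "Table 7" the message cites); the exact wd-20 wording of that table is not reproduced on this page. The example also covers the case raised in the second point: under deny-overrides an Indeterminate{P} next to a Permit yields Permit, because a rule that could at most have permitted cannot change a deny-overrides outcome, while the same Indeterminate{P} next to an Indeterminate{D} yields Indeterminate{DP}. All sample policies are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Sequence, Union


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"          # plain form, returned at top level
    INDETERMINATE_P = "Indeterminate{P}"     # could only have been Permit
    INDETERMINATE_D = "Indeterminate{D}"     # could only have been Deny
    INDETERMINATE_DP = "Indeterminate{DP}"   # could have been either


class TargetResult(Enum):
    MATCH = "Match"
    NO_MATCH = "No match"
    INDETERMINATE = "Indeterminate"


D = Decision  # short alias


def deny_overrides(values: Sequence[Decision]) -> Decision:
    """Deny-overrides as in the published XACML 3.0 standard (assumed)."""
    s = set(values)
    if D.DENY in s:
        return D.DENY
    if D.INDETERMINATE_DP in s:
        return D.INDETERMINATE_DP
    if D.INDETERMINATE_D in s:
        # A Deny is still possible; with a Permit (or possible Permit) also
        # present the final outcome could go either way.
        if D.INDETERMINATE_P in s or D.PERMIT in s:
            return D.INDETERMINATE_DP
        return D.INDETERMINATE_D
    if D.PERMIT in s:
        # Indeterminate{P} is harmless here: it could at most add another Permit.
        return D.PERMIT
    if D.INDETERMINATE_P in s:
        return D.INDETERMINATE_P
    return D.NOT_APPLICABLE


def permit_overrides(values: Sequence[Decision]) -> Decision:
    """Permit-overrides, the mirror image of deny_overrides (assumed)."""
    s = set(values)
    if D.PERMIT in s:
        return D.PERMIT
    if D.INDETERMINATE_DP in s:
        return D.INDETERMINATE_DP
    if D.INDETERMINATE_P in s:
        if D.INDETERMINATE_D in s or D.DENY in s:
            return D.INDETERMINATE_DP
        return D.INDETERMINATE_P
    if D.DENY in s:
        return D.DENY
    if D.INDETERMINATE_D in s:
        return D.INDETERMINATE_D
    return D.NOT_APPLICABLE


# Transformation applied when the target is Indeterminate (the "Table 7"
# the message refers to; contents assumed from the published standard).
INDETERMINATE_TARGET = {
    D.NOT_APPLICABLE: D.NOT_APPLICABLE,
    D.PERMIT: D.INDETERMINATE_P,
    D.DENY: D.INDETERMINATE_D,
    D.INDETERMINATE_DP: D.INDETERMINATE_DP,
    D.INDETERMINATE_D: D.INDETERMINATE_D,
    D.INDETERMINATE_P: D.INDETERMINATE_P,
}


@dataclass
class Policy:
    """A Policy or PolicySet. Children are either already-evaluated rule
    values (Decision) or nested Policy objects (hypothetical model)."""
    target: TargetResult
    children: Sequence[Union[Decision, "Policy"]]
    combine: Callable[[Sequence[Decision]], Decision]


def evaluate(p: Policy) -> Decision:
    """Target decides applicability; the combining algorithm decides the value."""
    if p.target is TargetResult.NO_MATCH:
        return D.NOT_APPLICABLE
    values = [evaluate(c) if isinstance(c, Policy) else c for c in p.children]
    combined = p.combine(values)
    if p.target is TargetResult.MATCH:
        return combined
    # Indeterminate target: combine as if applicable, then transform.
    return INDETERMINATE_TARGET[combined]


def top_level(decision: Decision) -> Decision:
    """The PDP returns plain Indeterminate; extended forms stay internal."""
    if decision in (D.INDETERMINATE_P, D.INDETERMINATE_D, D.INDETERMINATE_DP):
        return D.INDETERMINATE
    return decision
```

A policy set whose inner policy has an Indeterminate target over a Permit rule evaluates to Indeterminate{P}; combined under deny-overrides with a sibling policy that permits, the set still evaluates to Permit, which is the point of carrying the extended value: the missing attribute could not have changed the answer. Only if the result reaches the PDP's top level as an extended Indeterminate does `top_level` collapse it to plain Indeterminate.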