

Subject: Re: [xacml] [schema] PDP response where no policy applies



I have the same opinion. From the PDP viewpoint, I think the PDP should return
permit or deny as a final decision. So, this Indeterminate case would need
a denial decision. I think this is a "default denial policy". (I think a
default permit policy is too dangerous to implement, but some applications
may need that.) It would be wise to add some reason, e.g. "because of
indeterminate", as an advice (or as some status code). My thought is that
this is NOT mandatory to implement. Anyway, it is helpful when you are
debugging the policy to see whether it is caused by insufficient target
matching or strict access denial. (I think we discussed this topic a long
time ago.) If so, we need two different combination algorithms, one for
rules and another for policyStatement/policySetStatement that finally
returns denial.

Michiharu

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428




From:     Anne Anderson <Anne.Anderson@Sun.com>
To:       XACML TC <xacml@lists.oasis-open.org>
cc:
Subject:  [xacml] [schema] PDP response where no policy applies
Date:     2002/07/27 03:23
Please respond to Anne.Anderson



If absolutely none of its policies applies, then is the PDP
obligated to return Indeterminate(Inapplicable)?

If the PDP wants to return Deny if no policies apply, does it
have to define a base policy with a DenyOverrides rule?

We should spell this sort of behavior out in the spec.

Anne
--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
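
An added illustration, not part of the original thread or of the XACML specification: a simplified sketch of the two-level combining proposed in the reply above, where rule results may stay Inapplicable or Indeterminate but the policy-level combiner always ends in Permit or Deny and records why. The function names, reason strings and sample rules are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, Optional

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    INAPPLICABLE = "Inapplicable"    # no target matched
    INDETERMINATE = "Indeterminate"  # evaluation failed, e.g. missing attribute

@dataclass(frozen=True)
class Response:
    decision: Decision
    reason: Optional[str] = None  # constructed advisory string, aids policy debugging

Rule = Callable[[dict], Decision]  # assumed model: request attributes -> Decision

def combine_rules(rules: Iterable[Rule], request: dict) -> Decision:
    """Rule-level combiner: Deny wins, then Indeterminate, then Permit."""
    seen = set()
    for rule in rules:
        try:
            seen.add(rule(request))
        except KeyError:  # a required attribute is absent from the request
            seen.add(Decision.INDETERMINATE)
    for d in (Decision.DENY, Decision.INDETERMINATE, Decision.PERMIT):
        if d in seen:
            return d
    return Decision.INAPPLICABLE

def final_decision(policies: Iterable[Iterable[Rule]], request: dict) -> Response:
    """Policy-level combiner: always ends in Permit or Deny (default deny)."""
    results = [combine_rules(p, request) for p in policies]
    if Decision.DENY in results:
        return Response(Decision.DENY, "explicit-deny")
    if Decision.INDETERMINATE in results:
        return Response(Decision.DENY, "because-of-indeterminate")
    if Decision.PERMIT in results:
        return Response(Decision.PERMIT)
    return Response(Decision.DENY, "no-applicable-policy")

# Constructed sample policy: doctors may read records; nobody may delete.
def doctors_read(req: dict) -> Decision:
    if req["action"] != "read":
        return Decision.INAPPLICABLE
    return Decision.PERMIT if req["role"] == "doctor" else Decision.INAPPLICABLE

def no_delete(req: dict) -> Decision:
    return Decision.DENY if req["action"] == "delete" else Decision.INAPPLICABLE
POLICIES = [[doctors_read, no_delete]]
```

The three Deny outcomes carry different reasons, which separates insufficient target matching from a strict denial when a policy is being debugged.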

