Subject: Section 7.2 Base policy (was A single tree?)
I think "Section 7. Functional requirements", "7.2 Base policy" can be clarified. Here are the essential points:

1) PolicyCombiningAlgorithm is the only defined way for a PDP to deal with multiple PolicySet or Policy instances. This means the PDP's ultimate evaluation interface can only evaluate one PolicySet or Policy for a given Request.

2) We do not want to constrain where or how this one applicable PolicySet or Policy is created. It might be created by the policy authoring mechanism, by the policy storage mechanism, by the policy indexing mechanism, or by the policy retrieval mechanism.

3) For well-defined behavior, we need to define a default for the case where multiple Policy or PolicySet instances apply.

Here is a suggested wording:

A PDP SHALL evaluate only one Policy or PolicySet instance with respect to any given Request Context. This specification does not constrain how or when this single Policy or PolicySet is created, selected, retrieved, or represented. Among other solutions, a policy authoring and storage mechanism MAY ensure that there is only one applicable policy that can be retrieved for any given Request; or, a policy retrieval mechanism MAY construct a single PolicySet having a specified Policy Combining Algorithm dynamically from all applicable policies in the repository.

If for some reason more than one Policy or PolicySet is applicable to a given Request at the point where the Policy or PolicySet instances must be evaluated by the PDP, the default behavior of the PDP SHALL be to return a result of "Indeterminate".

Anne Anderson

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
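
The default proposed in the message above, as an added sketch that is not part of the original message or of the specification text: a PDP entry point that evaluates exactly one instance and returns "Indeterminate" when handed several, next to a retrieval step that wraps the applicable policies into a single PolicySet first. The attribute-equality target matching, the simplified deny-overrides function, the "NotApplicable" result for zero applicable policies, and all names and sample policies are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

@dataclass
class Policy:
    policy_id: str
    target: dict   # simplified target: attribute -> required value
    effect: str    # decision returned when the target matches

    def applies(self, request):
        return all(request.get(k) == v for k, v in self.target.items())

    def evaluate(self, request):
        return self.effect if self.applies(request) else NOT_APPLICABLE

@dataclass
class PolicySet:
    children: list
    combine: Callable  # the policy combining algorithm

    def evaluate(self, request):
        return self.combine([c.evaluate(request) for c in self.children])

def deny_overrides(decisions):
    # Simplified for this sketch: any Deny wins, then any Permit.
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

def retrieve_raw(repo, request):
    """Retrieval that hands every applicable policy to the PDP unchanged."""
    return [p for p in repo if p.applies(request)]

def retrieve_combined(repo, request, combine=deny_overrides):
    """Retrieval that builds one PolicySet when several policies apply."""
    hits = retrieve_raw(repo, request)
    return [PolicySet(hits, combine)] if len(hits) > 1 else hits

def pdp_evaluate(applicable, request):
    """Evaluate exactly one instance; more than one is Indeterminate."""
    if len(applicable) > 1:
        return INDETERMINATE
    if not applicable:
        return NOT_APPLICABLE  # assumption: the message does not cover this case
    return applicable[0].evaluate(request)

# Constructed sample data, not taken from the thread.
REPO = [Policy("permit-doctors", {"role": "doctor"}, PERMIT),
        Policy("deny-night-shift", {"shift": "night"}, DENY)]
NIGHT = {"role": "doctor", "shift": "night"}
DAY = {"role": "doctor", "shift": "day"}
```

With the constructed `NIGHT` request both policies apply, so the raw retrieval path yields "Indeterminate" while the combined path yields the deny-overrides result.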