[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Question on Combining Alg
Hi All, So I have an interesting question that I cannot find addressed in the spec. I feel silly even asking this, but: How should combining algorithms be handled when there is both a policySet as well as a policy defined. I take the example from the RSA interop example: <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"> <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"> <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"> I take this to be read as "Always return DENY" since: Policy 1 is evaluated, all rules are evaluated, and result is PERMIT , Policy 2 is evaluated, all rules are evaluated and result is NOT APPLICABLE Policy Combiner deny-unless-permit is applied leaving result as DENY. Policy Set combiner is evaluated deny-overrides : and since Policy 2 results in Deny, Even tho there is a a PERMIT from Policy 1, result should be DENY . Can someone explain to me where I am misunderstanding? Thanx Allan -- Simplify Email: Email
Charter
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]