xacml-implement-guide-3.0-02-05.doc Details

Document Details
Title XACML Implementor's Guide Version 3.0
Name XACML Implementor's Guide Version 3.0 (120K)
Description This is a first draft to re-establish the long-discussed Implementor's Guide, which was started early in the history of the TC: http://www.oasis-open.org/committees/xacml/repository/xacml-implement-guide-1.1.doc, but has not had attention directly paid to it in several years.

The reason for resurrecting it now is to explain the situation with the combining algorithms that has been discussed recently in the TC. The issues are subtle (and the doc has a ref in it that points to other efforts that have been made to address this issue, which I just "discovered", so it gives us a reference point for further exploration).

However, the description currently in the document is intended to fully explain the issue to implementors and users alike, and should be useful for fielding future questions about these algorithms as well as providing a platform for addressing additional aspects of the issue plus addressing other issues as well, as the need and motivation to resolve arise.

At this point, the suggestion is to maintain the document in the manner of the original, and, as such, it is written using the original as the basis and change bars are with respect to the original.
Group OASIS eXtensible Access Control Markup Language (XACML) TC
Folder repository
Submitter Rich Levinson
Date Submitted Monday, 30 May 2011 04:09pm
Document State Draft (A preliminary unapproved sketch, outline, or version.)
Access This document is visible to OASIS eXtensible Access Control Markup Language (XACML) TC and shared with:
  • OASIS Open (General Membership)
  • General Public

Document Revisions
Name # State Submitter Date Action
Rich Levinson
This doc
Rich Levinson

Subject & Text Submitter Date Action
Initial comment by submitter
This revision does not incorporate planned changes beyond wd-20, which will impact some of the combining alg discussion. Also, change bars are not included because of some distracting problems, but can be available on request.

This revision does add explanatory discussion about the referenced paper, which may prove useful background, in general, to the changes that have been made to the combining algorithms in 3.0. It also explains what appears to have been a flaw in the reasoning of the authors of the reference, regarding the "6-valued approach", which is the approach used in 3.0, and appears at present to be correct.

In particular, the fundamental change is to remove the 2.0 self-contradiction about Ind, which was, for example in deny-overrides, that D > Ind > P > Ind > NA at the Rule level, but that was lost at the Policy level, which resulted in scenarios where a Permit could be overridden by a Policy that could only return a Permit but was indeterminate, resulting in the return of a Deny, despite the fact that there was no possible way for Deny to be returned.

The new section explains the problems in the reference, and it explains with more clarity what the core model is for "combining".
Rich Levinson