search

oasis-tcs / xacml-spec

OASIS XACML TC: List for tracking issues and features for the OASIS XACML TC. https://github.com/oasis-tcs/xacml-spec
Other
4 stars 1 forks source link

Make the n-of function determinate. #24

Open steven-legg opened 5 months ago

steven-legg commented 5 months ago

It really annoys me (in particular because it thwarts my attempts at efficient policy indexing) that the n-of function evaluates to Indeterminate if the first argument (an integer) is greater than the number of remaining Boolean arguments . Clearly something like 6 out of 5 (remaining arguments) can't be satisfied even if they are all True, so the overall result ought to be False rather than Indeterminate. The definition of the function is also quiet about N < 0. I would say that N <= 0 will always result in True.

The URI is:

urn:oasis:names:tc:xacml:1.0:function:n-of

A revised function could be added to both XACML 3.0 and XACML 4.0

urn:oasis:names:tc:xacml:3.0:function:n-of

and the old definition retained for backward compatibility.

humantypo commented 5 months ago

If I recall correctly, it was decided that Indeterminate was the appropriate response because the Policy is technically invalid and that since Policy validation was deemed an implementation issue, this was the only way to "call out" in the spec. Not advocating that we keep it that way, just context...