Indeterminate Decisions
Missing Attributes
In the previous section, we considered that an attribute value must either be True or False, which means that the Policy Information Point (PIP) must always be able to retrieve the value of an attribute. However, in some cases, the PIP can fail to deliver information, for instance if the database is corrupted, or even if the PIP is offline. In this case, the access control system needs to be able to include this information when evaluating the policy. In the following, we consider that an attribute value can be True, False, or Unknown.
Rule
The evaluation of a rule is updated to include the case where an attribute is Unknown.
R: Decision if Target

evaluates to:

- Decision, if Target evaluates to True
- Not-Applicable, if Target evaluates to False
- Indeterminate(D), if Target evaluates to Unknown and Decision is Deny
- Indeterminate(P), if Target evaluates to Unknown and Decision is Permit
The Boolean operators used to build targets also need to handle Unknown values. XACML uses Strong Kleene logic, which resolves an Unknown operand whenever the other operand already determines the result (True for OR, False for AND).
| OR | True | False | Unknown |
|---|---|---|---|
| True | True | True | True |
| False | True | False | Unknown |
| Unknown | True | Unknown | Unknown |

| AND | True | False | Unknown |
|---|---|---|---|
| True | True | False | Unknown |
| False | False | False | False |
| Unknown | Unknown | False | Unknown |
Example
Let us now consider the previous example, but where attribute values can be Unknown. It is now possible for R1 to
evaluate to Indeterminate(D) and for R2 to evaluate to Indeterminate(P).
Try changing the OR to AND to explore the impact of Unknown on the logical operators.
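As an added worked example (not part of the original page), the three-valued operators and the rule evaluation above implemented in Python. The attribute names and the two rules R1 (Deny) and R2 (Permit) are constructed for illustration and are not the page's own example; only the Strong Kleene tables and the Indeterminate(D)/Indeterminate(P) cases come from the text.

```python
from enum import Enum


class TV(Enum):
    """Three-valued attribute result: the PIP returned True, False, or nothing (Unknown)."""
    TRUE = "True"
    FALSE = "False"
    UNKNOWN = "Unknown"


def k_or(a: TV, b: TV) -> TV:
    # Strong Kleene OR: a single True operand settles the result, even if the other is Unknown
    if TV.TRUE in (a, b):
        return TV.TRUE
    if a is TV.FALSE and b is TV.FALSE:
        return TV.FALSE
    return TV.UNKNOWN


def k_and(a: TV, b: TV) -> TV:
    # Strong Kleene AND: a single False operand settles the result, even if the other is Unknown
    if TV.FALSE in (a, b):
        return TV.FALSE
    if a is TV.TRUE and b is TV.TRUE:
        return TV.TRUE
    return TV.UNKNOWN


def evaluate_rule(decision: str, target: TV) -> str:
    """Rule evaluation with Unknown targets; decision is "Permit" or "Deny"."""
    if target is TV.TRUE:
        return decision
    if target is TV.FALSE:
        return "Not-Applicable"
    # Unknown target: the indeterminate result records which decision the rule would have produced
    return "Indeterminate(D)" if decision == "Deny" else "Indeterminate(P)"


# Constructed attribute values: the PIP could not deliver role_is_admin (hypothetical names)
attrs = {"role_is_admin": TV.UNKNOWN, "account_suspended": TV.FALSE, "in_office_hours": TV.TRUE}


def r1() -> str:
    # Hypothetical R1: Deny if role_is_admin OR account_suspended
    return evaluate_rule("Deny", k_or(attrs["role_is_admin"], attrs["account_suspended"]))


def r2() -> str:
    # Hypothetical R2: Permit if role_is_admin AND in_office_hours
    return evaluate_rule("Permit", k_and(attrs["role_is_admin"], attrs["in_office_hours"]))


if __name__ == "__main__":
    print(r1(), r2())  # Indeterminate(D) Indeterminate(P)
```

Setting account_suspended to True makes R1 resolve to Deny despite the Unknown, while setting in_office_hours to False makes R2 Not-Applicable, which is the resolution behaviour the tables describe.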