Can policies set be deleted?
After reading the paper "Multi-data-types Interval Decision Diagrams for XACML Evaluation Engine", it is unclear to me how policies are to be removed. As far as I can tell, the modifications to the graph while adding new policies seem to be a one-way operation. Am I correct? If so, what kind of solution did you have in mind in case policies were to be removed? In access control, removing and updating policies is a must-have.
Hi @schnef,
Creating the graph from a set of policies is similar to compiling source code to binary. Whenever you update your policy repository, you need to rebuild the graph again.
Regards,
Canh.
That would in practice render using such a graph not very useful. Most systems probably face changes to the authorizations on a regular basis.
IMO it depends on specific use-cases. I assume in practice, users don't update policies every second. As long as they're updated, a new graph is generated and cached for policy evaluation. In this case, throughput of authorization evaluation is optimized.
If your use-case needs many policy updates but does not require optimizing policy evaluation, this engine is not suitable.
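
The rebuild-and-cache approach described in this thread, as an added example that is not part of the thread and is neither the project's code nor the paper's MIDD algorithm: a simplified one-attribute interval structure is compiled from the policy set, and removing a policy means recompiling and swapping the cached structure. The names `compile_policies`, `evaluate` and `PolicyEngine`, and the sample policies, are assumptions made for illustration.

```python
import bisect
import threading

# Constructed sample policies over one numeric attribute:
# id -> (low, high, effect), matching when low <= value < high.
POLICIES = {
    "p1": (0, 100, "Permit"),
    "p2": (18, 65, "Permit"),
    "p3": (40, 50, "Deny"),
}

def compile_policies(policies):
    """Flatten interval policies into sorted cut points and one decision per
    segment (deny-overrides). The result is a tuple and is never patched."""
    cuts = sorted({b for lo, hi, _ in policies.values() for b in (lo, hi)})
    decisions = []
    for left, right in zip(cuts, cuts[1:]):
        # Every policy boundary is a cut, so a policy covers a segment fully or not at all.
        effects = {e for lo, hi, e in policies.values() if lo <= left and right <= hi}
        decisions.append("Deny" if "Deny" in effects
                         else "Permit" if "Permit" in effects
                         else "NotApplicable")
    return tuple(cuts), tuple(decisions)

def evaluate(graph, value):
    """Look up the segment containing value with a binary search."""
    cuts, decisions = graph
    i = bisect.bisect_right(cuts, value) - 1
    return decisions[i] if 0 <= i < len(decisions) else "NotApplicable"

class PolicyEngine:
    """Hypothetical wrapper: the source policies are the editable form, the
    compiled structure is a disposable cache rebuilt on every change."""
    def __init__(self, policies):
        self._lock = threading.Lock()
        self._policies = dict(policies)
        self._graph = compile_policies(self._policies)

    def remove(self, policy_id):
        with self._lock:  # serialize writers; readers never take the lock
            del self._policies[policy_id]
            # Build the replacement fully, then publish it with one reference
            # assignment. Until that point readers still see the old decisions,
            # including any permit that is being revoked.
            self._graph = compile_policies(self._policies)

    def decide(self, value):
        return evaluate(self._graph, value)
```

The time between a policy change and the swap is the window in which a revoked permit is still honoured, so rebuild latency is the figure to measure when judging whether this model fits a deployment.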