XACML Rule combining algorithm
Definition
The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules
XACML rule combining algorithms is in charge to combine the decisions produced by different children of a parent policy (or policy set) into a single decision.
Rules
Soffid has implemented the following rules:
Deny overrides
The deny orverrides algorithm is intended for those cases where a deny decision should have priority over a permit decision.
Permit overrides
The permit overrides algorithm is intended for those cases where a permit decision should have priority over a deny decision.
First applicable
The first applicable algorithm is intended for evaluate each rule in the order in which is listed in the policy. The algorithm runs through all the rules until in one the target matches and the condition to be evaluated is true. If no further rule in the order exists, then the policy shall evaluate to "NotApplicable".
Only one applicable
The only one applicable algorithm has three cases:
- If only one policy is applicable, the result will be the result of evaluating the policy.
- If there are not policies applicables the result will be denied.
- If there are more than one policy applicable the result will be denied.
Ordered deny overrides
The behavior of this algorithm is identical to the Deny overrides policy-combining algorithm with one exception. The order in which the collection of policies is evaluated shal match the order as listed in the policy set.
Ordered permit overrides
The behavior of this algorithm is identical to the Permit overrides policy-combining algorithm with one exception. The order in which the collection of policies is evaluated shall match the order as listed in the policy set.
https://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf