XACML Rule combining algorithm

Definition

The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluating a set of rules.

XACML rule-combining algorithms combine the decisions produced by the different children of a parent policy (or policy set) into a single decision.

Rules

Soffid has implemented the following rules:

Deny overrides

The deny overrides algorithm is intended for those cases where a deny decision should have priority over a permit decision.

Permit overrides

The permit overrides algorithm is intended for those cases where a permit decision should have priority over a deny decision.

First applicable

The first applicable algorithm is intended to evaluate each rule in the order in which it is listed in the policy. The algorithm runs through the rules until it reaches one whose target matches and whose condition evaluates to true. If no further rule in the order exists, then the policy shall evaluate to "NotApplicable".
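
The three algorithms described above, applied to one rule set so the difference in outcome is visible. This is an added example, not Soffid code: the Rule class, attribute names, sample rules and requests are constructed for illustration, and only the Permit, Deny and NotApplicable results are modelled (XACML's Indeterminate result is left out).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, str]

@dataclass
class Rule:
    effect: str                                   # PERMIT or DENY
    target: Callable[[Request], bool]             # does the rule apply to this request?
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req: Request) -> str:
        # A rule yields its effect only when target and condition both hold.
        if self.target(req) and self.condition(req):
            return self.effect
        return NOT_APPLICABLE

def deny_overrides(rules: List[Rule], req: Request) -> str:
    results = [r.evaluate(req) for r in rules]
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE

def permit_overrides(rules: List[Rule], req: Request) -> str:
    results = [r.evaluate(req) for r in rules]
    if PERMIT in results:
        return PERMIT
    return DENY if DENY in results else NOT_APPLICABLE

def first_applicable(rules: List[Rule], req: Request) -> str:
    # Order matters: the first rule that applies decides.
    for rule in rules:
        decision = rule.evaluate(req)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

# Constructed sample policy and requests (hypothetical attribute names).
ADMIN_PERMIT = Rule(PERMIT, lambda r: r["role"] == "admin")
PAYROLL_DENY = Rule(DENY, lambda r: r["resource"] == "payroll",
                    lambda r: r["action"] == "write")
READ_PERMIT = Rule(PERMIT, lambda r: r["action"] == "read")
RULES = [ADMIN_PERMIT, PAYROLL_DENY, READ_PERMIT]
ADMIN_WRITE = {"role": "admin", "resource": "payroll", "action": "write"}
GUEST_DELETE = {"role": "guest", "resource": "report", "action": "delete"}

if __name__ == "__main__":
    for combine in (deny_overrides, permit_overrides, first_applicable):
        print(combine.__name__, combine(RULES, ADMIN_WRITE), combine(RULES, GUEST_DELETE))
```

For the admin write to payroll, deny overrides returns Deny while permit overrides and first applicable return Permit; moving the deny rule to the front of the list makes first applicable return Deny as well.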

Only one applicable

Ordered deny overrides

Ordered permit overrides