
XACML Rule combining algorithm

Definition

The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluating a set of rules.

XACML rule-combining algorithms are responsible for combining the decisions produced by the different children of a parent policy (or policy set) into a single decision.

Rules

Soffid has implemented the following rules:

Deny overrides

The deny overrides algorithm is intended for those cases where a deny decision should have priority over a permit decision.

Permit overrides

The permit overrides algorithm is intended for those cases where a permit decision should have priority over a deny decision.

First applicable

The first applicable algorithm is intended to evaluate each rule in the order in which it is listed in the policy. The algorithm runs through the rules until it reaches one whose target matches and whose condition evaluates to true. If no further rule in the order exists, then the policy shall evaluate to "NotApplicable".

Only one applicable

&&TODO&&

Ordered deny overrides

The behavior of this algorithm is identical to that of the Deny overrides policy-combining algorithm with one exception. The order in which the collection of policies is evaluated shall match the order as listed in the policy set.

Ordered permit overrides

The behavior of this algorithm is identical to that of the Permit overrides policy-combining algorithm with one exception. The order in which the collection of policies is evaluated shall match the order as listed in the policy set.
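
The following added example (not Soffid code) models the deny overrides, permit overrides and first applicable algorithms described above, so the same rule list can be evaluated under each one and the resulting decisions compared. The `Rule` class, the request attributes and the sample rules are constructed for illustration, and the model assumes only the Permit, Deny and NotApplicable outcomes; error ("Indeterminate") results are not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, str]

@dataclass
class Rule:  # hypothetical model of one rule: effect + target + condition
    effect: str
    target: Callable[[Request], bool]
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req: Request) -> str:
        # A rule yields its effect only if target matches and condition holds.
        if self.target(req) and self.condition(req):
            return self.effect
        return NOT_APPLICABLE

def deny_overrides(rules: List[Rule], req: Request) -> str:
    results = [r.evaluate(req) for r in rules]
    if DENY in results:          # any Deny wins over any Permit
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE

def permit_overrides(rules: List[Rule], req: Request) -> str:
    results = [r.evaluate(req) for r in rules]
    if PERMIT in results:        # any Permit wins over any Deny
        return PERMIT
    return DENY if DENY in results else NOT_APPLICABLE

def first_applicable(rules: List[Rule], req: Request) -> str:
    for r in rules:              # listing order decides the outcome
        decision = r.evaluate(req)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

ALGORITHMS = {"deny-overrides": deny_overrides,
              "permit-overrides": permit_overrides,
              "first-applicable": first_applicable}

# Constructed sample rules: admins are permitted; payroll access from
# outside the internal network is denied.
RULES = [
    Rule(PERMIT, target=lambda r: r["role"] == "admin"),
    Rule(DENY, target=lambda r: r["resource"] == "payroll",
         condition=lambda r: r["network"] != "internal"),
]

def decide_all(req: Request, rules: List[Rule] = RULES) -> Dict[str, str]:
    """Evaluate one request under every combining algorithm."""
    return {name: algo(rules, req) for name, algo in ALGORITHMS.items()}
```

When both sample rules apply (an admin requesting payroll from an external network), the decision depends entirely on the algorithm chosen, and under first applicable it also depends on the order of the rules, which is why rule order should be reviewed alongside the rules themselves.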