
XACML Rule combining algorithm

Definition

The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules.

An XACML rule-combining algorithm combines the decisions produced by the children of a parent policy (or policy set) into a single decision.

Rules

Soffid implements the following rule-combining algorithms:

Deny overrides

The deny overrides algorithm is intended for those cases where a deny decision should have priority over a permit decision.

Permit overrides

The permit overrides algorithm is intended for those cases where a permit decision should have priority over a deny decision.

First applicable

The first applicable algorithm evaluates each rule in the order in which it is listed in the policy. It runs through the rules until it reaches one whose target matches and whose condition evaluates to true, and that rule's effect becomes the result. If no such rule exists, the policy evaluates to "NotApplicable".

Only one applicable

The only one applicable algorithm has three cases:

  • If only one policy is applicable, the result will be the result of evaluating that policy.
  • If no policy is applicable, the result will be "NotApplicable".
  • If more than one policy is applicable, the result will be "Indeterminate".

Ordered deny overrides

The behavior of this algorithm is identical to the Deny overrides policy-combining algorithm with one exception. The order in which the collection of policies is evaluated shall match the order as listed in the policy set.

Ordered permit overrides

The behavior of this algorithm is identical to the Permit overrides policy-combining algorithm with one exception. The order in which the collection of policies is evaluated shall match the order as listed in the policy set.
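The six algorithms above, as an added Python example that is not part of the Soffid documentation or product code: each function takes the child decisions in policy order and returns the combined decision. The handling of "Indeterminate" children is an assumption taken from the policy-combining pseudocode in Appendix C of the XACML 2.0 specification linked at the end of this page.

```python
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


P, D, NA, IND = Decision.PERMIT, Decision.DENY, Decision.NOT_APPLICABLE, Decision.INDETERMINATE


def deny_overrides(results):
    # Deny wins. An Indeterminate child could have been a Deny, so it is treated
    # as Deny (fail-safe), following the XACML 2.0 policy-combining pseudocode.
    if D in results or IND in results:
        return D
    return P if P in results else NA


def permit_overrides(results):
    # Permit wins; otherwise Deny if any child denied; otherwise Indeterminate
    # if any child errored; otherwise NotApplicable.
    if P in results:
        return P
    if D in results:
        return D
    return IND if IND in results else NA


def first_applicable(results):
    # Decision of the first child, in policy order, that is not NotApplicable.
    for r in results:
        if r is not NA:
            return r
    return NA


def only_one_applicable(results):
    # Exactly one applicable child: its decision. None: NotApplicable.
    # More than one, or an error while deciding applicability: Indeterminate.
    if IND in results:
        return IND
    applicable = [r for r in results if r is not NA]
    if len(applicable) == 1:
        return applicable[0]
    return NA if not applicable else IND


# The ordered variants add only the requirement that children are evaluated in
# the order listed in the policy set; a Python list already preserves that order.
ordered_deny_overrides = deny_overrides
ordered_permit_overrides = permit_overrides
```

With the constructed child decisions `[NA, P, D]` the four base algorithms return Deny, Permit, Permit and Indeterminate respectively, which is the whole point of choosing the algorithm deliberately.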

https://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf