Re: [xacml-dev] XACML 3.0 Combining Algorithms.

[David Brossard <david.brossard@axiomatics.com>]

Hi Junaid, Romain,

First of all, here is the official definition of what a combining algorithm is:

XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively.  The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules.  Similarly, the policy-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of policies.

The correct names of the ones you mention are, according to the spec at http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-en.html in section B.9:

• deny-overrides
• urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides
  
• urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides
  
• permit-overrides
• urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides
  
• urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides
  
• deny-unless-permit
• urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit
  
• urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit
  
• permit-unless-deny
• urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny
  
• urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny
  

Note there is also ordered-deny-overrides and ordered-permit-overrides which impose the order of the evaluation of the children. deny-overrides and permit-overrides are vague about the order.

Appendix C describes the behavior of each combining algorithm. Here's a summary. In the case of an indeterminate, for deny-overrides and permit-overrides, then the evaluation stops.

• deny-overrides: in this case, if the first rule / policy returns Deny then the evaluation stops and the overall result is Deny.

		1. First choose the column below
2. Then choose the row		Permit	Deny	NotApplicable	Indeterminate
	Permit	Permit	Deny	Permit	Indeterminate
	Deny	Deny	Deny	Deny	Indeterminate
	NotApplicable	Permit	Deny	NotApplicable	Indeterminate
	Indeterminate	Indeterminate	Deny	Indeterminate	Indeterminate

• permit-overrides
  

Permit-overrides		1. First choose the column below
2. Then choose the row		Permit	Deny	NotApplicable	Indeterminate
	Permit	Permit	Permit	Permit	Indeterminate
	Deny	Permit	Deny	Deny	Indeterminate
	NotApplicable	Permit	Deny	NotApplicable	Indeterminate
	Indeterminate	Permit	Indeterminate	Indeterminate	Indeterminate

• deny-unless-permit
  

deny-unless-permit		1. First choose the column below
2. Then choose the row		Permit	Deny	NotApplicable	Indeterminate
	Permit	Permit	Permit	Permit	Permit
	Deny	Permit	Deny	Deny	Deny
	NotApplicable	Permit	Deny	Deny	Deny
	Indeterminate	Permit	Deny	Deny	Deny

• permit-unless-deny
  

Permit-unless-deny		1. First choose the column below
2. Then choose the row		Permit	Deny	NotApplicable	Indeterminate
	Permit	Permit	Deny	Permit	Permit
	Deny	Deny	Deny	Deny	Deny
	NotApplicable	Permit	Deny	Permit	Permit
	Indeterminate	Permit	Deny	Permit	Permit

I hope this helps,

David.

On Sun, Sep 15, 2013 at 10:25 PM, Romain Ferrari <romain.ferrari@gmail.com> wrote:

Hi,

If I recall override algorithm can imply not applicable result. "Unless" algorithms are always resulting in a deny or permit result. 

Regards

Romain Ferrari 

Le dimanche 15 septembre 2013, Junaid Sarfraz a écrit :

Dear all,

Can anyone explain the difference between " deny overrides permit " , " permit unless deny " and " permit overrides deny " , " deny unless permit ".

Regards,

Junaid

--
David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics