Subject: Re: [xacml-dev] XACML 3.0 Combining Algorithms.
Hi Junaid, Romain,

First of all, here is the official definition of what a combining algorithm is:

XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of policies.
The correct names of the ones you mention are, according to the spec at http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-en.html in section B.9:
- deny-overrides
- urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides
- urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides
- permit-overrides
- urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides
- urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides
- deny-unless-permit
- urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit
- urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit
- permit-unless-deny
- urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny
- urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny
Note there is also ordered-deny-overrides and ordered-permit-overrides which impose the order of the evaluation of the children. deny-overrides and permit-overrides are vague about the order.

Appendix C describes the behavior of each combining algorithm. Here's a summary. In the case of an indeterminate, for deny-overrides and permit-overrides, then the evaluation stops.

- deny-overrides: in this case, if the first rule / policy returns Deny then the evaluation stops and the overall result is Deny.

  (1. First choose the column below; 2. Then choose the row)

                | Permit        | Deny | NotApplicable | Indeterminate
  Permit        | Permit        | Deny | Permit        | Indeterminate
  Deny          | Deny          | Deny | Deny          | Indeterminate
  NotApplicable | Permit        | Deny | NotApplicable | Indeterminate
  Indeterminate | Indeterminate | Deny | Indeterminate | Indeterminate

- permit-overrides

  (1. First choose the column below; 2. Then choose the row)

                | Permit | Deny          | NotApplicable | Indeterminate
  Permit        | Permit | Permit        | Permit        | Indeterminate
  Deny          | Permit | Deny          | Deny          | Indeterminate
  NotApplicable | Permit | Deny          | NotApplicable | Indeterminate
  Indeterminate | Permit | Indeterminate | Indeterminate | Indeterminate

- deny-unless-permit

  (1. First choose the column below; 2. Then choose the row)

                | Permit | Deny | NotApplicable | Indeterminate
  Permit        | Permit | Permit | Permit      | Permit
  Deny          | Permit | Deny   | Deny        | Deny
  NotApplicable | Permit | Deny   | Deny        | Deny
  Indeterminate | Permit | Deny   | Deny        | Deny

- permit-unless-deny

  (1. First choose the column below; 2. Then choose the row)

                | Permit | Deny | NotApplicable | Indeterminate
  Permit        | Permit | Deny | Permit        | Permit
  Deny          | Deny   | Deny | Deny          | Deny
  NotApplicable | Permit | Deny | Permit        | Permit
  Indeterminate | Permit | Deny | Permit        | Permit

I hope this helps,
David.

--
On Sun, Sep 15, 2013 at 10:25 PM, Romain Ferrari <romain.ferrari@gmail.com> wrote:
Hi,

If I recall, the override algorithms can imply a not applicable result. "Unless" algorithms always result in a deny or permit result.

Regards
Romain Ferrari
On Sunday, 15 September 2013, Junaid Sarfraz wrote:

Dear all,

Can anyone explain the difference between "deny overrides permit", "permit unless deny" and "permit overrides deny", "deny unless permit".

Regards,
Junaid
David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
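As an added example (not from the message or the OASIS spec text), here are the four rule-combining algorithms implemented in Python following the Appendix C pseudo-code, where for the overrides algorithms a Deny (or Permit) found anywhere in the list of results wins. It assumes the Indeterminate{D}/{P}/{DP} variants collapsed into a single Indeterminate and uses only the rule-combining URNs listed above.

```python
from enum import Enum
from functools import partial

class Decision(str, Enum):
    # Indeterminate{D}/{P}/{DP} from Appendix C are collapsed into a single
    # Indeterminate treated as the conservative {DP} case (a simplification).
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

def _overrides(decisions, winner, loser):
    # deny-overrides / permit-overrides (spec C.2 / C.4): the winning value
    # takes precedence wherever it appears in the list; otherwise any
    # Indeterminate is reported; otherwise the loser; otherwise NotApplicable.
    saw_loser = saw_indeterminate = False
    for d in decisions:
        if d == winner:
            return winner
        if d == loser:
            saw_loser = True
        elif d == Decision.INDETERMINATE:
            saw_indeterminate = True
    if saw_indeterminate:
        return Decision.INDETERMINATE
    return loser if saw_loser else Decision.NOT_APPLICABLE

def _unless(decisions, winner, default):
    # deny-unless-permit / permit-unless-deny (spec C.6 / C.7): the result is
    # always Permit or Deny, so NotApplicable and Indeterminate never escape.
    return winner if winner in decisions else default

deny_overrides = partial(_overrides, winner=Decision.DENY, loser=Decision.PERMIT)
permit_overrides = partial(_overrides, winner=Decision.PERMIT, loser=Decision.DENY)
deny_unless_permit = partial(_unless, winner=Decision.PERMIT, default=Decision.DENY)
permit_unless_deny = partial(_unless, winner=Decision.DENY, default=Decision.PERMIT)

# Rule-combining identifiers quoted in the message (spec section B.9).
_PREFIX = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:"
ALGORITHMS = {
    _PREFIX + "deny-overrides": deny_overrides,
    _PREFIX + "permit-overrides": permit_overrides,
    _PREFIX + "deny-unless-permit": deny_unless_permit,
    _PREFIX + "permit-unless-deny": permit_unless_deny,
}

def combine(alg_id, decisions):
    # Combine the Rule results of one <Policy> under its RuleCombiningAlgId.
    return ALGORITHMS[alg_id](list(decisions))
```

The policy-combining variants behave the same way over a list of <Policy> results, so the same functions can be keyed by the policy-combining URNs.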