
xacml-users message



Subject: Re: [xacml-users] group representation and combine algorithm



On Oct 31, 2005, at 2:02 PM, Yair Sade wrote:
> [...]
> I want that specific rules that apply to specific user override the group
> rules. I can achieve that by ordering the specific subject rules before
> any-user rules and use first-applicable combining algorithm.
>
> However I want my rules to be handled in deny-override algorithm which
> contradicts the group handling algorithm.

If you use first-applicable, and then have a "fall through" Rule at  
the end which always denies, does that get you what you need?

   <Policy alg="first-applicable">
     <Rule Effect="Permit">
       [Applicable to user]
     </Rule>
     <Rule Effect="Permit">
       [Applicable to group]
     </Rule>
     <Rule Effect="Deny"/>
   </Policy>

Unless you've got something more complex than what I'm thinking about
(which is entirely likely <g>) I think this should act like
deny-overrides.


seth
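
The rule ordering discussed in this thread, as an added example that is not part of the original message: a simplified Python model of the XACML first-applicable and deny-overrides rule-combining algorithms (Indeterminate is not modelled), run over constructed requests. The user names, the `staff` group and the per-user Deny for `bob` are assumptions made for illustration.

```python
# Added illustration: simplified XACML rule combining (Indeterminate not modelled).
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

def rule(effect, applies):
    """A rule yields its effect when its target predicate matches the request."""
    return lambda req: effect if applies(req) else NOT_APPLICABLE

def first_applicable(rules, req):
    """Decision of the first rule, in document order, that applies."""
    for r in rules:
        decision = r(req)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

def deny_overrides(rules, req):
    """Any Deny wins; otherwise any Permit; otherwise NotApplicable."""
    results = [r(req) for r in rules]
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE

# Constructed rules: user-specific rules first, then the group rule.
USER_GROUP_RULES = [
    rule(PERMIT, lambda q: q["user"] == "alice"),
    rule(DENY, lambda q: q["user"] == "bob"),      # hypothetical per-user exception
    rule(PERMIT, lambda q: "staff" in q["groups"]),
]
# The unconditional "fall through" Deny placed last, as in the sketch above.
FALL_THROUGH = rule(DENY, lambda q: True)
POLICY = USER_GROUP_RULES + [FALL_THROUGH]

# Constructed requests.
REQUESTS = {
    "alice": {"user": "alice", "groups": []},
    "bob": {"user": "bob", "groups": ["staff"]},    # user Deny precedes group Permit
    "carol": {"user": "carol", "groups": ["staff"]},
    "mallory": {"user": "mallory", "groups": []},   # matches nothing but the fall-through
}

def decisions(algorithm, rules):
    """Evaluate every constructed request under one combining algorithm."""
    return {name: algorithm(rules, req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    print("first-applicable + fall-through:", decisions(first_applicable, POLICY))
    print("deny-overrides, no fall-through:", decisions(deny_overrides, USER_GROUP_RULES))
    print("deny-overrides + fall-through:  ", decisions(deny_overrides, POLICY))
```

In this model the two algorithms agree on every request that matches a user or group rule, and the fall-through turns the no-match case from NotApplicable into Deny. The same unconditional Deny evaluated under deny-overrides denies every request, so the catch-all only has this effect with first-applicable ordering.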

