[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] Combinators
The three combinators are attached, which is exactly the text we had at the meeting. PermitOverrides DenyOverrides FirstApplicable Sorry, I thought I had sent them yesterday morning. Cheers, -Polar
Permit Overrides Decision Rule Combining Algorithm The following specification defines the "Permit Overrides" rule combining algorithm of a policy. In the entire set of rules to be evaluated, if any rule evaluates to Permit, then the result of the rule combination shall be Permit. If any rule evaluates to Deny and all other rules evaluate to NotApplicable, then the result of the combination shall be Deny. In other words, Permit takes precedence, regardless of the result of evaluating any of the other rules in the combination. If all rules are found not to be applicable to the request, then the rule combination returns NotApplicable. If there is any error evaluating the target or condition of a rule that contains an effect of Permit then the evaluation continues looking for a result of Permit. If no other rule evaluates to a Permit, then the result of the combination is Indeterminate. If at least one rule evaluates to Deny, all other rules that do not have evaluation errors evaluate to Deny or NotApplicable, and all rules that do have evaluation errors contain effects of Deny, then the result of the combination shall be Deny. The following pseudo code represents the evaluation strategy of this rule combining algorithm. Decision permitOverridesRuleCombiningAlgorithm(Rule rules[]) { Boolean atLeastOneError = false; Boolean potentialPermit = false; Boolean atLeastOneDeny = false; for( i=0 ; i < lengthOf(rules) ; i++ ) { Decision decision = evaluate(rules[i]); if (decision == Deny) { atLeastOneDeny = true; continue; } if (decision == Permit) { return Permit; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { atLeastOneError = true; if (effectOf(rules[i]) == Permit) { potentialPermit = true; } continue; } } if (potentialPermit) { return Indeterminate; } if (atLeastOneDeny) { return Deny; } if (atLeastOneError) { return Indeterminate; } return NotApplicable; } Permit Overrides Decision Policy Combining Algorithm The following specification defines the "Permit Overrides" policy combining algorithm of a policy set. In the entire set of policies to be evaluated, if any any policy evaluates to Permit, then the result of the policy combination shall be Permit. In other words, Permit takes precedence, regardless of the result of evaluating any of the other policy in the combination. If all policies are found not to be applicable to the request, the policy combination returns NotApplicable. If there is any error evaluating the target of a policy, a reference to a policy is considered invalid, or the policy evalution results in Indeterminate, then the result of the combination shall be Indeterminate only if no other policies evaluate to Permit or Deny. The following pseudo code represents the evaluation strategy of this policy combining algorithm. Decision permitOverridesPolicyCombiningAlgorithm(Policy policies[]) { Boolean atLeastOneError = false; Boolean atLeastOneDeny = false; for( i=0 ; i < lengthOf(policies) ; i++ ) { Decision decision = evaluate(policies[i]); if (decision == Deny) { atLeastOneDeny = true; continue; } if (decision == Permit) { return Permit; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { atLeastOneError = true; continue; } } if (atLeastOneDeny) { return Deny; } if (atLeastOneError) { return Indeterminate; } return NotApplicable; } Obligations of the individual policies shall be combined as described in Section "Obligations."
Deny Overrides Decision Rule Combining Algorithm The following specification defines the "Deny Overrides" rule combining algorithm of a policy. In the entire set of rules to be evaluated, if any rule evaluates to Deny, then the result of the rule combination shall be Deny. If any rule evaluates to Permit and all other rules evaluate to NotApplicable, then the result of the combination shall be Permit. In other words, Deny takes precedence, regardless of the result of evaluating any of the other rules in the combination. If all rules are found not to be applicable to the request, then the rule combination returns NotApplicable. If there is any error evaluating the target or condition of a rule that contains an effect of Deny then the evaluation continues looking for a result of Deny. If no other rule evaluates to a Deny, then the result of the combination is Indeterminate. If at least one rule evaluates to Permit, all other rules that do not have evaluation errors evaluate to Permit or NotApplicable, and all rules that do have evaluation errors contain effects of Permit, then the result of the combination shall be Permit. The following pseudo code represents the evaluation strategy of this rule combining algorithm. Decision denyOverridesRuleCombiningAlgorithm(Rule rules[]) { Boolean atLeastOneError = false; Boolean potentialDeny = false; Boolean atLeastOnePermit = false; for( i=0 ; i < lengthOf(rules) ; i++ ) { Decision decision = evaluate(rules[i]); if (decision == Deny) { return Deny; } if (decision == Permit) { atLeastOnePermit = true; continue; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { atLeastOneError = true; if (effectOf(rules[i]) == Deny) { potentialDeny = true; } continue; } } if (potentialDeny) { return Indeterminate; } if (atLeastOnePermit) { return Permit; } if (atLeastOneError) { return Indeterminate; } return NotApplicable; } Deny Overrides Decision Policy Combining Algorithm The following specification defines the "Deny Overrides" policy combining algorithm of a policy set. In the entire set of policies to be evaluated, if any any policy evaluates to Deny, then the result of the policy combination shall be Deny. In other words, Deny takes precedence, regardless of the result of evaluating any of the other policy in the combination. If all policies are found not to be applicable to the request, the policy combination returns NotApplicable. If there is any error evaluating the target of a policy, or a reference to a policy is considered invalid, or the policy evalution results in Indeterminate, then the result of the combination shall be Deny. The following pseudo code represents the evaluation strategy of this policy combining algorithm. Decision denyOverridesPolicyCombiningAlgorithm(Policy policies[]) { Boolean atLeastOnePermit = false; for( i=0 ; i < lengthOf(policies) ; i++ ) { Decision decision = evaluate(policies[i]); if (decision == Deny) { return Deny; } if (decision == Permit) { atLeastOnePermit = true; continue; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { return Deny; } } if (atLeastOnePermit) { return Permit; } return NotApplicable; } Obligations of the individual policies shall be combined as described in Section "Obligations."
First Applicable Rule Combining Algorithm The following specification defines the "First Determinate" rule combining algorithm of a policy. Each rule is evaluated in the order it is listed in the policy. Of a particular rule, if the target is applicable and the condition evaluates to true, the evaluation of the combination shall halt and the corresponding effect of the rule shall be the result of the evaluation of the combination (i.e. Permit or Deny). Of a particular rule selected in the evaluation, if the target is not applicable or the condition evaluates to false, then the next rule in the order is evaluated. If no furuther rule in the order exists, then NotApplicable shall be the result of the evaluation of the combination. If there is any error evaluating the target or condition of a rule then the evaluation shall halt, and the result shall be Indeterminate with the appropriate error status. The following pseudo code represents the evaluation strategy of this rule combining algorithm. Decision firstApplicableEffectRuleCombiningAlgorithm(Rule rules[]) { for( i = 0 ; i < lengthOf(rules) ; i++ ) { Decision decision = evaluate(rules[i]); if (decision == Deny) { return Deny; } if (decision == Permit) { return Permit; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { return Indeterminate; } } return NotApplicable; } First Applicable Policy Combining Algorithm The following specification defines the "First Appplicable" policy combining algorithm of a policy set. Each policy is evaluated in order the it appears in the policy set. Of a particular policy, if the target is applicable and the policy evaluates to a determinate decision of Permit or Deny, the evaluation shall halt and that effect shall be the result of the evaluation of the combination. Of a particular policy, if the target is not applicable or the policy evaluates to NotApplicable, then the next policy in the order is evaluated. If no further policy exists in the order, then NotApplicable shall be the result of the evaluation of the combination. If there is any error evaluating the target or the policy, or a reference to a policy is considered invalid, then the evaluation shall continue looking for an applicable policy, if no applicable policy is found, then the result of the combination is Indeterminate. The following pseudo code represents the evaluation strategy of this policy combination algorithm. Decision firstApplicableEffectPolicyCombiningAlgorithm(Policy policies[]) { Boolean atLeastOneError = false; for( i = 0 ; i < lengthOf(policies) ; i++ ) { Decision decision = evaluate(policies[i]); if(decision == Deny) { return Deny; } if(decision == Permit) { return Permit; } if (decision == NotApplicable) { continue; } if (decision == Indeterminate) { atLeastOneError = true; continue; } } if (atLeastOneError) { return Indeterminate; } return NotApplicable; } Obligations of the individual policies shall be combined as described in Section "Obligations."
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC