Hi Junaid, Romain,
First of all, here is the official definition of what a combining algorithm is:
XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluation of a set of policies.
- deny-overrides
- urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides
- urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides
- permit-overrides
- urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides
- urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides
- deny-unless-permit
- urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit
- urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit
- permit-unless-deny
- urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny
- urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny
Note there are also ordered-deny-overrides and ordered-permit-overrides, which impose the order of evaluation of the children. deny-overrides and permit-overrides are vague about the order.
Appendix C describes the behavior of each combining algorithm. Here's a summary. In the case of an Indeterminate, for deny-overrides and permit-overrides, the evaluation stops.
- deny-overrides: in this case, if the first rule / policy returns Deny then the evaluation stops and the overall result is Deny.
deny-overrides (1. first choose the column, 2. then choose the row)

              | Permit        | Deny | NotApplicable | Indeterminate
Permit        | Permit        | Deny | Permit        | Indeterminate
Deny          | Deny          | Deny | Deny          | Indeterminate
NotApplicable | Permit        | Deny | NotApplicable | Indeterminate
Indeterminate | Indeterminate | Deny | Indeterminate | Indeterminate
Permit-overrides (1. first choose the column, 2. then choose the row)

              | Permit | Deny          | NotApplicable | Indeterminate
Permit        | Permit | Permit        | Permit        | Indeterminate
Deny          | Permit | Deny          | Deny          | Indeterminate
NotApplicable | Permit | Deny          | NotApplicable | Indeterminate
Indeterminate | Permit | Indeterminate | Indeterminate | Indeterminate
deny-unless-permit (1. first choose the column, 2. then choose the row)

              | Permit | Deny | NotApplicable | Indeterminate
Permit        | Permit | Permit | Permit      | Permit
Deny          | Permit | Deny   | Deny        | Deny
NotApplicable | Permit | Deny   | Deny        | Deny
Indeterminate | Permit | Deny   | Deny        | Deny
Permit-unless-deny (1. first choose the column, 2. then choose the row)

              | Permit | Deny | NotApplicable | Indeterminate
Permit        | Permit | Deny | Permit        | Permit
Deny          | Deny   | Deny | Deny          | Deny
NotApplicable | Permit | Deny | Permit        | Permit
Indeterminate | Permit | Deny | Permit        | Permit