Subject: RE: [xacml-users] group representation and combine algorithm
> Does anyone have an idea how I can do it? Is there any other way to force user-specific rules to override group rules?

I will try to answer. In general, all the applicable rules are equal. And all the applicable policies are equal. Even the document order for the first applicable is in reality implementation dependent.

One way to make them non-equal would be to split policies on groups and policies on individual users into separate policies. They may be differentiated by an environment target for example (using matching rule group_policy = true, or something to that effect), or by some implementation dependent id. Then you can either roll out your own policy combining algorithm that first uses user policies, or make the PEP make two requests, first with the group_policy attribute (in the example above) set to false, then, if the result is not applicable, issue a new request with it set to true. Though that approach will move some combining logic out of XACML, which is rather non-portable.

I would guess the XACML answer to making some rules/policies more important in some way is a new combining algorithm - that may make use of policy combining parameters defined in the policy. Currently there is no standard way to define a new algorithm; we may look into this in 3.0 or at a later time frame.

Daniel;
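A simplified Python model of the two approaches described in the message above, added here as an illustration and not part of the original post or of any XACML implementation. It contrasts a standard deny-overrides combination with a user-first combining algorithm and with the PEP two-request fallback. All names (`Policy`, `user_first`, `pep_two_requests`, the sample subjects) are hypothetical, and the Indeterminate decision is left out.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Policy:
    group_policy: bool               # differentiating attribute from the message
    target: Callable[[Dict], bool]   # subject/action match (hypothetical shape)
    effect: str

def evaluate(policy: Policy, request: Dict) -> str:
    # Environment match on group_policy, applied only when the PEP sends it.
    if request.get("group_policy", policy.group_policy) != policy.group_policy:
        return NOT_APPLICABLE
    return policy.effect if policy.target(request) else NOT_APPLICABLE

def deny_overrides(policies: List[Policy], request: Dict) -> str:
    results = [evaluate(p, request) for p in policies]
    return DENY if DENY in results else PERMIT if PERMIT in results else NOT_APPLICABLE

def user_first(policies: List[Policy], request: Dict) -> str:
    """Custom combining: user tier decides; group tier only on NotApplicable."""
    for is_group in (False, True):
        tier = [p for p in policies if p.group_policy == is_group]
        decision = deny_overrides(tier, request)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

def pep_two_requests(pdp: Callable[[Dict], str], request: Dict) -> str:
    """PEP-side variant: ask with group_policy=false, then retry with true."""
    for flag in (False, True):
        decision = pdp({**request, "group_policy": flag})
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

# Constructed sample: the group denies wiki writes, bob has a personal permit.
POLICIES = [
    Policy(True, lambda r: "contractors" in r["groups"] and r["action"] == "write", DENY),
    Policy(False, lambda r: r["subject"] == "bob" and r["action"] == "write", PERMIT),
]
BOB = {"subject": "bob", "groups": ["contractors"], "action": "write"}
CAROL = {"subject": "carol", "groups": ["contractors"], "action": "write"}

def pdp(request: Dict) -> str:
    return deny_overrides(POLICIES, request)   # standard combining inside the PDP
```

With equal-weight deny-overrides, bob's group policy wins; both tiered variants let his user policy decide while carol still falls through to the group rule.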