Subject: Re: [xacml-users] group representation and combine algorithm
On Oct 31, 2005, at 2:02 PM, Yair Sade wrote:

> [...]
> I want that specific rules that apply to specific user override the
> group rules. I can achieve that by ordering the specific subject rules
> before any-user rules and use first-applicable combining algorithm.
>
> However I want my rules to be handled in deny-override algorithm which
> contradicts the group handling algorithm.

If you use first-applicable, and then have a "fall through" Rule at the end which always denies, does that get you what you need?

    <Policy alg="first-applicable">
      <Rule Effect="Permit"> [Applicable to user] </Rule>
      <Rule Effect="Permit"> [Applicable to group] </Rule>
      <Rule Effect="Deny"/>
    </Policy>

Unless you've got something more complex than what I'm thinking about (which is entirely likely <g>) I think this should act like deny-overrides..

seth
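Added example, not part of the message above: a toy Python evaluator (not a XACML engine) that runs the sketched rule list under both first-applicable and deny-overrides, so the decisions can be compared per request. The user "alice", the group "staff" and the sample requests are constructed stand-ins for the bracketed placeholders; Indeterminate results, conditions and obligations are left out.

```python
# Added illustration: simplified combining-algorithm semantics only.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

def rule(effect, target=lambda req: True):
    """A rule is (effect, target predicate); the default target matches every request."""
    return (effect, target)

# Constructed stand-ins for "[Applicable to user]" and "[Applicable to group]".
is_alice = lambda req: req["user"] == "alice"
in_staff = lambda req: "staff" in req["groups"]

POLICY = [
    rule(PERMIT, is_alice),   # user-specific rule, listed first
    rule(PERMIT, in_staff),   # group rule
    rule(DENY),               # fall-through rule: applies to every request
]

def first_applicable(rules, req):
    """Return the effect of the first rule whose target matches; order matters."""
    for effect, target in rules:
        if target(req):
            return effect
    return NOT_APPLICABLE

def deny_overrides(rules, req):
    """Any applicable Deny wins, otherwise any applicable Permit; order is irrelevant."""
    effects = {effect for effect, target in rules if target(req)}
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

def decisions(rules, requests, combine):
    """Map each requesting user to the combined decision."""
    return {r["user"]: combine(rules, r) for r in requests}

# Constructed requests: a named user, a group member, and an outsider.
REQUESTS = [
    {"user": "alice", "groups": []},
    {"user": "bob", "groups": ["staff"]},
    {"user": "carol", "groups": []},
]

if __name__ == "__main__":
    for alg in (first_applicable, deny_overrides):
        print(alg.__name__, decisions(POLICY, REQUESTS, alg))
```

The unconditional Deny rule gives the intended default-deny only under first-applicable, where it is reached last; evaluated under deny-overrides, the same rule applies to every request and decides it.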