[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml-users] group representation and combine algorithm
Thanks for your answer
Assume I have several rules to a resource and one of them with effect=DENY.
Since my policy is first-applicable, if I want to have deny-override
behavior, I need to order the rules and put the deny rule as the first one.
It means in order to support groups I must write first-applicable policy
instead of deny-override.
Is there any workaround for it?
Thanks,
Yair
On Oct 31, 2005, at 2:02 PM, Yair Sade wrote:
> [...]
> I want that specific rules that apply to specific user override the
> group
> rules. I can achieve that by ordering the specific subject rules
> before
> any-user rules and use first-applicable combining algorithm.
>
> However I want my rules to be handled in deny-override algorithm which
> contradicts the group handling algorithm.
If you use first-applicable, and then have a "fall through" Rule at
the end which always denies, does that get you what you need?
<Policy alg="first-applicable">
<Rule Effect="Permit">
[Applicable to user]
</Rule>
<Rule Effect="Permit">
[Applicable to group]
</Rule>
<Rule Effect="Deny"/>
</Policy>
Unless you've got something more complex than what I'm thinking about
(which is entirely likely <g>) I think this should act like deny-
overrides..
seth
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]