Subject: RE: [xacml-users] group representation and combine algorithm
Thanks for your answer.

Assume I have several rules to a resource and one of them with effect=DENY. Since my policy is first-applicable, if I want to have deny-override behavior, I need to order the rules and put the deny rule as the first one. It means in order to support groups I must write first-applicable policy instead of deny-override. Is there any workaround for it?

Thanks,
Yair

On Oct 31, 2005, at 2:02 PM, Yair Sade wrote:

> [...]
> I want that specific rules that apply to specific user override the group
> rules. I can achieve that by ordering the specific subject rules before
> any-user rules and use first-applicable combining algorithm.
>
> However I want my rules to be handled in deny-override algorithm which
> contradicts the group handling algorithm.

If you use first-applicable, and then have a "fall through" Rule at the end which always denies, does that get you what you need?

    <Policy alg="first-applicable">
      <Rule Effect="Permit">
        [Applicable to user]
      </Rule>
      <Rule Effect="Permit">
        [Applicable to group]
      </Rule>
      <Rule Effect="Deny"/>
    </Policy>

Unless you've got something more complex than what I'm thinking about (which is entirely likely <g>) I think this should act like deny-overrides.

seth
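
Added example, not part of the original thread: a small Python model of the two rule-combining algorithms discussed above, ignoring Indeterminate results. The users, groups, predicates and policy names are constructed assumptions. It evaluates the fall-through policy under both algorithms and checks that moving Deny rules ahead of Permit rules makes first-applicable agree with deny-overrides.

```python
from typing import Callable, NamedTuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

class Rule(NamedTuple):
    effect: str
    applies: Callable[[dict], bool]  # stands in for the rule's Target/Condition

def first_applicable(rules, request):
    """Return the effect of the first rule that applies to the request."""
    for rule in rules:
        if rule.applies(request):
            return rule.effect
    return NOT_APPLICABLE

def deny_overrides(rules, request):
    """Any applicable Deny wins; otherwise any applicable Permit wins."""
    effects = {r.effect for r in rules if r.applies(request)}
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

def deny_first(rules):
    """Stable reorder that puts Deny rules ahead of Permit rules."""
    return sorted(rules, key=lambda r: r.effect != DENY)

# Constructed predicates and requests (assumptions, not from the thread).
in_staff = lambda req: "staff" in req["groups"]
is_alice = lambda req: req["user"] == "alice"
is_bob = lambda req: req["user"] == "bob"
always = lambda req: True

# The fall-through layout: user Permit, group Permit, unconditional Deny.
FALL_THROUGH = [Rule(PERMIT, is_alice), Rule(PERMIT, in_staff), Rule(DENY, always)]
# A group Permit followed by a Deny aimed at one member of that group.
TARGETED_DENY = [Rule(PERMIT, in_staff), Rule(DENY, is_bob)]

REQUESTS = [
    {"user": "alice", "groups": []},
    {"user": "bob", "groups": ["staff"]},
    {"user": "carol", "groups": ["staff"]},
    {"user": "mallory", "groups": []},
]

def decisions(rules, combine):
    """Map each constructed user to the decision for the given rule list."""
    return {req["user"]: combine(rules, req) for req in REQUESTS}

if __name__ == "__main__":
    for name, rules in (("fall-through", FALL_THROUGH), ("targeted deny", TARGETED_DENY)):
        for combine in (first_applicable, deny_overrides):
            print(name, combine.__name__, decisions(rules, combine))
    print("deny-first", decisions(deny_first(TARGETED_DENY), first_applicable))
```

In this model the fall-through rule gives deny-by-default under first-applicable, while a Deny aimed at a group member only takes effect under first-applicable when it is ordered before the group Permit.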