OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [xacml] Combinators

• From: Polar Humenn <polar@syr.edu>
• To: XACML <xacml@lists.oasis-open.org>
• Date: Tue, 06 Aug 2002 18:36:24 -0400 (EDT)

```
The three combinators are attached, which is exactly the text we had at
the meeting.

PermitOverrides
DenyOverrides
FirstApplicable

Sorry, I thought I had sent them yesterday morning.

Cheers,
-Polar
```
```Permit Overrides Decision Rule Combining Algorithm

The following specification defines the "Permit Overrides" rule combining
algorithm of a policy.

In the entire set of rules to be evaluated, if any rule evaluates to
Permit, then the result of the rule combination shall be Permit. If any
rule evaluates to Deny and all other rules evaluate to NotApplicable, then
the result of the combination shall be Deny. In other words, Permit takes
precedence, regardless of the result of evaluating any of the other rules
in the combination. If all rules are found not to be applicable to the
request, then the rule combination returns NotApplicable.

If there is any error evaluating the target or condition of a rule that
contains an effect of Permit then the evaluation continues looking for a
result of Permit. If no other rule evaluates to a Permit, then the result
of the combination is Indeterminate.

If at least one rule evaluates to Deny, all other rules that do not have
evaluation errors evaluate to Deny or NotApplicable, and all rules that do
have evaluation errors contain effects of Deny, then the result of the
combination shall be Deny.

The following pseudo code represents the evaluation strategy of this rule
combining algorithm.

Decision permitOverridesRuleCombiningAlgorithm(Rule rules[])
{
Boolean atLeastOneError  = false;
Boolean potentialPermit  = false;
Boolean atLeastOneDeny   = false;
for( i=0 ; i < lengthOf(rules) ; i++ )
{
Decision decision = evaluate(rules[i]);
if (decision == Deny)
{
atLeastOneDeny = true;
continue;
}
if (decision == Permit)
{
return Permit;
}
if (decision == NotApplicable)
{
continue;
}
if (decision == Indeterminate)
{
atLeastOneError = true;

if (effectOf(rules[i]) == Permit)
{
potentialPermit = true;
}
continue;
}
}
if (potentialPermit)
{
return Indeterminate;
}
if (atLeastOneDeny)
{
return Deny;
}
if (atLeastOneError)
{
return Indeterminate;
}
return NotApplicable;
}

Permit Overrides Decision Policy Combining Algorithm

The following specification defines the "Permit Overrides" policy combining
algorithm of a policy set.

In the entire set of policies to be evaluated, if any any policy evaluates
to Permit, then the result of the policy combination shall be Permit. In
other words, Permit takes precedence, regardless of the result of
evaluating any of the other policy in the combination. If all policies are
found not to be applicable to the request, the policy combination returns
NotApplicable.

If there is any error evaluating the target of a policy, a reference to a
policy is considered invalid, or the policy evalution results in
Indeterminate, then the result of the combination shall be Indeterminate
only if no other policies evaluate to Permit or Deny.

The following pseudo code represents the evaluation strategy of this policy
combining algorithm.

Decision permitOverridesPolicyCombiningAlgorithm(Policy policies[])
{
Boolean atLeastOneError = false;
Boolean atLeastOneDeny  = false;
for( i=0 ; i < lengthOf(policies) ; i++ )
{
Decision decision = evaluate(policies[i]);
if (decision == Deny)
{
atLeastOneDeny = true;
continue;
}
if (decision == Permit)
{
return Permit;
}
if (decision == NotApplicable)
{
continue;
}
if (decision == Indeterminate)
{
atLeastOneError = true;
continue;
}
}
if (atLeastOneDeny)
{
return Deny;
}
if (atLeastOneError)
{
return Indeterminate;
}
return NotApplicable;
}

Obligations of the individual policies shall be combined as described in
Section "Obligations."
```
```Deny Overrides Decision Rule Combining Algorithm

The following specification defines the "Deny Overrides" rule combining
algorithm of a policy.

In the entire set of rules to be evaluated, if any rule evaluates to
Deny, then the result of the rule combination shall be Deny. If any rule
evaluates to Permit and all other rules evaluate to NotApplicable, then
the result of the combination shall be Permit. In other words, Deny takes
precedence, regardless of the result of evaluating any of the other rules
in the combination. If all rules are found not to be applicable to the
request, then the rule combination returns NotApplicable.

If there is any error evaluating the target or condition of a rule that
contains an effect of Deny then the evaluation continues looking for a
result of Deny. If no other rule evaluates to a Deny, then the result of
the combination is Indeterminate.

If at least one rule evaluates to Permit, all other rules that do not
have evaluation errors evaluate to Permit or NotApplicable, and all rules
that do have evaluation errors contain effects of Permit, then the result
of the combination shall be Permit.

The following pseudo code represents the evaluation strategy of this rule
combining algorithm.

Decision denyOverridesRuleCombiningAlgorithm(Rule rules[])
{
Boolean atLeastOneError  = false;
Boolean potentialDeny    = false;
Boolean atLeastOnePermit = false;
for( i=0 ; i < lengthOf(rules) ; i++ )
{
Decision decision = evaluate(rules[i]);
if (decision == Deny)
{
return Deny;
}
if (decision == Permit)
{
atLeastOnePermit = true;
continue;
}
if (decision == NotApplicable)
{
continue;
}
if (decision == Indeterminate)
{
atLeastOneError = true;

if (effectOf(rules[i]) == Deny)
{
potentialDeny = true;
}
continue;
}
}
if (potentialDeny)
{
return Indeterminate;
}
if (atLeastOnePermit)
{
return Permit;
}
if (atLeastOneError)
{
return Indeterminate;
}
return NotApplicable;
}

Deny Overrides Decision Policy Combining Algorithm

The following specification defines the "Deny Overrides" policy combining
algorithm of a policy set.

In the entire set of policies to be evaluated, if any any policy
evaluates to Deny, then the result of the policy combination shall be
Deny. In other words, Deny takes precedence, regardless of the result of
evaluating any of the other policy in the combination. If all policies
are found not to be applicable to the request, the policy combination
returns NotApplicable.

If there is any error evaluating the target of a policy, or a reference
to a policy is considered invalid, or the policy evalution results in
Indeterminate, then the result of the combination shall be Deny.

The following pseudo code represents the evaluation strategy of this policy
combining algorithm.

Decision denyOverridesPolicyCombiningAlgorithm(Policy policies[])
{
Boolean atLeastOnePermit = false;
for( i=0 ; i < lengthOf(policies) ; i++ )
{
Decision decision = evaluate(policies[i]);
if (decision == Deny)
{
return Deny;
}
if (decision == Permit)
{
atLeastOnePermit = true;
continue;
}
if (decision == NotApplicable)
{
continue;
}
if (decision == Indeterminate)
{
return Deny;
}
}
if (atLeastOnePermit)
{
return Permit;
}
return NotApplicable;
}

Obligations of the individual policies shall be combined as described in
Section "Obligations."
```
```First Applicable Rule Combining Algorithm

The following specification defines the "First Determinate" rule combining
algorithm of a policy.

Each rule is evaluated in the order it is listed in the policy. Of a
particular rule, if the target is applicable and the condition evaluates to
true, the evaluation of the combination shall halt and the corresponding
effect of the rule shall be the result of the evaluation of the combination
(i.e. Permit or Deny). Of a particular rule selected in the evaluation, if
the target is not applicable or the condition evaluates to false, then the
next rule in the order is evaluated. If no furuther rule in the order
exists, then NotApplicable shall be the result of the evaluation of the
combination.

If there is any error evaluating the target or condition of a rule then the
evaluation shall halt, and the result shall be Indeterminate with the
appropriate error status.

The following pseudo code represents the evaluation strategy of this rule
combining algorithm.

Decision firstApplicableEffectRuleCombiningAlgorithm(Rule rules[])
{
for( i = 0 ; i < lengthOf(rules) ; i++ )
{
Decision decision = evaluate(rules[i]);
if (decision == Deny)
{
return Deny;
}
if (decision == Permit)
{
return Permit;
}
if (decision == NotApplicable)
{
continue;
}
if (decision == Indeterminate)
{
return Indeterminate;
}
}
return NotApplicable;
}

First Applicable Policy Combining Algorithm

The following specification defines the "First Appplicable" policy combining
algorithm of a policy set.

Each policy is evaluated in order the it appears in the policy set. Of a
particular policy, if the target is applicable and the policy evaluates to
a determinate decision of Permit or Deny, the evaluation shall halt and
that effect shall be the result of the evaluation of the combination. Of a
particular policy, if the target is not applicable or the policy evaluates
to NotApplicable, then the next policy in the order is evaluated. If no
further policy exists in the order, then NotApplicable shall be the result
of the evaluation of the combination.

If there is any error evaluating the target or the policy, or a reference
to a policy is considered invalid, then the evaluation shall continue
looking for an applicable policy, if no applicable policy is found, then
the result of the combination is Indeterminate.

The following pseudo code represents the evaluation strategy of this policy
combination algorithm.

Decision firstApplicableEffectPolicyCombiningAlgorithm(Policy policies[])
{
Boolean atLeastOneError = false;
for( i = 0 ; i < lengthOf(policies) ; i++ )
{
Decision decision = evaluate(policies[i]);
if(decision == Deny)
{
return Deny;
}
if(decision == Permit)
{
return Permit;
}
if (decision == NotApplicable)
{
continue;
}
if (decision == Indeterminate)
{
atLeastOneError = true;
continue;
}
}
if (atLeastOneError)
{
return Indeterminate;
}
return NotApplicable;
}

Obligations of the individual policies shall be combined as described in
Section "Obligations."
```

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]