Combining algorithms
Combining algorithms are used to associate the evaluation results of multiple rules or policies and determine the final authorization decision.
Usage of combining algorithms is optional, but it is generally recommended. They can help to ensure that authorization decisions are consistent and predictable, and they can also help to prevent conflicts between rules and policies.
The combining algorithms can be used both for rules and policies with a couple of exceptions:
| Name | Rules | Policies |
|---|---|---|
| denyOverrides | ✔️ | ✔️ |
| permitOverrides | ✔️ | ✔️ |
| orderedDenyOverrides | ✔️ | ✔️ |
| orderedPermitOverrides | ✔️ | ✔️ |
| firstApplicable | ✔️ | ✔️ |
| onlyOneApplicable | ❌ | ✔️ |
| denyUnlessPermit | ✔️ | ✔️ |
| permitUnlessDeny | ✔️ | ✔️ |
| onPermitApplySecond | ❌ | ✔️ |
Deny overrides
The denyOverrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision. This algorithm has the following behavior:
- If any decision is "Deny", the result is "Deny".
- Otherwise, if any decision is "Indeterminate", the result is "Indeterminate".
- Otherwise, if any decision is "Permit", the result is "Permit".
- Otherwise, the result is "Not Applicable".
The behavior of orderedDenyOverrides is identical to denyOverrides except that the order in which the collection of rules/policies is evaluated shall match the order of appearance in the policy/policy set.
Permit overrides
The permitOverrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision. This algorithm has the following behavior:
- If any decision is "Permit", the result is "Permit".
- Otherwise, if any decision is "Indeterminate", the result is "Indeterminate".
- Otherwise, if any decision is "Deny", the result is "Deny".
- Otherwise, the result is "Not Applicable".
The behavior of orderedPermitOverrides is identical to permitOverrides except that the order in which the collection of rules/policies is evaluated shall match the order of appearance in the policy/policy set.
First applicable
The firstApplicable combining algorithm returns the decision from the first matching rule or policy. If no rule or policy matches, the result is "Not Applicable".
Only one applicable
The following table summarizes the behavior of the onlyOneApplicable combining algorithm:
| Case | Result |
|---|---|
| No policy is applicable | "Not Applicable" |
| More than one policy is applicable | "Indeterminate" |
| Only one policy is applicable | Result of evaluating the rule/policy |
The onlyOneApplicable combining algorithm can only be used for policies, not rules.
Deny unless permit
The denyUnlessPermit combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an "Indeterminate" or "Not Applicable" must never be the result.
- If any decision is "Permit", the result is "Permit".
- Otherwise, the result is "Deny".
It is particularly useful at the top level of a policy structure to ensure that a PDP will always return a definite "Permit" or "Deny" result, or in situations where describing what needs to be permitted rather than denied is more practical.
Permit unless deny
The permitUnlessDeny combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an "Indeterminate" or "Not Applicable" must never be the result.
- If any decision is "Deny", the result is "Deny".
- Otherwise, the result is "Permit".
It is particularly useful at the top level of a policy structure to ensure that a PDP will always return a definite "Permit" or "Deny" result, or in situations where describing what needs to be denied rather than permitted is more practical.
On permit apply second
The onPermitApplySecond combining algorithm is primarily intended for those cases where it would be desirable to attach a condition to a policy or policy set. This algorithm has the following behavior:
The input contains an array of children (policies and/or policy sets).
- If there are not exactly two or three children, then the result is "Indeterminate".
- Otherwise, if the decision from the first child is "Not Applicable", "Deny", or "Indeterminate", then the result is:
  - "Not Applicable" if there is no third child;
  - the decision of the third child if there is a third child.
- Otherwise, if the decision of the first child is "Permit", then the result is the decision from the second child.
- Otherwise, the result is "Indeterminate".
The onPermitApplySecond combining algorithm can only be used for policies, not rules.
Example
To illustrate how different combining algorithms work, consider a policy that contains three rules: R1, R2, and R3. Each rule evaluates to a different decision: Permit, Deny, and NotApplicable respectively. Depending on the combining algorithm defined on the policy level, the final decision of the policy will vary. More specifically:
| Algorithm | Outcome | Reasoning |
|---|---|---|
| denyOverrides | Deny | This algorithm gives precedence to denying access over permitting or indeterminate outcomes. In this example, the final decision is Deny, because R2 evaluates to Deny. |
| permitOverrides | Permit | This algorithm gives precedence to permitting access over denying or indeterminate outcomes. In this example, the final decision is Permit, because R1 evaluates to Permit. |
| orderedDenyOverrides | Deny | This algorithm is similar to denyOverrides, but it evaluates the rules in the order they are defined, and stops as soon as it finds a Deny outcome. In this example, the final decision is Deny, because R2 evaluates to Deny and it is evaluated before R3. |
| orderedPermitOverrides | Permit | This algorithm is similar to permitOverrides, but it evaluates the rules in the order they are defined, and stops as soon as it finds a Permit outcome. In this example, the final decision is Permit, because R1 evaluates to Permit and it is evaluated before R2 and R3. |
| firstApplicable | Permit | This algorithm returns the first outcome that is not NotApplicable. This means that it stops evaluating the rules as soon as it finds one that applies to the request. In this example, the final decision is Permit, because R1 evaluates to Permit and it is the first applicable outcome. |
| denyUnlessPermit | Permit | This algorithm denies access unless it finds a Permit outcome. In this example, the final decision is Permit, because R1 evaluates to Permit. |
| permitUnlessDeny | Deny | This algorithm permits access unless it finds a Deny outcome. In this example, the final decision is Deny, because R2 evaluates to Deny. |
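As an added worked example (not code from this page or from the product it documents), the following Python model implements every combining algorithm described above and reproduces the R1/R2/R3 outcome table, and it also covers the two policy-only algorithms the table omits. It assumes decisions are plain strings, that the ordered variants can share the unordered implementation (the order changes only which child is evaluated first, not the result), and it approximates "applicable" as "did not return NotApplicable".

```python
# Added example: a minimal model of the combining algorithms described on this page.
# Decisions are plain strings; "NotApplicable" is written without the space.
PERMIT, DENY, IND, NA = "Permit", "Deny", "Indeterminate", "NotApplicable"

def deny_overrides(decisions):
    if DENY in decisions: return DENY
    if IND in decisions: return IND
    if PERMIT in decisions: return PERMIT
    return NA

def permit_overrides(decisions):
    if PERMIT in decisions: return PERMIT
    if IND in decisions: return IND
    if DENY in decisions: return DENY
    return NA

def first_applicable(decisions):
    # First decision that is not NotApplicable wins; nothing applicable -> NotApplicable.
    return next((d for d in decisions if d != NA), NA)

def only_one_applicable(decisions):
    # Assumption of this model: a child is "applicable" if it did not return NotApplicable.
    applicable = [d for d in decisions if d != NA]
    if not applicable: return NA
    if len(applicable) > 1: return IND
    return applicable[0]

def deny_unless_permit(decisions):
    return PERMIT if PERMIT in decisions else DENY  # never Indeterminate / NotApplicable

def permit_unless_deny(decisions):
    return DENY if DENY in decisions else PERMIT    # never Indeterminate / NotApplicable

def on_permit_apply_second(decisions):
    if len(decisions) not in (2, 3): return IND
    if decisions[0] in (NA, DENY, IND):            # condition child did not permit
        return decisions[2] if len(decisions) == 3 else NA
    return decisions[1] if decisions[0] == PERMIT else IND

ALGORITHMS = {
    "denyOverrides": deny_overrides, "orderedDenyOverrides": deny_overrides,
    "permitOverrides": permit_overrides, "orderedPermitOverrides": permit_overrides,
    "firstApplicable": first_applicable, "onlyOneApplicable": only_one_applicable,
    "denyUnlessPermit": deny_unless_permit, "permitUnlessDeny": permit_unless_deny,
    "onPermitApplySecond": on_permit_apply_second,
}

def combine(name, decisions):
    return ALGORITHMS[name](list(decisions))

EXAMPLE = [PERMIT, DENY, NA]  # R1, R2, R3 from the example above (constructed input)

def example_outcomes():
    # Reproduces the outcome table for the rule-level algorithms.
    return {n: combine(n, EXAMPLE) for n in ALGORITHMS
            if n not in ("onlyOneApplicable", "onPermitApplySecond")}
```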