Combining algorithm
A combining algorithm determines how elements in a policy tree will be combined to render a final result. In the Policy Editor, it is selectable from a drop-down menu in the right-hand corner of the policy and policy set nodes, and also in the edit panel of the currently selected node, where it is presented as a drop-down menu in its own section.
There are two types of combining algorithms:
Policy-combining algorithms - these are selected inside a policy set and are used to combine the results of policies and policy sets.
Rule-combining algorithms - these are selected inside a policy and are used to combine the results of rules.
The following table provides a brief description of the behavior of each combining algorithm. Note that some of them are not applicable for rules. For complete information, please refer to the eXtensible Access Control Markup Language (XACML) Version 3.0.
| Combining algorithm | Abbreviation | Description |
|---|---|---|
| Deny overrides | DO | Even if multiple policies or rules are evaluated to Permit, one single Deny leads to a Deny decision. |
| Deny unless permit/Permit unless deny | DuP/PuD | There are four possible outcomes to an authorization request: Permit, Deny, NotApplicable, and Indeterminate. Sometimes, it is desirable to hide the NotApplicable and Indeterminate decisions to only allow for Permit or Deny. By using one of these combining algorithms we guarantee that either Permit or Deny will be returned. |
| First applicable | 1stA | The final decision returned is the first one produced either of Permit or Deny. |
| On permit apply second | oPAS | In some cases, it may be useful to have a Condition at the policy or policy set level, as a Condition allows for more expressive matching than a Target, which can only match against constant values. The "On permit apply second" combining algorithm makes it possible to define a policy structure which behaves as if there was a condition at the policy or policy set level, without changes to the XACML 3.0 schema. This combining algorithm only applies for policy sets to combine policy sets and policies; it is not available for rules. |
| Only one applicable | 1A | For either of a Permit or Deny to be returned, then only one of the children must produce a valid decision -- whether Deny or Permit. This combining algorithm only applies for policy sets to combine policy sets and policies; it is not available for rules. |
| Ordered deny overrides/Ordered permit overrides | oDO/oPO | Works the same way as "Deny/Permit overrides", but with the difference that policies, policy sets, and rules are considered in the order in which they are defined in the policy. |
| Permit overrides | PO | Even if multiple policies or rules are evaluated to Deny, one single Permit leads to a Permit decision. |