Policy evaluation logic
Policy Designer allows you to create Attribute-based Access Control (ABAC) policies to achieve a level of dynamic security that isn't possible with static authorization models, such as Role-based Access Control (RBAC). Using Policy Designer, you can create simple policy rules utilizing selected conditions and attributes associated with who, what, and where that match the application's access requirements.
The Policy Decision Point (PDP) evaluates incoming access requests against your policies and then returns a "Permit"/"Deny" decision.
Rule's effect
A policy consists of one or more rules that contain its core logic. The heart of each rule is a condition, a boolean (true/false) function. If the condition evaluates to true, the rule's effect is returned. The rule's effect is either "Permit" or "Deny" and is associated with the successful evaluation of the rule.
Policy Designer is configured to always set the rule's effect to "Permit". This means that the successful evaluation of a rule returns a "Permit" effect.
Set of values
The PDP treats the values of an attribute as a set and not as a single unit. When an access request is received, the PDP compares this set of values against the single value provided in the policy rule. If any of the values from the set matches that single value, the condition evaluates to true.
Rule-combining algorithm
The rule-combining algorithm controls the final authorization decision for the policy, combining the results of the individual rules within this policy.
In Policy Designer the rule-combining algorithm is set to deny-unless-permit. This means that the policy evaluates the rules in order until one matches and therefore returns "Permit", ignoring indeterminate results. If no rule matches, the policy returns "Deny".
As soon as a rule evaluates to permit, the policy will return "Permit" immediately, without evaluating any more rules.
Rules order
The order of the rules is the same as the one displayed in the interface of Policy Designer. Currently, there is no way to re-order the rules after they are created.
Example
We have the following rules:
Rule | Modifier | Attribute | Condition | Value
---|---|---|---|---
A | | Role | equals | Manager
B | EXCEPT | Role | equals | Manager
and the following cases:
Case | Role values | # of values
---|---|---
I | "Manager" | 1
II | "Employee, Manager, Product manager" | 3
III | "Employee, Executive" | 2
IV | "" | 0 (empty)
The system behavior will be the following:
Rule A
The rule permits access to users that have the manager role amongst the roles assigned to them. As a result:
- Cases I and II both evaluate to true as they include the manager role in their lists, even though case II includes multiple values.
- Cases III and IV evaluate to false because they don't include the manager role.
Rule B
The rule denies access to users that have the manager role amongst the roles assigned to them. As a result:
- Cases I and II both evaluate to false as they include the manager role in their lists, even though case II includes other values as well.
- Cases III and IV evaluate to true because they don't include the manager role.
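The following is an added example, not code from Policy Designer or its PDP, that models the three evaluation properties described on this page (set-of-values matching, the deny-unless-permit rule-combining algorithm with first-match short-circuit and ignored indeterminates, and rule order) and runs rules A and B against cases I to IV. The rule and request structures, and the assumption that a malformed attribute value makes a rule indeterminate, are constructed for this illustration.

```python
"""Minimal model of the Policy Designer evaluation semantics described above.
Constructed example; the data structures are assumptions, not the product's API."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence, Tuple

PERMIT, DENY = "Permit", "Deny"


@dataclass(frozen=True)
class Rule:
    """One rule of the form `attribute equals value`, optionally negated (EXCEPT).

    The effect is always Permit, as Policy Designer configures it.
    """
    name: str
    attribute: str
    value: str
    negated: bool = False

    def condition(self, request: Dict[str, Sequence[str]]) -> bool:
        # Set-of-values semantics: the request carries a set of values for the
        # attribute; the condition holds if any member equals the rule's value.
        values = request.get(self.attribute, ())
        if isinstance(values, str) or not isinstance(values, (list, tuple, set, frozenset)):
            # Assumption for this model: a malformed attribute value cannot be
            # evaluated and makes the rule Indeterminate.
            raise TypeError(f"{self.attribute}: expected a set of values")
        hit = self.value in set(values)
        return (not hit) if self.negated else hit


def evaluate(rules: Iterable[Rule], request: Dict[str, Sequence[str]]) -> Tuple[str, Optional[str]]:
    """deny-unless-permit, in rule order: the first rule whose condition is true
    yields Permit and stops evaluation; Indeterminate rules are skipped;
    if nothing matches the policy returns Deny."""
    for rule in rules:
        try:
            if rule.condition(request):
                return PERMIT, rule.name
        except TypeError:
            continue  # Indeterminate: ignored by deny-unless-permit
    return DENY, None


# The page's two rules.
RULE_A = Rule("A", "Role", "Manager")
RULE_B = Rule("B", "Role", "Manager", negated=True)

# The page's four cases as constructed access requests.
CASES = {
    "I": {"Role": ["Manager"]},
    "II": {"Role": ["Employee", "Manager", "Product manager"]},
    "III": {"Role": ["Employee", "Executive"]},
    "IV": {"Role": []},
}


def decisions(rules: Sequence[Rule]) -> Dict[str, str]:
    """Final decision of a policy made of `rules` for every case."""
    return {case: evaluate(rules, request)[0] for case, request in CASES.items()}


if __name__ == "__main__":
    for label, rules in (("Rule A alone", [RULE_A]),
                         ("Rule B alone", [RULE_B]),
                         ("A and B in one policy", [RULE_A, RULE_B])):
        print(f"{label}: {decisions(rules)}")
```

Running the model with rule A alone permits cases I and II and denies III and IV; rule B alone gives the inverse, matching the tables above. The third run shows a consequence worth checking in your own policies: because every rule's effect is Permit and the algorithm is deny-unless-permit, a policy that contains both A and B permits every request, since one of the two conditions is always true. An EXCEPT rule therefore does not deny managers; it permits everyone who is not one.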