Figure 5 shows an example[2] of an XACML policy corresponding to the
third rule R3 of Figure 2. The Target element specifies the applicability of
the policy R3: the role of the requesting subject should be ReviewerName
and the requested action should be read. The policy R3 consists of three
Rules, R3-1, R3-2 and R3-3.
R3-1 permits read access to the review summary element. Note that this
rule says nothing about subordinate nodes, since the xpath-node-equal
matching function matches only the specified node, here the review summary
element. R3-2 permits read access to an entry element and its subordinate
nodes when the name of the requesting subject is identical to the value of
the reviewerName element; the propagation to subordinate nodes is provided
by the xpath-node-match matching function. R3-3 denies read access to the
authorName element.
These three rules are combined by the deny-overrides algorithm, which
means that if any rule evaluates to deny, then the result of the rule
combination is deny. For example, R3-2 permits read access to the authorName
element (a subordinate node of entry) while R3-3 explicitly denies it; the
deny-overrides algorithm therefore concludes that read access to the
authorName element is denied. The XACML specification defines several
other combining algorithms as well, such as first-applicable and
only-one-applicable.
Decision Combining Algorithms
Each policy specifies a rule combining algorithm (and each policy set a
policy combining algorithm) which defines the procedure for arriving at an
authorization decision from the individual results of evaluating a set of
rules or policies. Besides the Deny-overrides algorithm of the previous
example, the specification supports Permit-overrides, Only-one-applicable
and First-applicable, among others.
The Permit-overrides algorithm is the mirror image of Deny-overrides: if any
rule evaluates to permit, then the decision is permit. If no rule permits
but at least one rule evaluates to deny, the decision is deny. If all of the
rules evaluate to not applicable, the decision is not applicable.
The Only-one-applicable algorithm is defined for combining the policies of a
policy set rather than the rules of a policy. If more than one policy applies
(i.e. more than one Target matches), then the decision is indeterminate. If
no policy applies, then the result is not applicable. If exactly one policy
applies, the decision is the result of evaluating that policy.
The First-applicable algorithm evaluates the rules in their order of
appearance in the policy. The first rule such that the
[2] The syntax used in Figure 5 is somewhat abbreviated due to space
limitations. The exact URI of the rule-combining algorithm is
“urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides”.
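The following evaluator is an added worked example, not code from the chapter or from any XACML implementation. It models policy R3 of Figure 5 (three rules, policy Target on role and action) with the two XPath matching functions the text contrasts, and runs the combined decision through simplified versions of the four combining algorithms. The node paths, the reviewerName value "alice" and the child node "/entry/reviewSummary/score" are constructed sample data; the XACML 3.0 Indeterminate{D}/{P}/{DP} refinements are left out, and Only-one-applicable is applied to rule decisions purely to show its arithmetic.

```python
from dataclasses import dataclass
from typing import Callable, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Constructed sample document: XPath-like node paths standing in for the XML of
# the chapter's Figure 2 (assumption; the real element layout is not reproduced).
DOCUMENT = {
    "/entry/reviewerName": "alice",
    "/entry/reviewSummary": "Strong accept",
    "/entry/reviewSummary/score": "5",      # constructed child, to show (non-)propagation
    "/entry/authorName": "carol",
}


@dataclass
class Request:
    subject_role: str
    subject_name: str
    action: str
    resource: str          # XPath of the requested node


# The two matching functions the chapter contrasts.
def xpath_node_equal(target: str, resource: str) -> bool:
    """Matches only the named node itself; nothing propagates to children."""
    return resource == target


def xpath_node_match(target: str, resource: str) -> bool:
    """Matches the named node and every node in its subtree."""
    return resource == target or resource.startswith(target + "/")


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # PERMIT or DENY
    target_path: str
    match: Callable[[str, str], bool]
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req: Request) -> str:
        if not self.match(self.target_path, req.resource):
            return NOT_APPLICABLE
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except Exception:                        # a Condition that cannot be evaluated
            return INDETERMINATE


# Policy R3: Target = (role ReviewerName, action read), rules as in Figure 5.
R3_TARGET = ("ReviewerName", "read")
R3_RULES = [
    Rule("R3-1", PERMIT, "/entry/reviewSummary", xpath_node_equal),
    Rule("R3-2", PERMIT, "/entry", xpath_node_match,
         condition=lambda req: req.subject_name == DOCUMENT["/entry/reviewerName"]),
    Rule("R3-3", DENY, "/entry/authorName", xpath_node_equal),
]


# Combining algorithms over the list of individual rule decisions (simplified:
# XACML 3.0's Indeterminate{D}/{P}/{DP} distinctions are omitted).
def deny_overrides(results: List[str]) -> str:
    for d in (DENY, INDETERMINATE, PERMIT):
        if d in results:
            return d
    return NOT_APPLICABLE


def permit_overrides(results: List[str]) -> str:
    for d in (PERMIT, INDETERMINATE, DENY):
        if d in results:
            return d
    return NOT_APPLICABLE


def first_applicable(results: List[str]) -> str:
    for d in results:                            # document order of the rules
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


def only_one_applicable(results: List[str]) -> str:
    # XACML defines this algorithm for policies inside a policy set; it is
    # applied to rule decisions here only to show its arithmetic.
    applicable = [d for d in results if d != NOT_APPLICABLE]
    if len(applicable) > 1:
        return INDETERMINATE
    return applicable[0] if applicable else NOT_APPLICABLE


def evaluate_policy(req: Request, combine=deny_overrides, rules=R3_RULES) -> str:
    if (req.subject_role, req.action) != R3_TARGET:   # policy Target not matched
        return NOT_APPLICABLE
    return combine([rule.evaluate(req) for rule in rules])


if __name__ == "__main__":
    alice_reads_author = Request("ReviewerName", "alice", "read", "/entry/authorName")
    for algo in (deny_overrides, permit_overrides, first_applicable, only_one_applicable):
        print(f"{algo.__name__:20s} -> {evaluate_policy(alice_reads_author, algo)}")
```

For the reviewer's request to read authorName, the rule decisions are [NotApplicable, Permit, Deny]: deny-overrides yields Deny as the text describes, while permit-overrides and first-applicable would yield Permit and only-one-applicable Indeterminate, which is why the choice of combining algorithm is itself a security decision. A subject whose name differs from the reviewerName value can still read the review summary node (R3-1 has no subject condition) but not its constructed child node, because xpath-node-equal does not propagate.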