ABAC Policy

Conflicting rules

In the previous example, if all attribute values are True, then each rule returns a different decision. In general, the access control system is responsible for resolving all conflicts between rules. This is done by composing rules together using composition operators. The four main operators are Permit-Overrides (POV), Deny-Overrides (DOV), Permit-unless-Deny (PUD) and Deny-unless-Permit (DUP).

Permit-Overrides (POV)

Intuitively speaking, POV gives priority to Permit, then to Deny, and finally to NotApplicable. The operator can be defined using the following table.

| POV | Permit | Deny | NA |
| --- | --- | --- | --- |
| Permit | Permit | Permit | Permit |
| Deny | Permit | Deny | Deny |
| NA | Permit | Deny | NA |

Deny-overrides (DOV)

Intuitively speaking, DOV gives priority to Deny, then to Permit, and finally to NotApplicable. The operator can be defined using the following table.

| DOV | Permit | Deny | NA |
| --- | --- | --- | --- |
| Permit | Permit | Deny | Permit |
| Deny | Deny | Deny | Deny |
| NA | Permit | Deny | NA |

Permit-unless-Deny (PUD)

PUD returns Deny if any of the sub-policies returns Deny, and returns Permit otherwise. As the table below shows, PUD is actually quite close to DOV (and not to POV, as the name could suggest!): the only difference is that when both sub-policies are Not-Applicable, PUD returns Permit instead of Not-Applicable.

| PUD | Permit | Deny | NA |
| --- | --- | --- | --- |
| Permit | Permit | Deny | Permit |
| Deny | Deny | Deny | Deny |
| NA | Permit | Deny | Permit |

Deny-unless-Permit (DUP)

DUP returns Permit if any of the sub-policies returns Permit, and returns Deny otherwise. As the table below shows, DUP is actually quite close to POV (and not to DOV, as the name could suggest!): the only difference is that when both sub-policies are Not-Applicable, DUP returns Deny instead of Not-Applicable.

| DUP | Permit | Deny | NA |
| --- | --- | --- | --- |
| Permit | Permit | Permit | Permit |
| Deny | Permit | Deny | Deny |
| NA | Permit | Deny | Deny |

First-Applicable (FA)

The First-Applicable (FA) operator returns the decision of the first rule if it is different from Not-Applicable, and the decision of the second rule otherwise. Unlike the four operators above, FA is not symmetric: in the table below, rows give the first rule's decision and columns give the second rule's.

| FA | Permit | Deny | NA |
| --- | --- | --- | --- |
| Permit | Permit | Permit | Permit |
| Deny | Deny | Deny | Deny |
| NA | Permit | Deny | NA |

Example

We now compose the rules from the example using the POV operator.




Try to change the operator from POV to the other operators to observe the differences.
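The following Python script is an added example, not part of this page or of the policy engine it describes. It implements the five combining operators exactly as the tables above define them, then composes three constructed rules (assumed here, since the original example is not reproduced on this page) over a set of boolean attributes, so that the effect of switching the operator can be read off directly. The attribute names `is_owner`, `is_blacklisted` and `is_archived` and the rules built on them are assumptions for the demonstration.

```python
from enum import Enum
from functools import reduce
from typing import Callable, Dict, List


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NA = "NotApplicable"


P, D, NA = Decision.PERMIT, Decision.DENY, Decision.NA


# --- The five combining operators, one function per table on the page ---

def pov(a: Decision, b: Decision) -> Decision:
    """Permit-Overrides: Permit beats Deny, Deny beats NotApplicable."""
    if P in (a, b):
        return P
    if D in (a, b):
        return D
    return NA


def dov(a: Decision, b: Decision) -> Decision:
    """Deny-Overrides: Deny beats Permit, Permit beats NotApplicable."""
    if D in (a, b):
        return D
    if P in (a, b):
        return P
    return NA


def pud(a: Decision, b: Decision) -> Decision:
    """Permit-unless-Deny: like DOV, but NA/NA yields Permit (fail-open default)."""
    return D if D in (a, b) else P


def dup(a: Decision, b: Decision) -> Decision:
    """Deny-unless-Permit: like POV, but NA/NA yields Deny (fail-closed default)."""
    return P if P in (a, b) else D


def fa(a: Decision, b: Decision) -> Decision:
    """First-Applicable: the first rule's decision unless it is NA, else the second's."""
    return a if a is not NA else b


OPERATORS: Dict[str, Callable[[Decision, Decision], Decision]] = {
    "POV": pov, "DOV": dov, "PUD": pud, "DUP": dup, "FA": fa,
}


def truth_table(op: Callable[[Decision, Decision], Decision]) -> Dict[tuple, Decision]:
    """All nine (first, second) combinations, i.e. the operator's table on the page."""
    return {(a, b): op(a, b) for a in Decision for b in Decision}


# --- Constructed rules: with every attribute True they return three different decisions ---

Attributes = Dict[str, bool]
Rule = Callable[[Attributes], Decision]


def rule_owner(attrs: Attributes) -> Decision:
    # Assumed rule: the owner of a resource may access it.
    return P if attrs.get("is_owner") else NA


def rule_blacklisted(attrs: Attributes) -> Decision:
    # Assumed rule: a blacklisted subject is denied.
    return D if attrs.get("is_blacklisted") else NA


def rule_read_live(attrs: Attributes) -> Decision:
    # Assumed rule: only applies to non-archived resources, so it is NA when is_archived is True.
    return NA if attrs.get("is_archived") else P


RULES: List[Rule] = [rule_owner, rule_blacklisted, rule_read_live]


def evaluate(op_name: str, rules: List[Rule], attrs: Attributes) -> Decision:
    """Evaluate every rule, then fold the decisions pairwise with the chosen operator."""
    decisions = [rule(attrs) for rule in rules]
    return reduce(OPERATORS[op_name], decisions)


def all_operators(rules: List[Rule], attrs: Attributes) -> Dict[str, Decision]:
    """The same request under each operator, to compare the results side by side."""
    return {name: evaluate(name, rules, attrs) for name in OPERATORS}


ALL_TRUE: Attributes = {"is_owner": True, "is_blacklisted": True, "is_archived": True}
NOTHING_APPLIES: Attributes = {"is_owner": False, "is_blacklisted": False, "is_archived": True}

if __name__ == "__main__":
    for label, attrs in (("all attributes True", ALL_TRUE), ("no rule applies", NOTHING_APPLIES)):
        print(label)
        for name, decision in all_operators(RULES, attrs).items():
            print(f"  {name}: {decision.value}")
```

With every attribute True the rules return Permit, Deny and NotApplicable respectively, so POV and DUP yield Permit, DOV and PUD yield Deny, and FA yields Permit because the owner rule comes first. The second request, where no rule applies at all, is the one that separates PUD and DUP from their DOV and POV look-alikes: POV, DOV and FA return NotApplicable, PUD returns Permit and DUP returns Deny. When a policy set is the last decision point before a resource, that difference is the fail-open versus fail-closed default, so the operator at the root of the policy tree deserves the same review as the rules themselves.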


Last modified March 21, 2021