Extended composition

With the introduction of Indeterminate decisions, the composition of rules becomes more complex. Note that, for the sake of compactness, we abbreviate Indeterminate to Ind in the definitions below.

In general, an easy way to extend the composition operators is to consider a set-based interpretation of the Indeterminate decision:

| Decision | Set-based decision |
|---|---|
| Permit | {Permit} |
| Deny | {Deny} |
| NA | {NA} |
| Ind(P) | {Permit, NA} |
| Ind(D) | {Deny, NA} |
| Ind(PD) | {Permit, Deny} |
| Ind(PD) | {Permit, Deny, NA} |

Note that Ind(PD) is mapped to two different set-based decisions. In practice, this does not make a huge difference. In other words, the decision Permit indicates that only Permit is the right decision, while Ind(P) indicates that the decision could be either Permit or NA (but not Deny). When composing extended decisions, we can simply apply the operator to every possible combination across the two set-based decisions.

For instance, in order to compute POV(Ind(P), Ind(D)), we consider it as POV({Permit, NA}, {Deny, NA}), and therefore we compute the different possibilities:

  1. POV(Permit, Deny) = Permit
  2. POV(Permit, NA) = Permit
  3. POV(NA, Deny) = Deny
  4. POV(NA, NA) = NA

We can conclude that POV(Ind(P), Ind(D)) = {Permit, Permit, Deny, NA} = Ind(PD).

Note that this only applies to POV and DOV. The other operators tend to keep a simple interpretation. We provide the full definitions of the extended operators below, but as an exercise, try to calculate the following:

  • POV(Permit, Ind(P)) = ?
  • POV(Permit, Ind(D)) = ?
  • POV(Deny, Ind(P)) = ?
  • DOV(Deny, Ind(P)) = ?
  • DOV(Permit, Ind(P)) = ?

Permit-Overrides

XACML proposes an algorithmic definition of POV:

The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision. This algorithm has the following behaviour:

  1. If any decision is “Permit”, the result is “Permit”.
  2. Otherwise, if any decision is “Ind{DP}”, the result is “Ind{DP}”.
  3. Otherwise, if any decision is “Ind{P}” and another decision is “Ind{D}” or “Deny”, the result is “Ind{DP}”.
  4. Otherwise, if any decision is “Ind{P}”, the result is “Ind{P}”.
  5. Otherwise, if any decision is “Deny”, the result is “Deny”.
  6. Otherwise, if any decision is “Ind{D}”, the result is “Ind{D}”.
  7. Otherwise, the result is “NotApplicable”.

| POV | Permit | Deny | NA | Ind(P) | Ind(D) | Ind(PD) |
|---|---|---|---|---|---|---|
| Permit | Permit | Permit | Permit | Permit | Permit | Permit |
| Deny | Permit | Deny | Deny | Ind(PD) | Deny | Ind(PD) |
| NA | Permit | Deny | NA | Ind(P) | Ind(D) | Ind(PD) |
| Ind(P) | Permit | Ind(PD) | Ind(P) | Ind(P) | Ind(PD) | Ind(PD) |
| Ind(D) | Permit | Deny | Ind(D) | Ind(PD) | Ind(D) | Ind(PD) |
| Ind(PD) | Permit | Ind(PD) | Ind(PD) | Ind(PD) | Ind(PD) | Ind(PD) |

Deny-Overrides

According to the XACML specification, DOV is analogous to POV, but favours Deny instead of Permit.

This algorithm has the following behaviour:

  1. If any decision is “Deny”, the result is “Deny”.
  2. Otherwise, if any decision is “Indeterminate{DP}”, the result is “Indeterminate{DP}”.
  3. Otherwise, if any decision is “Indeterminate{D}” and another decision is “Indeterminate{P}” or “Permit”, the result is “Indeterminate{DP}”.
  4. Otherwise, if any decision is “Indeterminate{D}”, the result is “Indeterminate{D}”.
  5. Otherwise, if any decision is “Permit”, the result is “Permit”.
  6. Otherwise, if any decision is “Indeterminate{P}”, the result is “Indeterminate{P}”.
  7. Otherwise, the result is “NotApplicable”.

| DOV | Permit | Deny | NA | Ind(P) | Ind(D) | Ind(PD) |
|---|---|---|---|---|---|---|
| Permit | Permit | Deny | Permit | Permit | Ind(PD) | Ind(PD) |
| Deny | Deny | Deny | Deny | Deny | Deny | Deny |
| NA | Permit | Deny | NA | Ind(P) | Ind(D) | Ind(PD) |
| Ind(P) | Permit | Deny | Ind(P) | Ind(P) | Ind(PD) | Ind(PD) |
| Ind(D) | Ind(PD) | Deny | Ind(D) | Ind(PD) | Ind(D) | Ind(PD) |
| Ind(PD) | Ind(PD) | Deny | Ind(PD) | Ind(PD) | Ind(PD) | Ind(PD) |
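
The following is an added example, not part of the original page or of the XACML specification: it lifts the basic POV and DOV operators through the set-based interpretation and checks the result against the seven-step algorithms for all 36 pairs of extended decisions. The function names are hypothetical, and the basic three-valued operators are assumed to be the usual ones (for POV, Permit beats Deny, which beats NA), consistent with the worked POV(Ind(P), Ind(D)) computation above.

```python
from itertools import product

P, D, NA = "Permit", "Deny", "NA"
# Set-based reading of each extended decision, as in the first table.
# Ind(PD) has two readings; {Permit, Deny, NA} is the one expanded here.
SETS = {P: {P}, D: {D}, NA: {NA},
        "Ind(P)": {P, NA}, "Ind(D)": {D, NA}, "Ind(PD)": {P, D, NA}}
NAMES = {frozenset(s): name for name, s in SETS.items()}
NAMES[frozenset({P, D})] = "Ind(PD)"  # the other reading of Ind(PD)

def basic_override(win, lose):
    """Assumed basic operator: `win` beats `lose`, which beats NA."""
    def op(a, b):
        return win if win in (a, b) else lose if lose in (a, b) else NA
    return op

def lift(op):
    """Extend a basic operator by applying it to every combination."""
    def extended(x, y):
        outcomes = {op(a, b) for a, b in product(SETS[x], SETS[y])}
        return NAMES[frozenset(outcomes)]
    return extended

POV = lift(basic_override(P, D))
DOV = lift(basic_override(D, P))

def xacml_overrides(decisions, win, lose):
    """Seven-step algorithm from this page; win=Permit gives POV."""
    ind_win, ind_lose = f"Ind({win[0]})", f"Ind({lose[0]})"
    seen = set(decisions)
    if win in seen:
        return win
    if "Ind(PD)" in seen:
        return "Ind(PD)"
    if ind_win in seen and (ind_lose in seen or lose in seen):
        return "Ind(PD)"
    for d in (ind_win, lose, ind_lose):  # steps 4, 5 and 6, in order
        if d in seen:
            return d
    return NA

def disagreements():
    """Pairs on which the set-based lifting and the algorithm differ."""
    checks = (("POV", POV, P, D), ("DOV", DOV, D, P))
    return [(name, x, y) for name, ext, win, lose in checks
            for x, y in product(SETS, repeat=2)
            if ext(x, y) != xacml_overrides([x, y], win, lose)]
```

An empty list from `disagreements()` means the set-based lifting and the algorithmic definitions agree on every pair; a policy engine's combining code can be regression-tested the same way.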

PUD

PUD is directly extended from its basic definition.

| PUD | Permit | Deny | NA | Ind(P) | Ind(D) | Ind(PD) |
|---|---|---|---|---|---|---|
| Permit | Permit | Deny | Permit | Permit | Permit | Permit |
| Deny | Deny | Deny | Deny | Deny | Deny | Deny |
| NA | Permit | Deny | Permit | Permit | Permit | Permit |
| Ind(P) | Permit | Deny | Permit | Permit | Permit | Permit |
| Ind(D) | Permit | Deny | Permit | Permit | Permit | Permit |
| Ind(PD) | Permit | Deny | Permit | Permit | Permit | Permit |

DUP

DUP is directly extended from its basic definition.

| DUP | Permit | Deny | NA | Ind(P) | Ind(D) | Ind(PD) |
|---|---|---|---|---|---|---|
| Permit | Permit | Permit | Permit | Permit | Permit | Permit |
| Deny | Permit | Deny | Deny | Deny | Deny | Deny |
| NA | Permit | Deny | Deny | Deny | Deny | Deny |
| Ind(P) | Permit | Deny | Deny | Deny | Deny | Deny |
| Ind(D) | Permit | Deny | Deny | Deny | Deny | Deny |
| Ind(PD) | Permit | Deny | Deny | Deny | Deny | Deny |

FA

The extended definition of First-Applicable is an interesting case. Morisset & Zannone (2014) argue that the definition given in XACML is not compatible with the intuition that Indeterminate(X) decisions correspond to either X or NA. We present below the definition from Morisset & Zannone (2014) rather than the XACML one.

| FA | Permit | Deny | NA | Ind(P) | Ind(D) | Ind(PD) |
|---|---|---|---|---|---|---|
| Permit | Permit | Permit | Permit | Permit | Permit | Permit |
| Deny | Deny | Deny | Deny | Deny | Deny | Deny |
| NA | Permit | Deny | NA | Ind(P) | Ind(D) | Ind(PD) |
| Ind(P) | Ind(P) | Ind(P) | Ind(P) | Ind(P) | Ind(P) | Ind(P) |
| Ind(D) | Ind(D) | Ind(D) | Ind(D) | Ind(D) | Ind(D) | Ind(D) |
| Ind(PD) | Ind(PD) | Ind(PD) | Ind(PD) | Ind(PD) | Ind(PD) | Ind(PD) |

Only-one-applicable (OOA)

Finally, the operator OOA returns an Indeterminate decision when more than one policy returns Permit or Deny.

| OOA | Permit | Deny | NA | Ind(P) | Ind(D) | Ind(PD) |
|---|---|---|---|---|---|---|
| Permit | Ind(PD) | Ind(PD) | Permit | Ind(P) | Ind(D) | Ind(PD) |
| Deny | Ind(PD) | Ind(PD) | Deny | Ind(P) | Ind(D) | Ind(PD) |
| NA | Permit | Deny | NA | Ind(P) | Ind(D) | Ind(PD) |
| Ind(P) | Ind(P) | Ind(P) | Ind(P) | Ind(P) | Ind(PD) | Ind(PD) |
| Ind(D) | Ind(D) | Ind(D) | Ind(D) | Ind(PD) | Ind(D) | Ind(PD) |
| Ind(PD) | Ind(PD) | Ind(PD) | Ind(PD) | Ind(PD) | Ind(PD) | Ind(PD) |

References

Morisset, C., & Zannone, N. (2014). Reduction of access control decisions. In Proceedings of the 19th ACM symposium on Access control models and technologies (pp. 53-62). ACM.


Last modified December 6, 2019