My scenario is I have a Policy with several rules and all the rules need to be true for the policy to be true. For example:
Policy A
- Rule 1
- Rule 2
- Rule 3
For Policy A to be applicable, I need all three Rules to return true, and if even one of them returns false, it should go check the other policies in my PolicySet.
What I have right now is:
<!-- shortened for brevity -->
<Policy RuleCombiningAlgId="...:deny-overrides">
<Rule id="1" Effect="Permit">
...
</Rule>
<Rule id="2" Effect="Permit">
...
</Rule>
<Rule id="3" Effect="Permit">
...
</Rule>
</Policy>
I think my problem is that none of my rules return "Deny", but I initially thought that if it's not Permit, it should be Deny. I thought of putting a not on all of my rules, but that would make it inelegant.
If it's relevant, I am using the Authzforce library.
all the rules need to be true for the policy to be true
In terms of XACML, I guess you mean: Policy must return Permit if and only if all Rules inside return Permit. I can't think of any rule combining algorithm in the XACML standard that simply does that. So I suggest two options:
Option A: Wrap each Rule in a deny-unless-permit Policy, and use permit-unless-deny at the top-level (Policy A becomes PolicySet A).
<?xml version="1.0" encoding="utf-8"?>
<PolicySet PolicySetId="A" PolicyCombiningAlgId="...:permit-unless-deny">
<Policy RuleCombiningAlgId="...:deny-unless-permit">
<Rule id="1" Effect="Permit">
...
</Rule>
</Policy>
<Policy RuleCombiningAlgId="...:deny-unless-permit">
<Rule id="2" Effect="Permit">
...
</Rule>
</Policy>
<Policy RuleCombiningAlgId="...:deny-unless-permit">
<Rule id="3" Effect="Permit">
...
</Rule>
</Policy>
</PolicySet>
In this case, PolicySet A returns Permit if and only if (iff) no Policy returns Deny (by definition of permit-unless-deny algorithm). Since each Policy returns Permit iff the Rule returns Permit, else Deny (by definition of deny-unless-permit algorithm), this is equivalent to: Policy A returns Permit iff all Policies return Permit, i.e. iff all Rules return Permit.
Option B: Implement a new Combining Algorithm extension for AuthzForce.
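To make the difference between the two layouts concrete, here is an added Python model (not code from the original post, and not AuthzForce's implementation) of the three XACML 3.0 combining algorithms involved, simplified to the four basic decisions and ignoring the extended Indeterminate variants and obligations. It evaluates both the asker's single deny-overrides Policy and Option A against constructed requests; the attribute names (role, action, resource) and the rule conditions are assumptions chosen for illustration. The point it shows is that a Permit Rule whose condition fails returns NotApplicable, not Deny, and deny-overrides ignores NotApplicable, so the original layout permits as soon as any one rule matches, while Option A permits only when all three match. One caveat a practitioner will want: Option A returns Deny (not NotApplicable) when a rule fails, so whether the enclosing PolicySet then goes on to consider its other policies depends on that outer PolicySet's own combining algorithm.

```python
from typing import Callable, Dict, Iterable, List

PERMIT = "Permit"
DENY = "Deny"
NOT_APPLICABLE = "NotApplicable"
INDETERMINATE = "Indeterminate"

Request = Dict[str, str]
Rule = Callable[[Request], str]


# --- Simplified XACML 3.0 combining algorithms ---------------------------

def deny_overrides(decisions: Iterable[str]) -> str:
    """Deny wins; otherwise Indeterminate; otherwise Permit; else NotApplicable.
    NotApplicable children are effectively ignored."""
    ds = list(decisions)
    if DENY in ds:
        return DENY
    if INDETERMINATE in ds:
        return INDETERMINATE
    if PERMIT in ds:
        return PERMIT
    return NOT_APPLICABLE


def deny_unless_permit(decisions: Iterable[str]) -> str:
    """Permit iff at least one child permits; everything else becomes Deny."""
    return PERMIT if PERMIT in decisions else DENY


def permit_unless_deny(decisions: Iterable[str]) -> str:
    """Deny iff at least one child denies; everything else becomes Permit."""
    return DENY if DENY in decisions else PERMIT


# --- Rules ----------------------------------------------------------------

def permit_rule(condition: Callable[[Request], bool]) -> Rule:
    """A Rule with Effect="Permit": Permit when its condition holds,
    NotApplicable otherwise. It never yields Deny on its own."""
    def rule(request: Request) -> str:
        return PERMIT if condition(request) else NOT_APPLICABLE
    return rule


# Assumed rule conditions standing in for the "..." in the post's Rules 1-3.
RULES: List[Rule] = [
    permit_rule(lambda r: r.get("role") == "doctor"),
    permit_rule(lambda r: r.get("action") == "read"),
    permit_rule(lambda r: r.get("resource") == "record"),
]


# --- The two layouts -------------------------------------------------------

def original_policy(request: Request) -> str:
    """The asker's layout: one Policy, deny-overrides, three Permit Rules."""
    return deny_overrides(rule(request) for rule in RULES)


def option_a(request: Request) -> str:
    """Option A: each Rule wrapped in its own deny-unless-permit Policy,
    those Policies combined with permit-unless-deny in PolicySet A."""
    policy_decisions = [deny_unless_permit([rule(request)]) for rule in RULES]
    return permit_unless_deny(policy_decisions)


# Constructed sample requests (not from the original post).
ALL_MATCH: Request = {"role": "doctor", "action": "read", "resource": "record"}
ONE_MATCH: Request = {"role": "doctor", "action": "write", "resource": "invoice"}
NONE_MATCH: Request = {"role": "nurse", "action": "write", "resource": "invoice"}


if __name__ == "__main__":
    for name, req in (("all rules match", ALL_MATCH),
                      ("one rule matches", ONE_MATCH),
                      ("no rule matches", NONE_MATCH)):
        print(f"{name:18s} original={original_policy(req):14s} "
              f"optionA={option_a(req)}")
```

Running the module prints one line per request; the middle line is the asker's problem in miniature: the original deny-overrides Policy returns Permit for ONE_MATCH, whereas Option A returns Deny.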