PingAuthorize

Rules and combining algorithms

Policies can include one or more rules to produce a fine-grained authorization decision of Permit, Deny, Indeterminate, or Not Applicable.

To evaluate the overall decision of a policy, the policy decision point (PDP) applies a combining algorithm. The default algorithm set on a new policy is "The first applicable will be the final decision". This algorithm stops evaluating as soon as it reaches a decision that is not Not Applicable.

The following table identifies available combining algorithms and describes their effects. The charts show one example of a decision evaluation for each combining algorithm; other evaluation paths are possible. The chart legend is displayed before the table. The first column in each chart represents the overall decision returned by the policy. The second column represents child decisions that produce the resulting policy decision.

Legend for the combining algorithm charts.
Combining algorithm Summary Details

PermitUnlessDeny

Chart showing an example path for unless one decision is deny, the decision will be permit.

Unless one decision is deny, the decision is permit.

The policy defaults to Permit unless any of its children produce the decision Deny. The evaluation of rules stops as soon as a Deny is produced.

DenyUnlessPermit

Chart showing an example path for unless one decision is permit, the decision will be deny.

Unless one decision is permit, the decision is deny.

The policy defaults to Deny unless any of its children produce the decision Permit. The evaluation of rules stops as soon as a Permit is produced.

PermitOverrides

Chart showing an example path for single permit overriding any deny decisions.

A single permit overrides any deny decisions.

If any child produces the decision Permit, the policy returns Permit and stops evaluating rules. If no Permit is generated, all rules are evaluated, and the policy returns Indeterminate if a child produces Indeterminate. Otherwise, the policy returns Deny if a child produces Deny. If none of the previous situations occur, the policy returns Not Applicable.

DenyOverrides

Chart showing an example path for single deny overriding any permit decisions.

A single deny overrides any permit decisions.

If any child produces the decision Deny, the policy returns Deny and stops evaluating rules. If no Deny is generated, all rules are evaluated, and the policy returns Indeterminate if a child produces Indeterminate. Otherwise, the policy returns Permit if a child produces Permit. If none of the previous situations occur, the policy returns Not Applicable.

FirstApplicable

Chart showing an example path for the first applicable decision will be the final decision.

The first applicable decision is the final decision.

Evaluates the children in turn until one produces an applicable value of Permit, Deny, or Indeterminate. If the evaluation produces no applicable decisions, the policy returns Not Applicable.

OnlyOneApplicable

Chart showing an example path for only one child may produce a decision. If more than one is produced, the result will be indeterminate.

Only one child can produce a decision. If more than one child produces a decision, the result is indeterminate.

Evaluates the children in turn. If at any point two children produce a decision other than Not Applicable, the policy returns Indeterminate. Otherwise, if precisely one child produces an applicable decision, the policy uses it. If the evaluation produces no applicable decisions, the policy returns Not Applicable.

DenyUnlessThreshold

Chart showing an example path for a group of rules evaluating to a final decision based on their weights and a decision threshold value

Permit if the weighted average of applicable child decisions meets the threshold; otherwise deny.

Assigns the policy’s children weights between 0 and 100. If a child returns Permit, the weight is added to a running total. If a child returns Deny, the weight is subtracted from the running total. After evaluating all children, the PDP divides the total by the number of children and compares that average against the threshold. If the average is greater than or equal to the threshold, the policy returns Permit. Otherwise, the policy returns Deny.
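
The table above, modelled as an added Python example (not PingAuthorize code or its API): each function takes the child decisions as an already-evaluated list, an assumption that leaves out short-circuit evaluation, and all function names are hypothetical. Running the same children through every algorithm shows which ones return Permit when no rule applies or when a rule evaluates to Indeterminate.

```python
# Added model of the combining algorithms in the table above.
# Not PingAuthorize code: names and list-of-decisions input are assumptions.
PERMIT, DENY, INDET, NA = "Permit", "Deny", "Indeterminate", "Not Applicable"

def permit_unless_deny(children):
    return DENY if DENY in children else PERMIT    # anything but Deny ends as Permit

def deny_unless_permit(children):
    return PERMIT if PERMIT in children else DENY  # anything but Permit ends as Deny

def _overrides(children, winner, loser):
    # The winner decides at once; otherwise Indeterminate, then loser, then NA.
    for outcome in (winner, INDET, loser):
        if outcome in children:
            return outcome
    return NA

def permit_overrides(children):
    return _overrides(children, PERMIT, DENY)

def deny_overrides(children):
    return _overrides(children, DENY, PERMIT)

def first_applicable(children):
    return next((c for c in children if c != NA), NA)

def only_one_applicable(children):
    applicable = [c for c in children if c != NA]
    if len(applicable) > 1:
        return INDET
    return applicable[0] if applicable else NA

def deny_unless_threshold(weighted, threshold):
    # weighted: (decision, weight) pairs; total is divided by the child count.
    if not weighted:
        return DENY                                # assumption: no children means Deny
    total = sum(w if d == PERMIT else -w if d == DENY else 0 for d, w in weighted)
    return PERMIT if total / len(weighted) >= threshold else DENY

ALGORITHMS = [permit_unless_deny, deny_unless_permit, permit_overrides,
              deny_overrides, first_applicable, only_one_applicable]

def compare(children):
    return {alg.__name__: alg(children) for alg in ALGORITHMS}

if __name__ == "__main__":
    # Constructed inputs: no rule matched, and one rule failed to evaluate.
    for sample in ([NA, NA], [INDET, NA], [NA, INDET, DENY, PERMIT]):
        print(sample, compare(sample))
```

With no applicable child, or with only an Indeterminate child, PermitUnlessDeny returns Permit while DenyUnlessPermit returns Deny, which is the behaviour to check before relying on a policy as a default-deny gate.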