Combining algorithms
PingOne Authorize policies can combine multiple rules to produce a Permit
, Deny
, Indeterminate
, or Not Applicable
decision.
To evaluate the overall decision of a policy, the decision service applies a combining algorithm. The default algorithm for a new policy is The first applicable decision will be the final decision. This algorithm stops evaluating as soon as it reaches a decision that isn’t Not Applicable
.
The following table identifies available combining algorithms and describes their effects. The charts show one example of a decision evaluation for each combining algorithm; other evaluation paths are possible. The chart legend is displayed before the table. The first column in each chart represents the overall decision returned by the policy. The second column represents child decisions that produce the resulting policy decision.
Combining algorithm | Details |
---|---|
A single permit will override any deny decisions |
If any children produce the decision If no If none of the previous situations occur, the policy returns |
A single deny will override any permit decisions |
If any children produce the decision If no If none of the previous situations occur, the policy returns |
Unless one decision is deny, the decision will be permit |
The policy defaults to |
Unless one decision is permit, the decision will be deny |
The policy defaults to |
The first applicable decision will be the final decision |
The decision engine evaluates the children in turn until one produces an applicable value of If the evaluation produces no applicable decisions, the policy returns |
Only one child may produce a decision. If more than one is produced, the result will be indeterminate |
The decision engine evaluates the children in turn. If at any point two children produce a decision other than Otherwise, if precisely one child produces an applicable decision, the policy uses it. If evaluation produces no applicable decisions, the policy returns |