Composing Authorization
The OASIS policy model comprises three policy element types: Rules, Policies and Policy Sets. These are composed to form the authorization policy to be evaluated.
Target
Each policy element (Policy, Policy Set or Rule) can contain an optional target, a boolean condition over the request. When a policy element contains a target expression, the PDP only considers that element if the expression evaluates to true.
Rule
The purpose of a rule is to produce either a permit or a deny. A rule has a defined outcome of either permit or deny and a boolean condition; the PDP will propagate the outcome if the rule condition evaluates to true.
Policy
A Policy combines multiple rules to produce a single outcome. The PDP considers each rule and combines the outcomes using the policy's combining algorithm. Examples of combining algorithms:
- First applicable - the first rule (in document order) that produces an outcome is the one taken forward
- Deny unless permit - unless some rule issues an explicit permit, the outcome is deny
- Deny overrides permit - if the rules in the policy produce conflicting outcomes, deny is taken forward
Policy Set
A Policy Set combines multiple policies or policy sets to produce a single outcome. The PDP considers each policy and policy set and combines the outcomes using the policy set's combining algorithm.
Obligations and Advice
In addition to providing a permit or deny outcome, policy elements can emit obligations and advice attached to a particular outcome. Obligations represent actions that the PEP executes before delivering the policy outcome. Advice describes actions that the PEP may execute.
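The composition described above (targets, rules, policies combined by an algorithm, and policy sets nesting policies) together with obligations, as an added example in plain Python; it is not code from the original page or from any XACML implementation, and all class and function names are assumptions chosen for illustration. Advice is omitted; it would be carried the same way as obligations.

```python
# Added example (not part of the original documentation): a minimal evaluator
# for Rule / Policy / Policy Set composition. Names are assumptions, not a
# project's own API. Each evaluate() returns (decision, obligations).
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
Cond = Callable[[dict], bool]            # boolean expression over request attributes
Result = Tuple[str, List[str]]

@dataclass
class Rule:
    effect: str                          # outcome propagated when the condition holds
    condition: Cond = lambda req: True
    target: Optional[Cond] = None        # element is skipped unless its target is true
    obligations: List[str] = field(default_factory=list)

    def evaluate(self, req: dict) -> Result:
        if self.target is not None and not self.target(req):
            return NA, []                # target false: element not considered
        if self.condition(req):
            return self.effect, list(self.obligations)
        return NA, []                    # condition false: no outcome to propagate

# Combining algorithms: each maps the children's results to one result.
def first_applicable(results: List[Result]) -> Result:
    for decision, obls in results:
        if decision != NA:
            return decision, obls        # first child with an outcome wins
    return NA, []

def deny_unless_permit(results: List[Result]) -> Result:
    for decision, obls in results:
        if decision == PERMIT:
            return PERMIT, obls
    return DENY, []                      # no explicit permit: deny, even if all NA

def deny_overrides(results: List[Result]) -> Result:
    applicable = [r for r in results if r[0] != NA]
    for decision, obls in applicable:
        if decision == DENY:
            return DENY, obls            # any deny beats any number of permits
    return (PERMIT, applicable[0][1]) if applicable else (NA, [])

@dataclass
class Policy:  # doubles as a Policy Set: children may be Rules or Policies
    combine: Callable[[List[Result]], Result]
    children: list
    target: Optional[Cond] = None

    def evaluate(self, req: dict) -> Result:
        if self.target is not None and not self.target(req):
            return NA, []
        return self.combine([child.evaluate(req) for child in self.children])
```

Obligations travel with the outcome that produced them, so a PEP receiving the combined result still sees which actions it must perform before enforcing it.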