Multiple Policies in PDP – Policy ordering and combining

As we already know, there can be multiple policies in the PDP policy store.  For each XACML request, PDP would pick the applicable policy (or policies) based on  policy’s  Target element.
Complexity would be;  when more than one policy is applicable  for the request. Then PDP needs to combine the result based on the policy combining algorithm.  Policy combining algorithm is configured for the PDP. Most cases,  it would be  only-one-applicable or deny override by default.

There are two main things that PDP need to care about.

  • PDP needs to evaluate policies in an order that have been defined by the policy administrator.
  • PDP needs to combing the results based on the algorithm that has been defined by the policy administrator.

Lets see, how typical PDP have been achieve them by going through open source XACML engine.. i.e WSO2 Identity Server.

Policy Order

Identity Server provides management console for policy administration. Here, policy administrator can configure the policy order.  Before version 4.5.0,  there was a up/down arrow keys that policies can be moved in UI and reorder them.

But when it comes to large number of policies, we identified that this is not scale much. There were some performance issues with policy reordering.  Therefore  with 4.5.0 , it has been introduced some different approach; sometime it may not use friendly for policy administrators.  But it is scaled for large  number of policies.

With 4.5.0,  policy administrator can define the policy order for each policy manually.  Policy order is an integer value and highest integer value means that policy is in the top (it is evaluated as 1st policy in the PDP).  When policy is created or uploaded; If we do not mentioned any specific value, policy order is set to “zero” by default.  It means,  Policy would be in the bottom. If there are two policies with same order,  natural order of “policy id” would be taken in to account.

Once policy reordering is done,  PDP policy cache would be reinitialized.  Policy cache contains the policy based on the policy order.

Policy Combining algorithm

Identity Server provides configuration option to set the policy configuring algorithm in run time. Default policy combing algorithm is deny-override.

However you can change the default algorithm using entitlement.properties file which can be found at <IS_HOME>/repository/conf/security directory.

PDP.Global.Policy.Combining.Algorithm=urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides

Underline,  policy combing evaluation is happen with Balana.  Also you can write new custom algorithms and configure them with Balana (or Identity Server). Please fine more details from here.

I guess, there may be lot things to improve with Identity Server regrading policy ordering and combining. Please let us know your thoughts.  Then we can have them in next release.