Policies and Policy Sets
The main constructs of the Security Policy Markup Language (SPML) are the Policy and the Policy Set. Each is a named, top-level XML element, and every SPML file must contain either a Policy or a Policy Set as its top-level element. Policies and Policy Sets are also the constructs that are applied to Trusted RUBIX (TR) objects.
A Policy is the SPML construct that contains policy rules, attribute-level logic, and their associated functions. A Policy may contain more than one rule, in which case an algorithm is chosen to define how the rules interrelate. For example, the "Ordered Permit Override" algorithm evaluates each rule in order, and the first rule that evaluates to Permit causes the Policy to evaluate to Permit.
A Policy Set contains other Policies and an algorithm that defines how they interrelate. Policies may be included in a Policy Set either explicitly or by named reference; when included by reference, the Policy may reside in a separate SPML file. A Policy may be included by reference in more than one Policy Set, allowing modular policy design and efficient reuse.
Policies and Policy Sets have a specified target. The target specifies which subjects, objects, and actions are controlled by the policy.
Security-relevant actions (e.g., setting a row field), called obligations, may be associated with both Policies and Policy Sets. These actions may be configured to execute when the policy evaluates to Permit or to Deny.
The following diagram shows multiple Policies (light blue) and Policy Sets (yellow) organized to allow a Multilevel Security override for a read-only and a read-write Security Administrator. The top-level Policy or Policy Set that contains all of the needed security logic is applied to TR objects.
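To make the evaluation semantics above concrete, here is an added Python model of Policies, Policy Sets, targets, the Ordered Permit Override algorithm, inclusion by named reference, and obligations. It is not Trusted RUBIX code and uses no SPML syntax; every class, policy name, attribute and value is a constructed assumption, and the scenario is only loosely modelled on the read-only administrator override the diagram describes.

```python
# Constructed model of the Policy / Policy Set semantics above (hypothetical names, not SPML syntax).
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

def ordered_permit_override(decisions) -> Optional[str]:
    """Evaluate in order: first Permit wins; else Deny if any Deny; else None (not applicable)."""
    saw_deny = False
    for d in decisions:
        if d == "Permit":
            return "Permit"
        saw_deny = saw_deny or d == "Deny"
    return "Deny" if saw_deny else None

def target(subjects=None, objects=None, actions=None):  # the subjects/objects/actions controlled
    return lambda r: all(allowed is None or r[key] in allowed for key, allowed in
                         (("subject", subjects), ("object", objects), ("action", actions)))

@dataclass
class Rule:
    effect: str                        # "Permit" or "Deny"
    condition: Callable[[dict], bool]  # attribute-level logic over the request
    def evaluate(self, req: dict, *_) -> Optional[str]:
        return self.effect if self.condition(req) else None

@dataclass
class Policy:  # holds Rules; a Policy Set is the same container holding Policies
    name: str
    target: Callable[[dict], bool]
    children: List[Union[Rule, "Policy", str]]                       # str = named reference
    obligations: Dict[str, List[str]] = field(default_factory=dict)  # effect -> actions to run
    def evaluate(self, req: dict, registry: Dict[str, "Policy"], fired: List[str]) -> Optional[str]:
        if not self.target(req):
            return None
        resolved = (registry[c] if isinstance(c, str) else c for c in self.children)
        decision = ordered_permit_override(c.evaluate(req, registry, fired) for c in resolved)
        fired.extend(self.obligations.get(decision, []))  # obligations fire on Permit or Deny
        return decision
PolicySet = Policy

def decide(top: Policy, req: dict, registry: Dict[str, Policy]):
    fired: List[str] = []               # obligations triggered along the evaluation path
    return top.evaluate(req, registry, fired), fired
# Constructed scenario: an MLS read check that a read-only security administrator may override.
MLS = Policy("mls_read", target(actions={"read"}),
             [Rule("Deny", lambda r: r["clearance"] < r["label"]),
              Rule("Permit", lambda r: r["clearance"] >= r["label"])])
SA = Policy("sa_ro_override", target(subjects={"sec_admin_ro"}, actions={"read"}),
            [Rule("Permit", lambda r: True)], {"Permit": ["audit_mls_override"]})
REGISTRY = {p.name: p for p in (MLS, SA)}                 # as if loaded from separate files
TOP = PolicySet("top", target(), ["sa_ro_override", "mls_read"])  # included by named reference
```

Because the algorithm stops at the first Permit, the administrator request never reaches the MLS policy, while an ordinary reader with insufficient clearance is denied and a non-read action falls outside every target.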