26.3. Data types and permission processing

As already mentioned, an authorization policy consists of a set of rules, each granting a permission. The rules are independent of each other and are processed in a single pass, so the order in which they appear is irrelevant. Once all rules have been processed, a so-called "resultant" is computed from all the permissions granted by the rules that matched. This is another important difference between Common Policy and other access control schemes. For instance, the classic *nix file-permission model (a simplified form of an Access Control List, ACL) holds three entries, for the owning user, the owning group and everyone else, and these are checked in that order; the first entry that matches the requesting user determines the access rights, and the remaining entries are not consulted.

Because of this processing model, several rules may match the same user and grant the same permission with different levels of access. To resolve this ambiguity, Common Policy defines a combining algorithm that merges the values granted by the individual matching rules into a single value. How the values are merged depends on the data type of the permission: boolean, integer or set.

A boolean permission has only two values, TRUE and FALSE. Boolean values are combined with a logical OR: if at least one matching rule grants TRUE, the resultant is TRUE; if none does, the resultant is FALSE. The default is FALSE, so when no rule matches at all the resultant for a boolean permission is FALSE and nothing is granted. Note that this makes the combination purely additive: a rule granting TRUE cannot be overridden by another matching rule that grants FALSE, so there is no "deny" rule in Common Policy, and the only way to withhold a permission is to ensure that no matching rule grants it.
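The following Python program is an added worked example of the processing model described above; it is not code from the book or from any Common Policy implementation. It visits every rule once, collects the permissions granted by the rules whose identity condition matches the requesting user, and merges them by data type: boolean with OR as described here, and, going beyond the boolean case in this paragraph, integer by maximum and set by union, which are the combining rules of RFC 4745 (section 10.2). The rule identifiers, the identities and the permission names (allow-subscribe, max-expires, visible-tuples) are constructed for the example and are not names defined by any Common Policy application.

```python
"""Combining Common Policy permissions: every rule is visited once, the
rules that match the requesting identity are collected, and the values
they grant for each permission are merged by data type into a resultant.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Union

# A permission value is boolean, integer or set (the three Common Policy types).
PermValue = Union[bool, int, FrozenSet[str]]


@dataclass
class Rule:
    """One rule: the identities its condition matches and the permissions
    it grants. The permission names used below are constructed for this
    example, not names defined by any Common Policy application."""
    rule_id: str
    identities: FrozenSet[str]
    permissions: Dict[str, PermValue] = field(default_factory=dict)

    def matches(self, identity: str) -> bool:
        # A real <conditions> element also carries sphere and validity;
        # only the identity condition is modelled here.
        return identity in self.identities


def combine(values: List[PermValue]) -> PermValue:
    """Merge the values granted for a single permission.

    boolean -> logical OR   (TRUE if any matching rule grants TRUE)
    integer -> maximum      (the highest granted level wins)
    set     -> union        (everything any matching rule included)
    The integer and set rules are those of RFC 4745, section 10.2.
    """
    first = values[0]
    # Refuse to merge a permission whose rules disagree about its type.
    # bool is a subclass of int in Python, so the bool branch comes first.
    if any(type(v) is not type(first) for v in values):
        raise TypeError("a permission must have one data type across rules")
    if isinstance(first, bool):
        return any(values)
    if isinstance(first, int):
        return max(values)
    if isinstance(first, frozenset):
        return frozenset().union(*values)
    raise TypeError(f"unsupported permission type {type(first).__name__}")


def evaluate(rules: List[Rule], identity: str) -> Dict[str, PermValue]:
    """One pass over all rules; rules that do not match contribute nothing.
    Returns the resultant: one combined value per permission that at least
    one matching rule granted. No matching rule -> empty resultant."""
    granted: Dict[str, List[PermValue]] = {}
    for rule in rules:
        if rule.matches(identity):
            for name, value in rule.permissions.items():
                granted.setdefault(name, []).append(value)
    return {name: combine(vals) for name, vals in granted.items()}


def boolean_permission(resultant: Dict[str, PermValue], name: str) -> bool:
    """Boolean permissions default to FALSE: absent from the resultant
    means not granted."""
    return bool(resultant.get(name, False))


def order_independent(rules: List[Rule], identity: str) -> bool:
    """Check the claim that rule order is irrelevant: every permutation of
    the rule set must produce the same resultant."""
    reference = evaluate(rules, identity)
    return all(evaluate(list(perm), identity) == reference
               for perm in itertools.permutations(rules))


# Constructed sample policy (not taken from the book or from any RFC).
RULES = [
    Rule("r1", frozenset({"alice@example.com", "bob@example.com"}),
         {"allow-subscribe": True, "max-expires": 3600,
          "visible-tuples": frozenset({"basic"})}),
    Rule("r2", frozenset({"alice@example.com"}),
         {"allow-subscribe": False, "max-expires": 7200,
          "visible-tuples": frozenset({"geolocation"})}),
    Rule("r3", frozenset({"carol@example.com"}),
         {"allow-subscribe": False}),
]

if __name__ == "__main__":
    for who in ("alice@example.com", "bob@example.com",
                "carol@example.com", "dave@example.com"):
        res = evaluate(RULES, who)
        print(who, res, "subscribe:", boolean_permission(res, "allow-subscribe"))
    print("order independent:", order_independent(RULES, "alice@example.com"))
```

Running it shows the additive nature of the combination: alice matches both r1 and r2, and although r2 grants allow-subscribe FALSE, the resultant is TRUE because r1 grants it; her max-expires is the larger 7200 and her visible-tuples set is the union of both rules. dave matches no rule, so his resultant is empty and every boolean permission queried on it falls back to FALSE.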

The integer type assigns each permission an integer value. The higher the value, the higher the rights ...
