How to calculate resultant set for conflicting attribute policy rules
Summary: When multiple Attribute Policy Rules affect the same web action, Cayosoft Administrator applies a specific algorithm to calculate the resultant set of attribute policies to enforce. This algorithm is described in the article below.
Applies to: Cayosoft Administrator 7.0.0 or later
How Cayosoft Administrator evaluates the resultant set of attribute policy settings based on all Attribute Policy Rules defined:
An Attribute Policy Rule consists of three main parts: Trustee, Policy Scope, and Attribute Policy Settings.
The trustee part is evaluated based on the connected user token and simply filters out policy rules that should not affect the currently connected user.
Policy Scope and Attribute Settings are evaluated differently. First, rules are sorted based on their scope and order on the Attribute Policies screen (see sorting rules below). Then all rules are evaluated in order, from top to bottom, and all policy settings are merged.
Sorting based on Policy Scope:
Policy scope is defined by a trinity of the [Admin Unit] - [Web Query] - [Web Action].
Each element in this trinity can be configured to All: [All Admin Units] - [All Web Queries] - [All Actions].
When sorting the rules, rules with [All Admin Units] in their scope definition are put on top, followed by rules with [All Web Queries] in their scope, then rules with [All Actions], and finally, rules with specific Admin Unit - Web Query - Web Action.
The order on the Attribute Policies screen is preserved, i.e., if there are two rules with scope [All Admin Units] - [DOA] - [All Actions], they are put on top in the same order they are listed on the Attribute Policies screen.
As a result, we have all policy rules sorted, with the most generic (most global scope) going on top, and the most definite scope going to the bottom. This policy order ensures that for conflicting attribute settings, the policy applied closer to the object and action wins over the policies applied more globally.
NOTE: If a policy has several overlapping scopes, the policy from the lowest one will apply.
Merging attribute settings.
After putting all rules in order, Cayosoft Administrator goes from top to bottom.
For each policy rule:
First, Cayosoft Administrator checks the action that is currently used by the connected user to see if this action falls under the scope of the policy rule. If the current action does not fall under the rule's policy scope, it goes to the next rule.
Then, for every attribute in the rule, every defined setting is added to the resultant set of attribute settings.
For example, if possible values are defined for Department property in the current rule, [Department] - [possible values] are added to the resultant set. If this rule also defines Is Required setting, [Department] - [Is Required] is also added to the resultant set.
If that setting for that property was already present in the resultant set, the setting is overwritten.
For example, if some higher policy rule defined Department possible values as "1, 2, 3" and the current rule defines Department possible values as "A, B, C" then the resultant set would have [Department] - [possible values] - [A, B, C].
Note that boolean flags like Is Required / Is Readonly / Is Hidden are not overwritten, i.e., when the flag is not selected on the policy, it is considered "not defined" and thus is not evaluated for inclusion in the resultant set.
The resultant set of policy settings is used by the Web Portal to update the look and feel of the current web action form and validate user input.
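The sorting and merging steps described above, as an added Python example (not Cayosoft code). The names Rule, ALL, tier and resultant_set, the modelling of the trustee part as group names, and the sample rules are assumptions made for illustration; ranking a rule by the first scope element set to All is this example's reading of the sorting rules.

```python
from dataclasses import dataclass

ALL = "*"  # stands for [All Admin Units] / [All Web Queries] / [All Actions]
FLAGS = {"is_required", "is_readonly", "is_hidden"}

@dataclass
class Rule:
    trustees: set    # assumed trustee model: group names from the user token
    admin_unit: str
    web_query: str
    action: str
    settings: dict   # {attribute: {setting: value}}

def tier(rule):
    """Sort key: 0 = [All Admin Units], 1 = [All Web Queries], 2 = [All Actions], 3 = specific."""
    scope = (rule.admin_unit, rule.web_query, rule.action)
    return scope.index(ALL) if ALL in scope else 3

def resultant_set(rules, user_groups, admin_unit, web_query, action):
    current = (admin_unit, web_query, action)
    # Trustee filter, then stable sort: screen order is preserved within a tier.
    ordered = sorted((r for r in rules if r.trustees & user_groups), key=tier)
    result = {}
    for r in ordered:
        scope = (r.admin_unit, r.web_query, r.action)
        if any(s not in (ALL, c) for s, c in zip(scope, current)):
            continue  # current action is outside this rule's scope
        for attr, defined in r.settings.items():
            for setting, value in defined.items():
                if setting in FLAGS and not value:
                    continue  # unchecked flag is "not defined"; it never clears an earlier ON
                result.setdefault(attr, {})[setting] = value  # rule lower in the order wins
    return result

# Constructed sample rules, in screen order (the specific rule is listed first on purpose).
RULES = [
    Rule({"HelpDesk"}, "HR Unit", "Users", "Create User",
         {"Department": {"possible_values": ["A", "B", "C"], "is_required": False}}),
    Rule({"HelpDesk"}, ALL, ALL, ALL,
         {"Department": {"possible_values": ["1", "2", "3"], "is_required": True}}),
]

if __name__ == "__main__":
    print(resultant_set(RULES, {"HelpDesk"}, "HR Unit", "Users", "Create User"))
    print(resultant_set(RULES, {"HelpDesk"}, "Sales", "Users", "Create User"))
```

In the first call the specific rule replaces the possible values, but Is Required stays ON from the global rule even though the specific rule leaves it unchecked.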
Summary
All policy rules are pre-loaded by the Web Portal when a user signs in. So, if you change some policy configuration, first refresh the web page to reload policy rules in Web Portal, before testing your changes.
A policy rule with scope [Specific Admin Unit] - [Specific Web Query] - [Specific Action] overrides any other policy rule that uses "All" in any of the scope elements. Use this to apply exceptions and override some global policy on a local scope, where this global policy needs to be excluded.
Boolean settings Is Required, Is Readonly, and Is Hidden cannot be overwritten. Once set to ON in some policy rules, these settings will always affect this web action in this rule scope (Admin Unit and Web Query).
All other policy settings should be overwritten by the rule that "sits" closer to the current object and action, and if two rules exist with identical scope, the one that is lower in the Attribute Policies list wins.