Key Concepts

A few key concepts are essential to understanding how Big ACL operates.

Big ACL expresses authorizations as sets of rules.

Each rule allows or forbids a subject to act on a resource, given a defined context.

Let’s say for example that we want to define access rules to patient files for hospital staff.

We may have rules such as:

  • A doctor can read and update the records of a patient currently admitted to his or her department.

  • A doctor who belongs to the Emergency Room can read and update the records of any patient admitted to the hospital where they practice.

If multiple rules apply, a combining algorithm is used to determine the final access decision.

There are several combining algorithms, and two common ones are:

  1. Deny-overrides (Permit-overrides): If any applicable rule evaluates to “deny”, the overall decision is deny and evaluation stops; a single denial is sufficient to refuse access. If no rule denies, the algorithm looks for a “permit” decision, and if at least one rule permits, the overall decision is permit. Deny decisions therefore take priority over permit decisions.

  2. First-applicable (Ordered-permit-deny): Rules are evaluated in a specific order, typically their priority or order of appearance. The first rule that matches the request and yields either permit or deny is the final decision, and no further rules are evaluated. Because the outcome depends on the predetermined order of the rules, this algorithm is also known as “Ordered-permit-deny”.
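To make the difference between the two algorithms concrete, the following is an added example, not code from Big ACL, that encodes the two hospital rules above plus one constructed "sealed record" deny rule (not from the page), and evaluates the same requests under deny-overrides and first-applicable. The field names (`role`, `department`, `hospital`, `admitted`, `sealed`) and the `not_applicable` result for requests that match no rule are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Added example, not Big ACL's own code. A request is a subject acting on a
# resource; rules are predicates over the request with a permit or deny effect.


@dataclass
class Request:
    subject: Dict[str, str]
    action: str
    resource: Dict[str, str]


@dataclass
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    matches: Callable[[Request], bool]   # does this rule apply to the request?


def same_hospital(req: Request) -> bool:
    return req.subject.get("hospital") == req.resource.get("hospital")


def dept_doctor(req: Request) -> bool:
    """A doctor reading/updating a patient currently admitted to his or her department."""
    return (req.subject.get("role") == "doctor"
            and req.action in ("read", "update")
            and req.resource.get("admitted") == "yes"
            and same_hospital(req)
            and req.subject.get("department") == req.resource.get("department"))


def er_doctor(req: Request) -> bool:
    """An Emergency Room doctor reading/updating any patient admitted to the same hospital."""
    return (req.subject.get("role") == "doctor"
            and req.action in ("read", "update")
            and req.subject.get("department") == "emergency"
            and req.resource.get("admitted") == "yes"
            and same_hospital(req))


def sealed_record(req: Request) -> bool:
    """Constructed extra rule (assumption, not from the page) so the algorithms can disagree."""
    return req.resource.get("sealed") == "yes"


PERMIT_DEPT = Rule("doctor-own-department", "permit", dept_doctor)
PERMIT_ER = Rule("er-doctor-same-hospital", "permit", er_doctor)
DENY_SEALED = Rule("sealed-record", "deny", sealed_record)

# Two orderings of the same rule set; only first-applicable is sensitive to order.
RULES_PERMIT_FIRST: List[Rule] = [PERMIT_DEPT, PERMIT_ER, DENY_SEALED]
RULES_DENY_FIRST: List[Rule] = [DENY_SEALED, PERMIT_DEPT, PERMIT_ER]


def applicable_effects(rules: List[Rule], req: Request) -> List[str]:
    """Effects of every rule that applies, in rule order."""
    return [r.effect for r in rules if r.matches(req)]


def deny_overrides(rules: List[Rule], req: Request) -> str:
    """Any deny wins; otherwise any permit wins; otherwise nothing applied."""
    effects = applicable_effects(rules, req)
    if "deny" in effects:
        return "deny"
    if "permit" in effects:
        return "permit"
    return "not_applicable"


def first_applicable(rules: List[Rule], req: Request) -> str:
    """The first matching rule, in list order, decides; later rules are never consulted."""
    for rule in rules:
        if rule.matches(req):
            return rule.effect
    return "not_applicable"


# Constructed sample requests.
_CARDIO_DOC = {"role": "doctor", "department": "cardiology", "hospital": "north"}
_ER_DOC = {"role": "doctor", "department": "emergency", "hospital": "north"}
_NURSE = {"role": "nurse", "department": "cardiology", "hospital": "north"}
_CARDIO_PATIENT = {"department": "cardiology", "hospital": "north", "admitted": "yes", "sealed": "no"}
_SEALED_PATIENT = {"department": "cardiology", "hospital": "north", "admitted": "yes", "sealed": "yes"}

DEPT_READ = Request(_CARDIO_DOC, "read", _CARDIO_PATIENT)        # own department
ER_CROSS_DEPT = Request(_ER_DOC, "update", _CARDIO_PATIENT)      # ER doctor, other department
SEALED_READ = Request(_CARDIO_DOC, "read", _SEALED_PATIENT)      # permit and deny both apply
NURSE_READ = Request(_NURSE, "read", _CARDIO_PATIENT)            # no rule applies

if __name__ == "__main__":
    for label, req in [("dept-read", DEPT_READ), ("er-cross-dept", ER_CROSS_DEPT),
                       ("sealed-read", SEALED_READ), ("nurse-read", NURSE_READ)]:
        print(f"{label:14} deny-overrides={deny_overrides(RULES_PERMIT_FIRST, req):15}"
              f"first-applicable(permit first)={first_applicable(RULES_PERMIT_FIRST, req):15}"
              f"first-applicable(deny first)={first_applicable(RULES_DENY_FIRST, req)}")
```

The sealed-record request is the instructive case: deny-overrides refuses it regardless of rule order, while first-applicable permits it when the permit rules are listed first and denies it when the deny rule is listed first. Under first-applicable, the order of the rule set is therefore part of the policy and must be reviewed as carefully as the rules themselves.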
