Policy Evaluation

The PDP evaluates all policy sets and top-level policies (policies not contained in a policy set) against the authorization subscription and combines the results. Each policy or policy set evaluates to one of four outcomes: PERMIT, DENY, NOT_APPLICABLE, or INDETERMINATE.

When multiple policies produce different outcomes, the combining algorithm determines the final decision. SAPL’s combining algorithm model has three dimensions:

Voting mode: How individual policy votes are aggregated
Default decision: The decision when no policy casts a decisive vote (PERMIT or DENY)
Error handling: How INDETERMINATE votes (from evaluation errors) are treated

Configuring the Combining Algorithm

The PDP-level combining algorithm is configured in pdp.json:

{
  "algorithm": {
    "votingMode": "PRIORITY_PERMIT",
    "defaultDecision": "DENY",
    "errorHandling": "ABSTAIN"
  }
}

Available voting modes at PDP level:

Voting Mode	Behavior
`PRIORITY_PERMIT`	If any policy votes `PERMIT`, the result is `PERMIT`. Otherwise, the default decision applies.
`PRIORITY_DENY`	If any policy votes `DENY`, the result is `DENY`. Otherwise, the default decision applies.
`UNANIMOUS`	All decisive votes must agree. Any disagreement results in the default decision.
`UNIQUE`	Exactly one policy must be applicable. Zero or multiple applicable policies result in the default.

The FIRST voting mode evaluates policies in document order and uses the first applicable vote. Because the PDP’s collection of policies is an unordered set, FIRST is only available within policy sets where document order is defined.

Error handling options:

PROPAGATE: Errors produce an INDETERMINATE final decision
ABSTAIN: Errors are treated as NOT_APPLICABLE (the erroring policy abstains from voting)

Within policy sets, the combining algorithm uses a natural language syntax: priority permit or deny, unanimous or deny, errors propagate, etc. See Combining Algorithm for the complete reference.