

The Policy Enforcement Process

The GAA-API returns three status values to describe the policy enforcement process:

  1. authorization status 33#33.
    Indicates whether the request is authorized (30#30), not authorized (31#31) or uncertain (32#32).

  2. mid-condition enforcement status 34#34.
    Indicates the evaluation status of the mid-conditions (29#29).

  3. post-condition enforcement status 35#35.
    Indicates the evaluation status of the post-conditions (29#29).

Initially the status values are set to 32#32.

  1. The access control phase starts when a request to access an object is received, together with the requested type of access and contextual information.

  2. First, the 25#25 function is called to obtain the security policy associated with the object. If no relevant policy was found, the authorization status is set to 31#31 and the request is rejected.

    Next the 26#26 function is called to evaluate pre- and request-result conditions. If there are no pre-conditions (this means that the requested right is granted unconditionally), the authorization status is set to 30#30. Otherwise, the pre-conditions are evaluated and the result is stored in the authorization status 33#33.

    If the request-result conditions are present in the policy, the conditions are evaluated and the intermediate result is stored in variable 13#13. The conjunction of the 13#13 and 33#33 is stored in the authorization status 33#33. If authorization is not granted (36#36), the request is rejected.

  3. The execution control phase consists of starting the operation execution process and calling the 27#27 function.

    If mid-conditions are found, the conditions are evaluated. Some mid-conditions are evaluated just once; others are evaluated in a loop until either the operation finishes or any of the mid-conditions fails. In the latter case, the operation execution is suspended and the reactive actions are started. The mid-conditions can also be returned unevaluated, to be enforced by the application. The result is stored in 34#34.

  4. During the post-execution action phase the 28#28 function is called. The operation execution status (indicating whether the operation succeeded or failed) is passed to 28#28. If no post-conditions are found, 35#35 is set to 30#30; otherwise the post-conditions are evaluated and the result is stored in 35#35.
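
The four steps above, sketched in C as an added example; this is not code from the GAA-API or from the original page. Every identifier is hypothetical, and the sample operation and conditions are constructed. Assumptions: the conjunction of two statuses is the weaker of the two, an uncertain authorization status is rejected, an empty mid-condition list counts as satisfied, and post-conditions still run after a suspended operation.

```c
#include <stddef.h>
/* All identifiers are hypothetical, not the GAA-API's own names. */
typedef enum { ST_NO, ST_MAYBE, ST_YES } status_t;  /* not authorized, uncertain, authorized */
typedef status_t (*cond_fn)(void *ctx, int op_ok);  /* op_ok matters to post-conditions only */
typedef struct { cond_fn *c; size_t n; } conds_t;
typedef struct { conds_t pre, rr, mid, post; } policy_t;
typedef struct { status_t authz, mid, post; int op_ok; } result_t;
/* Assumed three-valued conjunction: NO beats MAYBE, MAYBE beats YES. */
static status_t conj(status_t a, status_t b) { return a < b ? a : b; }

/* An empty condition list evaluates to YES. */
static status_t eval_all(conds_t cs, void *ctx, int op_ok) {
    status_t s = ST_YES;
    for (size_t i = 0; i < cs.n && s != ST_NO; i++)
        s = conj(s, cs.c[i](ctx, op_ok));
    return s;
}

/* step() runs one slice of the operation: 1 = more work, 0 = finished, -1 = failed. */
result_t enforce(const policy_t *p, void *ctx, int (*step)(void *)) {
    result_t r = { ST_MAYBE, ST_MAYBE, ST_MAYBE, 0 };  /* statuses start uncertain */
    if (p == NULL) { r.authz = ST_NO; return r; }      /* no relevant policy: reject */
    /* Access control phase: pre-conditions, then request-result conditions. */
    r.authz = eval_all(p->pre, ctx, 0);
    if (p->rr.n > 0)
        r.authz = conj(eval_all(p->rr, ctx, 0), r.authz);
    if (r.authz != ST_YES) return r;                   /* assumption: uncertain is rejected */
    /* Execution control phase: re-check mid-conditions before every slice. */
    int more = 1;
    while (more == 1 && (r.mid = eval_all(p->mid, ctx, 0)) != ST_NO)
        more = step(ctx);
    r.op_ok = (more == 0);                             /* 0 if failed or suspended */
    /* Post-execution action phase: post-conditions see the operation status. */
    r.post = eval_all(p->post, ctx, r.op_ok);
    return r;
}

/* Constructed sample: a 5-slice operation, a mid-condition capping slices, an audit post-condition. */
typedef struct { int done, limit, audited; } demo_t;
static status_t under_limit(void *c, int ok) { (void)ok; demo_t *d = c; return d->done < d->limit ? ST_YES : ST_NO; }
static status_t audit(void *c, int ok) { ((demo_t *)c)->audited = ok ? 1 : 2; return ST_YES; }
static int one_step(void *c) { demo_t *d = c; return ++d->done < 5; }
result_t demo(int limit, demo_t *d) {
    static cond_fn mid[] = { under_limit }, post[] = { audit };
    policy_t p = { { NULL, 0 }, { NULL, 0 }, { mid, 1 }, { post, 1 } };
    *d = (demo_t){ 0, limit, 0 };
    return enforce(&p, d, one_step);
}
int main(void) { demo_t d; return demo(3, &d).mid == ST_NO ? 0 : 1; }
```

With a limit of 3 the mid-condition fails after the third slice, so the operation is suspended and the post-condition records a failed run; with a limit of 10 the operation finishes and all three statuses end as authorized.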


Tatyana Ryutov 2002-06-25