Attribute Based Access Control/SPM / ABAC Rule


The rule is the most elemental construct that may produce a decision outcome. A Rule element may evaluate to Permit, Deny, Not Applicable, or Indeterminate and may exist only within a Policy element. The main components of the Rule element are the target, effect, and condition.


The Target element of a Rule defines the context for which the rule applies. Specifically, it defines a set of subjects, resources, actions, and environments for which the rule will be considered in calculating the decision outcome of the parent Policy. If the current context does not match the Target then the rule will not be used in reaching the decision outcome.


The Effect is an XML attribute of the Rule element and defines the outcome (Permit or Deny) for the Rule if the Condition element evaluates to TRUE.


The Condition element contains a predicate that represents the logic of the Rule. The Condition may evaluate to TRUE, FALSE, or Indeterminate. The outcome of the Condition controls whether the Rule evaluates to its Effect (if the Condition is TRUE), to Not Applicable (if the Condition is FALSE), or to Indeterminate (if the Condition itself is Indeterminate, for example because an attribute it references is missing from the request context).
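The three paragraphs above describe one evaluation procedure: match the Target, then evaluate the Condition, then return the Effect, Not Applicable, or Indeterminate. The following Python model, added here as an illustration and not taken from any XACML engine or from this page, walks through that procedure. Everything in it is constructed for the example: the `Decision`, `RequestContext`, `Target` and `Rule` classes, the sample "doctor reads a record in their own department" rule, and the simplification that a Target is a set of acceptable values per attribute. A missing attribute, whether hit by the Target or by the Condition, is treated as Indeterminate, and a Rule without a Condition behaves as if its Condition were TRUE, which matches how XACML treats an omitted Condition.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Callable, Dict, Mapping, Optional, Set

# Constructed, simplified model of an ABAC/XACML-style Rule for illustration only.


class Decision(Enum):
    """The four outcomes a Rule may produce."""
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


class MissingAttribute(Exception):
    """Raised when a Rule references an attribute the request context does not carry."""


CATEGORIES = ("subject", "resource", "action", "environment")


@dataclass(frozen=True)
class RequestContext:
    """The attributes of the current access request, one bag per category."""
    subject: Mapping[str, Any] = field(default_factory=dict)
    resource: Mapping[str, Any] = field(default_factory=dict)
    action: Mapping[str, Any] = field(default_factory=dict)
    environment: Mapping[str, Any] = field(default_factory=dict)

    def attr(self, category: str, name: str) -> Any:
        bag = getattr(self, category)
        if name not in bag:
            raise MissingAttribute(f"{category}/{name}")
        return bag[name]


@dataclass
class Target:
    """Per category: attribute name -> set of values that match.
    An empty mapping places no constraint on that category (matches anything)."""
    subject: Dict[str, Set[Any]] = field(default_factory=dict)
    resource: Dict[str, Set[Any]] = field(default_factory=dict)
    action: Dict[str, Set[Any]] = field(default_factory=dict)
    environment: Dict[str, Set[Any]] = field(default_factory=dict)

    def matches(self, ctx: RequestContext) -> bool:
        for category in CATEGORIES:
            for name, allowed in getattr(self, category).items():
                # ctx.attr raises MissingAttribute if the request lacks the attribute,
                # which the Rule turns into Indeterminate rather than a silent no-match.
                if ctx.attr(category, name) not in allowed:
                    return False
        return True


@dataclass
class Rule:
    rule_id: str
    effect: Decision                       # must be Permit or Deny
    target: Target = field(default_factory=Target)
    condition: Optional[Callable[[RequestContext], bool]] = None

    def __post_init__(self) -> None:
        if self.effect not in (Decision.PERMIT, Decision.DENY):
            raise ValueError("Effect must be Permit or Deny")

    def evaluate(self, ctx: RequestContext) -> Decision:
        try:
            if not self.target.matches(ctx):
                return Decision.NOT_APPLICABLE          # context outside the Rule's Target
            if self.condition is not None and not self.condition(ctx):
                return Decision.NOT_APPLICABLE          # Condition evaluated to FALSE
        except MissingAttribute:
            return Decision.INDETERMINATE               # Target or Condition could not be decided
        return self.effect                              # Target matched and Condition TRUE (or absent)


def read_record_rule() -> Rule:
    """Constructed sample rule: doctors may read medical records of their own department."""
    return Rule(
        rule_id="doctor-reads-own-department-record",   # hypothetical id
        effect=Decision.PERMIT,
        target=Target(
            subject={"role": {"doctor"}},
            resource={"type": {"medical-record"}},
            action={"id": {"read"}},
        ),
        condition=lambda ctx: ctx.attr("subject", "department")
        == ctx.attr("resource", "department"),
    )


def decide(rule: Rule, subject: Mapping[str, Any], resource: Mapping[str, Any],
           action: Mapping[str, Any], environment: Optional[Mapping[str, Any]] = None) -> Decision:
    """Build a request context from the four attribute bags and evaluate one Rule."""
    return rule.evaluate(RequestContext(subject, resource, action, environment or {}))


if __name__ == "__main__":
    rule = read_record_rule()
    record = {"type": "medical-record", "department": "cardiology"}
    print(decide(rule, {"role": "doctor", "department": "cardiology"}, record, {"id": "read"}))
    print(decide(rule, {"role": "doctor", "department": "oncology"}, record, {"id": "read"}))
    print(decide(rule, {"role": "nurse", "department": "cardiology"}, record, {"id": "read"}))
    print(decide(rule, {"role": "doctor"}, record, {"id": "read"}))
```

Running the four calls at the bottom produces Permit, NotApplicable (Condition FALSE), NotApplicable (Target does not match) and Indeterminate (the subject has no department attribute, so the Condition cannot be decided). Note that a Rule on its own never yields Deny for a request that merely fails its Condition; a Permit rule that does not fire is Not Applicable, and whether the overall outcome becomes Deny is up to the enclosing Policy, which the page leaves to its Policy element.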