keycloak-scim/authorization_services/topics/policy-aggregated-policy.adoc

[[_policy_aggregated]]
= Aggregated Policy

As mentioned previously, {project_name} allows you to build a policy of policies, a concept referred to as policy aggregation. You can use policy aggregation to reuse existing policies to build more complex ones and keep your permissions even more decoupled from the policies that are evaluated during the processing of authorization requests.

To create a new aggregated policy, select *Aggregated* in the dropdown list located in the right upper corner of the policy listing.

.Add an Aggregated Policy
image:{project_images}/policy/create-aggregated.png[alt="Add Aggregated Policy"]

Let's suppose you have a resource called _Confidential Resource_ that can be accessed only by users from the _keycloak.org_ domain and from a certain range of IP addresses.
You can create a single policy with both conditions. However, you want to reuse the domain part of this policy to apply to permissions that operates regardless of the originating network.

You can create separate policies for both domain and network conditions and create a third policy based on the combination of these two policies. With an aggregated policy, you can freely combine other policies and then apply the new aggregated policy to any permission you want.

[NOTE]
When creating aggregated policies, be mindful that you are not introducing a circular reference or dependency between policies. If a circular dependency is detected, you cannot create or update the policy.

== Configuration

* *Name*
+
A human-readable and unique string describing the policy. We strongly suggest that you use names that are closely related with your business and security requirements, so you
can identify them more easily and also know what they mean.
+
* *Description*
+
A string with more details about this policy.
+
* *Apply Policy*
+
Defines a set of one or more policies to associate with the aggregated policy. To associate a policy you can either select an existing policy
or create a new one by selecting the type of the policy you want to create.
+
* *Decision Strategy*
+
The decision strategy for this permission.
+
* *Logic*
+
The <<_policy_logic, Logic>> of this policy to apply after the other conditions have been evaluated.

== Decision Strategy for Aggregated Policies

When creating aggregated policies, you can also define the decision strategy that will be used to determine the final decision based on the outcome from each policy.

* *Unanimous*
+
The default strategy if none is provided. In this case, _all_ policies must evaluate to a positive decision for the final decision to be also positive.
+
* *Affirmative*
+
In this case, _at least one_ policy must evaluate to a positive decision in order for the final decision to be also positive.
+
* *Consensus*
+
In this case, the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative decisions is the same, the final decision will be negative.
[RHSSO-599] - Replacing link with fake 2016-11-29 15:30:53 +00:00			`[[_policy_aggregated]]`
Convert Authorization Service to a flat topic structure (#212) * Convert Authorization Service to a flat topic structure * Fix issue with toc being cut 2017-10-09 06:38:46 +00:00			`= Aggregated Policy`
First bucket of documentation from docbook. 2016-05-31 20:36:14 +00:00
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`As mentioned previously, {project_name} allows you to build a policy of policies, a concept referred to as policy aggregation. You can use policy aggregation to reuse existing policies to build more complex ones and keep your permissions even more decoupled from the policies that are evaluated during the processing of authorization requests.`
First bucket of documentation from docbook. 2016-05-31 20:36:14 +00:00
Some updates and fixes 2017-04-25 22:52:57 +00:00			`To create a new aggregated policy, select Aggregated in the dropdown list located in the right upper corner of the policy listing.`
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`.Add an Aggregated Policy`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`image:{project_images}/policy/create-aggregated.png[alt="Add Aggregated Policy"]`
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`Let's suppose you have a resource called _Confidential Resource_ that can be accessed only by users from the _keycloak.org_ domain and from a certain range of IP addresses.`
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`You can create a single policy with both conditions. However, you want to reuse the domain part of this policy to apply to permissions that operates regardless of the originating network.`
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`You can create separate policies for both domain and network conditions and create a third policy based on the combination of these two policies. With an aggregated policy, you can freely combine other policies and then apply the new aggregated policy to any permission you want.`
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00
			`[NOTE]`
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`When creating aggregated policies, be mindful that you are not introducing a circular reference or dependency between policies. If a circular dependency is detected, you cannot create or update the policy.`
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00
Convert Authorization Service to a flat topic structure (#212) * Convert Authorization Service to a flat topic structure * Fix issue with toc being cut 2017-10-09 06:38:46 +00:00			`== Configuration`
More doc 2016-06-05 22:17:31 +00:00
			`* Name`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`A human-readable and unique string describing the policy. We strongly suggest that you use names that are closely related with your business and security requirements, so you`
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`can identify them more easily and also know what they mean.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Description`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`A string with more details about this policy.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Apply Policy`
			`+`
[KEYCLOAK-6082] - Updating docs for authz services 2017-12-21 14:01:55 +00:00			`Defines a set of one or more policies to associate with the aggregated policy. To associate a policy you can either select an existing policy`
			`or create a new one by selecting the type of the policy you want to create.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Decision Strategy`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`The decision strategy for this permission.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Logic`
			`+`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`The <<_policy_logic, Logic>> of this policy to apply after the other conditions have been evaluated.`
First bucket of documentation from docbook. 2016-05-31 20:36:14 +00:00
Convert Authorization Service to a flat topic structure (#212) * Convert Authorization Service to a flat topic structure * Fix issue with toc being cut 2017-10-09 06:38:46 +00:00			`== Decision Strategy for Aggregated Policies`
First bucket of documentation from docbook. 2016-05-31 20:36:14 +00:00
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`When creating aggregated policies, you can also define the decision strategy that will be used to determine the final decision based on the outcome from each policy.`
First bucket of documentation from docbook. 2016-05-31 20:36:14 +00:00
			`* Unanimous`
			`+`
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`The default strategy if none is provided. In this case, _all_ policies must evaluate to a positive decision for the final decision to be also positive.`
First bucket of documentation from docbook. 2016-05-31 20:36:14 +00:00			`+`
			`* Affirmative`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`In this case, _at least one_ policy must evaluate to a positive decision in order for the final decision to be also positive.`
First bucket of documentation from docbook. 2016-05-31 20:36:14 +00:00			`+`
			`* Consensus`
			`+`
Convert Authorization Service to a flat topic structure (#212) * Convert Authorization Service to a flat topic structure * Fix issue with toc being cut 2017-10-09 06:38:46 +00:00			`In this case, the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative decisions is the same, the final decision will be negative.`