You can translate the question and the replies:

Two custom policy applied on the same will, should the final result be "AND" or "OR" of the 2 policies' results?

Hi all, There are 2 Custom Policy. Policy-1. According to the uid user passed, append one filter to the query. It only returns ACCEPT_WITH_FILTER. Policy-2. When user's query does not satisfy some condition, return ACCEPT; otherwise, return REJECT. Now, apply the two custom policy on the SAME view, for Policy-1, it will return ACCEPT_WITH_FILTER, for Policy-2, it will return REJECT, So, what should be the final result? ACCEPT_WITH_FILTER or REJECT? Why?
custom policy conflicts
user
15-07-2023 20:26:23 -0400
code

1 Answer

Hi, Assuming your Custom Policies are assigned directly to the user, the Policies are evaluated one by one. This means that first Policy-1 will be evaluated -> returns ACCEPT_WITH_FILTER Next Policy-2 woll be evaluated -> returns REJECT As soon as one Policy returns reject, the query will be rejected. Consequently in your case the query would be rejected. For a query not to be rejected it would need to be accepted by all your user Policies. You can read more about the order the Policies are evaluated in the section [Custom View Policies](https://community.denodo.com/docs/html/browse/latest/en/vdp/developer/custom_policies/custom_policies#:~:text=If%20the%20user%20does%20not%20have%20any%20role%20and%20she%20has%20custom%20view%20policies%20assigned%20over%20the%20view%2C%20the%20Server%20evaluates%20the%20policies%20one%20by%20one.%20If%20one%20of%20the%20policies%20rejects%20the%20query%2C%20the%20query%20is%20rejected.) of the Virtual DataPort Developer Guide. If your Custom Policies are assigned to roles which are then assigned to your users, the behavior is slightly different. You will find an explanation and examples for that case too in the link above. Hope this helps!
Denodo Team
17-07-2023 11:36:19 -0400
code
You must sign in to add an answer. If you do not have an account, you can register here