Evaluating Your Access Control Policies

The device's System Controller provides an option for evaluating the rules you have created against any request information you specify. For more information, see "Access Control Evaluate" in Volera VS 2.0 Management Interface Help.

The following points summarize how the system sorts and evaluates active rules.

  1. All of the active rules in all active policies for the stage that applies to a request are sorted together.

    In other words, when a new connection request is received, all of the rules in all of the new connection policies will be evaluated until either one of the rules is true or all of the rules have been evaluated.

    The same statement applies to user requests---all user request policies and rules are considered.

  2. Priority number is the first determiner in the sorting process.

    All of the priority 1 rules will be evaluated before any of the priority 2 rules are evaluated, and so on.

  3. Action is the second determiner---block first, allow second.

    All rules of a given priority with a block action are executed before any rules with the same priority and an allow action.

    In other words

  4. Policy order (the order in which policies were enabled) and rule order (the order in which rules are listed within a policy) are always maintained through each sorting operation.

    The effect of this is that, if priority and action are equal for two or more rules, the rules will be executed in policy order and then rule order within the policy. This is further explained in A Final Word about Policy Order.


Showing and Changing the Enabled Order of Policies

You can quickly see the order in which access control policies were enabled as follows:

You can change the enabled order of policies by disabling any policies you want to change and then re-enabling them in the order you want them sorted.


An Example of Rule Sorting and Evaluation Order

To further understand how rules are sorted for request evaluation, consider the example in Table 10.

This shows the configuration for a cache device that has two access control policies, each of which contains four rules with various priorities and actions.


Table 10. Rules Listed in Policy and Rule Number Order

Reference Number   Policy   Rule Number   Priority   Action
1.                 Two      1             2          Allow
2.                 Two      2             2          Block
3.                 Two      3             3          Block
4.                 Two      4             5          Allow
5.                 One      1             2          Allow
6.                 One      2             2          Allow
7.                 One      3             5          Block
8.                 One      4             1          Block


Priority Is First

First, the rules are sorted by priority order to yield the order shown in Table 11.


Table 11. Rules Sorted by Priority

Reference Number   Policy   Rule Number   Priority   Action
8.                 One      4             1          Block
1.                 Two      1             2          Allow
2.                 Two      2             2          Block
5.                 One      1             2          Allow
6.                 One      2             2          Allow
3.                 Two      3             3          Block
4.                 Two      4             5          Allow
7.                 One      3             5          Block


Action Is Second

Next the rules are sorted by action: block rules first, allow rules second.

In Table 12, reference numbers 2 and 7 change position within their priorities. The result is the order in which the rules will be evaluated for requests coming into the cache device.


Table 12. Rules Sorted by Action within Priorities

Reference Number   Policy   Rule Number   Priority   Action
8.                 One      4             1          Block
2.                 Two      2             2          Block
1.                 Two      1             2          Allow
5.                 One      1             2          Allow
6.                 One      2             2          Allow
3.                 Two      3             3          Block
7.                 One      3             5          Block
4.                 Two      4             5          Allow


Policy-Enabled-Order and Rule-Number-Order Are Maintained

Note that in Table 12, Reference Numbers 1 and 5 have the same priority, the same assigned action, and both are the first rule within their respective policies. Reference number 1 is still listed first, however, because policy Two was enabled before policy One and the policy order has been maintained.
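The sorting and first-match evaluation described above, written out as an added example (this is illustrative code, not part of the Volera product or its documentation). It models the eight rules of Table 10 with the policy enabled order Two-then-One; the Rule type, the match predicate and the "no rule applied" result are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    ref: int          # reference number as used in Table 10 (hypothetical field)
    policy: str       # policy name, "One" or "Two"
    rule_number: int  # position of the rule within its policy
    priority: int     # priority 1 is evaluated before priority 2, and so on
    action: str       # "Block" or "Allow"

# Order in which the policies were enabled: policy Two before policy One.
POLICY_ENABLED_ORDER = ["Two", "One"]

# The eight rules of Table 10, listed in policy and rule-number order.
TABLE_10 = [
    Rule(1, "Two", 1, 2, "Allow"), Rule(2, "Two", 2, 2, "Block"),
    Rule(3, "Two", 3, 3, "Block"), Rule(4, "Two", 4, 5, "Allow"),
    Rule(5, "One", 1, 2, "Allow"), Rule(6, "One", 2, 2, "Allow"),
    Rule(7, "One", 3, 5, "Block"), Rule(8, "One", 4, 1, "Block"),
]

def priority_order(rules: List[Rule]) -> List[Rule]:
    """Step 1 only: a stable sort by priority reproduces Table 11."""
    return sorted(rules, key=lambda r: r.priority)

def evaluation_order(rules: List[Rule], enabled_order=POLICY_ENABLED_ORDER) -> List[Rule]:
    """Full sort: priority, then Block before Allow, then policy enabled order,
    then rule number within the policy. Reproduces Table 12."""
    def key(r: Rule):
        return (r.priority,
                0 if r.action == "Block" else 1,
                enabled_order.index(r.policy),
                r.rule_number)
    return sorted(rules, key=key)

def evaluate(rules: List[Rule], matches: Callable[[Rule], bool],
             enabled_order=POLICY_ENABLED_ORDER) -> Tuple[Optional[str], Optional[int]]:
    """Walk the sorted rules; the first rule whose condition is true decides.
    Returns (action, reference number), or (None, None) when no rule applies
    (the page does not state the outcome for that case, so none is assumed)."""
    for rule in evaluation_order(rules, enabled_order):
        if matches(rule):
            return rule.action, rule.ref
    return None, None

if __name__ == "__main__":
    print([r.ref for r in evaluation_order(TABLE_10)])  # Table 12 order
```

Flipping the enabled order to One-then-Two changes only the relative position of rules 1, 5 and 6, which share priority 2 and the Allow action, as the text on policy order states.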


A Final Word about Policy Order

As explained earlier, the enabled order of policies affects the order in which rules with the same priority and action are evaluated.

However, this will rarely be significant since the evaluation order of rules with the same priority and action would never affect the outcome for a given request.

The only thing to consider is a fine-tuning issue. If you have a rule that determines access for the majority of requests, and that rule has the same priority and action as other rules that rarely determine access, you might want to have the policy that contains the rule enabled first and the often-used rule listed before seldom-used rules in the policy. This will ensure that the rule that applies most often is the one the system evaluates first. Other rules would only be evaluated when the first rule doesn't apply.