Rule policies and expression policies

The PSL language utilizes two types of security policies: rule policies and expression policies.

Rule policies are the type used more often in a solution security policy description. They return a decision of "allowed" or "denied". Expression policies, by contrast, return a specific value, such as the current state of a class object, which can be used in the arguments of the other policies that called the expression policy.

Rule policies

A rule policy returns a decision of either "allowed" or "denied".

For example:

/* The startup of the "Server" entity is allowed only if the "flow_instance" object has the "ready_to_start" state. */
execute dst=Server {
    flow_instance.allow {sid: dst_sid, states: ["ready_to_start"]}
}

Some rule policies can change the state of the class object whose methods they provide. For example, a flow_instance.enter policy switches the flow_instance object to the state indicated in the policy argument.

The enter policy changes the state of a class object only if the event is not bound to other policies or if all bound policies returned a decision of "allowed". This rule applies to all rule policies that change the state of an object.

Expression policies

An expression policy returns a value that can be used in the arguments of other policies that call this expression policy.

For example, this value can be used in a multiple choice declaration. The choice declaration lets you link an event to various rule policies depending on the value returned by the expression policy.

An example of an expression policy is a query() policy, which returns the current state of a Flow class object:

/* When the "ResourceDriver" entity sends a request, the state of the "service_flow" object will be checked.
   If "service_flow" is in the "started" or "stopped" state, sending the request is allowed,
   otherwise it is denied. */
request src=ResourceDriver {
    choice (service_flow.query {sid: src_sid}) {
        "started" : grant ()
        "stopped" : grant ()
        _ : deny ()
    }
}
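The following Python model is an added example, not PSL code from this page or from KasperskyOS. It mimics the semantics described above for the Flow security model: allow and enter as rule policies, query as an expression policy dispatched through a choice, and the rule that enter changes the object's state only when every policy bound to the event returns "allowed". The class and function names are assumptions made for the model.

```python
ALLOWED, DENIED = "allowed", "denied"


class Flow:
    """Model of a Flow security model object (e.g. flow_instance, service_flow)."""

    def __init__(self, state):
        self.state = state

    def allow(self, states):
        # Rule policy: "allowed" only if the current state is one of `states`.
        return lambda: self.state in states

    def query(self):
        # Expression policy: returns the current state instead of a decision.
        return self.state

    def enter(self, state):
        # Rule policy requesting a transition; the transition is only recorded
        # here and is applied by evaluate() after all bound policies succeed.
        return lambda: ("enter", self, state)


def evaluate(bound_policies):
    """Evaluate every rule policy bound to one event; apply state changes last."""
    pending = []
    for policy in bound_policies:
        result = policy()
        if result is False:
            return DENIED          # one "denied" vetoes the event and any transition
        if result is not True:
            pending.append(result) # deferred state change from enter
    for _, flow, state in pending:
        flow.state = state         # applied only because all policies allowed
    return ALLOWED


def execute_server(flow_instance):
    # execute dst=Server { flow_instance.allow {sid: dst_sid, states: ["ready_to_start"]} }
    return evaluate([flow_instance.allow(["ready_to_start"])])


def request_resource_driver(service_flow):
    # request src=ResourceDriver { choice (service_flow.query {sid: src_sid}) {...} }
    return {"started": ALLOWED, "stopped": ALLOWED}.get(service_flow.query(), DENIED)


def start_server(flow_instance):
    # Constructed event binding allow and enter together: the object moves to
    # "started" only if the allow check on "ready_to_start" also passes.
    return evaluate([flow_instance.allow(["ready_to_start"]),
                     flow_instance.enter("started")])
```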
