...
1. Find union of authorizations that specify access for the requesting user. This includes:
   - authorizations that specify accessTo to the requested resource.
   - authorizations that specify accessToClass of the requested resource type.
   - If authorizations exist for user, go to step 6, else go to next step.
2. Find union of authorizations that specify access for the requesting user's group. This includes:
   - authorizations that specify accessTo to the requested resource.
   - authorizations that specify accessToClass of the requested resource type.
   - If authorizations exist for group, go to step 6, else go to next step.
3. Find union of authorizations that specify access for the requesting user. This includes:
   - authorizations that specify accessTo to the requested resource's ancestor.
   - authorizations that specify accessToClass of the requested resource's ancestor type.
   - If authorizations exist for user, go to step 6, else go to next step.
4. Find union of authorizations that specify access for the requesting user's group. This includes:
   - authorizations that specify accessTo to the requested resource's ancestor.
   - authorizations that specify accessToClass of the requested resource's ancestor type.
   - If authorizations exist for group, go to step 6, else go to next step.
5. If no authorization exists for user or group: Deny Allow Access.
6. Use the most least permissive from the set of authorizations found.
   - If the authorizations permit requested access mode: Grant access.
   - If the authorizations do not permit requested access mode: Deny access.
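The lookup order above, as an added Python example (not code from the original page): the search stops at the first of the four lookups that returns anything, so a user-level authorization on the resource hides a broader group-level one. The names `Authorization`, `RESOURCES`, `ACL` and the `group:` prefix are assumptions, as is treating every ancestor up to the root as "the ancestor"; the combining rule and the no-match default are passed in by the caller.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Authorization:
    agent: str                   # user or group the authorization names
    modes: frozenset             # access modes it carries
    access_to: str = None        # a specific resource path, or
    access_to_class: str = None  # a resource type

# Constructed sample data: path -> (type, parent path)
RESOURCES = {"/": ("Container", None), "/reports": ("Collection", "/"),
             "/reports/q1": ("Report", "/reports"), "/reports/q2": ("Report", "/reports")}
ACL = [
    Authorization("alice", frozenset({"read"}), access_to="/reports/q1"),
    Authorization("group:staff", frozenset({"read", "write"}), access_to="/reports/q1"),
    Authorization("group:staff", frozenset({"read"}), access_to_class="Collection"),
]

def _targets(path, ancestors):
    """The resource itself, or (assumption) every ancestor up to the root."""
    if not ancestors:
        return [path]
    out, parent = [], RESOURCES[path][1]
    while parent is not None:
        out.append(parent)
        parent = RESOURCES[parent][1]
    return out

def _match(acl, agents, targets):
    paths, types = set(targets), {RESOURCES[p][0] for p in targets}
    return [a for a in acl if a.agent in agents
            and (a.access_to in paths or a.access_to_class in types)]

def find_authorizations(acl, user, groups, path):
    """The four lookups in order: (tier 1-4, authorizations) for the first that matches."""
    tiers = [({user}, False), (set(groups), False), ({user}, True), (set(groups), True)]
    for tier, (agents, ancestors) in enumerate(tiers, start=1):
        found = _match(acl, agents, _targets(path, ancestors))
        if found:
            return tier, found
    return None, []

def decide(acl, user, groups, path, mode, combine, default_allow):
    """Final steps; the combining rule and no-match default are caller-supplied."""
    _, found = find_authorizations(acl, user, groups, path)
    if not found:
        return default_allow
    return mode in combine(*(a.modes for a in found))
```

With `combine=frozenset.union`, alice (a member of `group:staff`) is refused `write` on `/reports/q1` because her own read-only authorization matches in the first lookup, while bob, who has only the group membership, is granted it.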
...