...
1. Find union of authorizations that specify access for the requesting user. This includes:
   - authorizations that specify accessTo to the requested resource.
   - authorizations that specify accessToClass of the requested resource type.

   If authorizations exist for user, go to step 6, else go to next step.
2. Find union of authorizations that specify access for the requesting user's group. This includes:
   - authorizations that specify accessTo to the requested resource.
   - authorizations that specify accessToClass of the requested resource type.

   If authorizations exist for group, go to step 6, else go to next step.
3. Find union of authorizations that specify access for the requesting user. This includes:
   - authorizations that specify accessTo to the requested resource's ancestor.
   - authorizations that specify accessToClass of the requested resource's ancestor type.

   If authorizations exist for user, go to step 6, else go to next step.
4. Find union of authorizations that specify access for the requesting user's group. This includes:
   - authorizations that specify accessTo to the requested resource's ancestor.
   - authorizations that specify accessToClass of the requested resource's ancestor type.

   If authorizations exist for group, go to step 6, else go to next step.
5. If no authorization exists for user or group: Deny access.
6. Use the most permissive from the set of authorizations found.
   - If the authorizations permit the requested access mode: Grant access.
   - If the authorizations do not permit the requested access mode: Deny access.
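
The lookup order above, as an added Python example (not code from the page or from the project it describes). Assumptions: the field names and mode strings are hypothetical, "ancestor" is taken to mean every resource up the parent chain, "most permissive" is read as the union of modes in the found set, and the returned step number follows the numbering implied by "go to step 6".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Resource:
    path: str
    rtype: str
    parent: Optional["Resource"] = None

@dataclass(frozen=True)
class Authorization:
    modes: frozenset
    agents: frozenset = frozenset()
    groups: frozenset = frozenset()
    access_to: Optional[str] = None        # accessTo: one resource
    access_to_class: Optional[str] = None  # accessToClass: a resource type

def matching(auths, targets, who):
    """Authorizations selected by `who` that cover any target via accessTo or accessToClass."""
    return [a for a in auths if who(a) and any(
        a.access_to == t.path or a.access_to_class == t.rtype for t in targets)]

def decide(auths, user, user_groups, resource, mode):
    """Return (granted, step), where step is the numbered step that settled the request."""
    ancestors, node = [], resource.parent
    while node is not None:  # assumption: every ancestor in the chain counts
        ancestors.append(node)
        node = node.parent
    by_user = lambda a: user in a.agents
    by_group = lambda a: bool(a.groups & user_groups)
    lookups = [([resource], by_user), ([resource], by_group),
               (ancestors, by_user), (ancestors, by_group)]
    for step, (targets, who) in enumerate(lookups, start=1):
        found = matching(auths, targets, who)
        if found:  # steps 1-4: the first non-empty set wins, then step 6
            allowed = frozenset().union(*(a.modes for a in found))
            return (mode in allowed, step)
    return (False, 5)  # step 5: no authorization for user or group

# Constructed sample data (not from the page).
COLLECTION = Resource("/collection", "Collection")
REPORT = Resource("/collection/report", "Report", COLLECTION)
AUTHS = [
    Authorization(frozenset({"read", "write"}), groups=frozenset({"editors"}), access_to=REPORT.path),
    Authorization(frozenset({"read"}), agents=frozenset({"alice"}), access_to=COLLECTION.path),
    Authorization(frozenset({"read"}), agents=frozenset({"bob"}), access_to_class="Report"),
    Authorization(frozenset({"write"}), agents=frozenset({"bob"}), access_to=REPORT.path),
    Authorization(frozenset({"read"}), agents=frozenset({"dave"}), access_to=REPORT.path),
]
```

With this data, `dave` holds a read-only user authorization on the resource, so the search stops at step 1 and the write mode granted to his group `editors` is never consulted.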
...