The ADF is split into two parts:

1. The main part, doing the general work
2. The modules, called by the first part

For the main part of the ADF, there are several tasks to accomplish:

• Check every request and notification call for correct values.
• Collect some context data needed for all decisions (e.g. the ID and owner of the calling process).
• Prevent access to the RSBAC internal data (e.g. secondary storage of persistent lists).
• Remove attribute objects from general data structures for deleted objects.
• Dispatch request and notification calls to every decision module.
• Combine the module’s results into a meta policy to compute the final result.
• Perform generic logging.
• Return the final result to the AEF.
• Calls every module, in case a deleted or truncated FILE needs to be overwritten with zeros, and do so, if at least one module is asking for it.

The second part are the decision modules themselves (rule sets), which are computing the actual decisions, by checking their own rules against the data.

The modules also have to update their attributes accordingly during the notification call.

The decision modules themselves are free to do whatever necessary, to find a decision or to maintain their state variables through attributes in the data structures component. They only have to provide the specified request decision, notification and overwrite decision interfaces, and protect their private attributes against illegal access.

Table of Contents: RSBAC Handbook
Previous: Access Enforcement Facility (AEF)
Next: Data Structures Component (ACI & ACC)