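// Build a small policy set and ask the enforcer for an authorization decision.
// $enforcer is created before this excerpt (not visible here).
$decider = new Decider();
$enforcer->setDecider($decider);

// NOTE(review): `match` is a reserved word since PHP 8.0, so the unqualified
// class name `Match` used below only parses on PHP 7.x; confirm the runtime
// and library version this sample targets.

// Create some Matches
// NOTE(review): $action and $actionRule are read here but not assigned in this
// excerpt; presumably they are set earlier. $action is described as coming
// from the user, so it should be validated before it reaches the policy.

// Action requested by the user
$match1 = new Match('StringEqual', 'property1', 'TestMatch1', $action);
// Action allowed by what policy states that group can do
$match2 = new Match('StringEqual', 'property1', 'TestMatch2', $actionRule);

// Create a Target container for our Matches
$target = new Target();
$target->addMatches([$match1, $match2]);

// Make a new Rule and add the Target to it
$rule1 = new Rule();
$rule1->setTarget($target)
    ->setId('TestRule')
    ->setEffect('Permit')
    ->setDescription(
        // The two fragments previously joined without a space ("subjectthat").
        'Test to see if there is an attribute on the subject '
        . 'that exactly matches the word "test"'
    )
    ->setAlgorithm(new DenyOverrides());

// Make two new policies and add the Rule to it (with our Match)
// NOTE(review): the Rule is given an algorithm object while the Policies are
// given algorithm names as strings; confirm setAlgorithm() accepts both, and
// how the enforcer combines a permissive and a restrictive policy.
$policy1 = new Policy();
$policy1->setAlgorithm('AllowOverrides')
    ->setId('Policy1')
    ->addRule($rule1);

$policy2 = new Policy();
$policy2->setAlgorithm('DenyOverrides')
    ->setId('Policy2')
    ->addRule($rule1);

// Create the subject with its own Attribute
// The attribute is set from the same $actionRule that $match2 compares against,
// so (assuming 'StringEqual' is plain equality) $match2 always holds and the
// decision rests on whether $action equals $actionRule in $match1.
$subject = new Subject();
$subject->addAttribute(new Attribute('property1', $actionRule));

// Link the Policies to the Resource
$resource = new Resource();
$resource->addPolicy($policy1)
    ->addPolicy($policy2);

// Not passed to isAuthorized() in this excerpt.
$environment = null;

// From here on $action is an Action object, no longer the value given to $match1.
$action = new Action();

// Grant access only when the result is strictly true; treat anything else as a denial.
$result = $enforcer->isAuthorized($subject, $resource, $action);

// NOTE(review): the explanation below still names the literals "test" and
// "test1234", while this snippet takes those values from $action / $actionRule.
/**
 * The Subject does have a property that's equal to "test" on the "property1"
 * attribute, but the default Operation is to "fail closed". The other Match,
 * for "test1234" failed and DenyOverrides wins so the return is false.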