History
Origin
XACML, the eXtensible Access Control Markup Language, uses XML as its encoding. Writing policies directly in XACML produces bloated, human-unfriendly text, so a lighter-weight notation was needed. Axiomatics researcher Pablo Giambiagi therefore designed ALFA, the Axiomatics Language for Authorization. ALFA maps directly into XACML and has the same structural elements as XACML, i.e. PolicySet, Policy, and Rule.

Axiomatics donates ALFA to OASIS
In March 2014, Axiomatics announced it was donating ALFA to OASIS.

Structure
Just like XACML, ALFA has three structural elements:
* PolicySet
* Policy
* Rule
As in XACML, a PolicySet can contain PolicySet and Policy elements, and a Policy can contain Rule elements. A Rule carries an effect, either Permit or Deny. In addition, ALFA allows Rule elements to be written inside PolicySet as well as Policy elements. PolicySet, Policy, and Rule elements can be nested or referenced. To resolve conflicts between siblings, ALFA (like XACML) uses combining algorithms. Several are available, such as denyOverrides, permitOverrides, firstApplicable and denyUnlessPermit, and the choice determines how the Permit, Deny, NotApplicable and Indeterminate results of the children are merged into one decision.
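The following is an added example written for this page, not code from the original article or from the ALFA specification. It shows all three elements nested in one file and two different combining algorithms at work; the namespace, the attribute ids other than the standard action-id, and the literal values are assumed for illustration.

```alfa
namespace example.structure {

    // Attribute declarations. The ids and values are assumed for this example;
    // only actionId uses the standard XACML identifier.
    attribute role {
        category = subjectCat
        id = "urn:example:subject:role"
        type = string
    }
    attribute resourceType {
        category = resourceCat
        id = "urn:example:resource:type"
        type = string
    }
    attribute classification {
        category = resourceCat
        id = "urn:example:resource:classification"
        type = string
    }
    attribute actionId {
        category = actionCat
        id = "urn:oasis:names:tc:xacml:1.0:action:action-id"
        type = string
    }

    // PolicySet: applies to documents only. Its children are combined with
    // denyOverrides, so a Deny from any child policy beats a Permit from another.
    policyset documents {
        target clause resourceType == "document"
        apply denyOverrides

        // Policy: its rules are combined with firstApplicable, so rule order
        // matters. The Deny rule is deliberately listed first.
        policy readAccess {
            target clause actionId == "read"
            apply firstApplicable

            rule denySecret {
                target clause classification == "secret"
                deny
            }
            rule permitEmployees {
                target clause role == "employee"
                permit
            }
        }

        // Sibling policy: always denies contractors. Because the parent uses
        // denyOverrides, this Deny wins even when readAccess would permit.
        policy blockContractors {
            target clause role == "contractor"
            apply firstApplicable

            rule denyAll {
                deny
            }
        }
    }
}
```

With firstApplicable, swapping the two rules inside readAccess would let an employee read a secret document, which is why the most restrictive rule comes first. Under the parent's denyOverrides the order of the two policies does not matter, since any Deny wins regardless of position.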
Data types

ALFA supports all the XACML data types.

Native attribute values mapped directly from ALFA to XACML
String, integer, double, and boolean all map directly from ALFA to XACML; their literals need no conversion.

ALFA policy using boolean attributes
Attribute values which need an explicit conversion
The following attribute data types need an explicit conversion:
* http://www.w3.org/2001/XMLSchema#time
* http://www.w3.org/2001/XMLSchema#date
* http://www.w3.org/2001/XMLSchema#dateTime
* http://www.w3.org/2001/XMLSchema#anyURI
* http://www.w3.org/2001/XMLSchema#hexBinary
* http://www.w3.org/2001/XMLSchema#base64Binary
* http://www.w3.org/2001/XMLSchema#dayTimeDuration
* http://www.w3.org/2001/XMLSchema#yearMonthDuration
* urn:oasis:names:tc:xacml:1.0:data-type:x500Name
* urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
* urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
* urn:oasis:names:tc:xacml:2.0:data-type:dnsName
* urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression

Example: ALFA policy using anyURI
In this policy, a string literal is converted to anyURI with the :anyURI suffix.
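As an added example covering both the boolean section above and the anyURI case (written for this page, not taken from the original article), the policy below uses native boolean and integer literals without conversion next to anyURI, date and rfc822Name literals that carry an explicit type suffix. The namespace, the non-standard attribute ids and all literal values are assumed.

```alfa
namespace example.datatypes {

    // Native types: boolean and integer literals map straight to
    // http://www.w3.org/2001/XMLSchema#boolean and #integer
    attribute mfaVerified {
        category = subjectCat
        id = "urn:example:subject:mfa-verified"
        type = boolean
    }
    attribute clearanceLevel {
        category = subjectCat
        id = "urn:example:subject:clearance-level"
        type = integer
    }

    // Types whose literals need an explicit conversion
    attribute documentUri {
        category = resourceCat
        id = "urn:example:resource:uri"
        type = anyURI
    }
    attribute currentDate {
        category = environmentCat
        id = "urn:oasis:names:tc:xacml:1.0:environment:current-date"
        type = date
    }
    attribute email {
        category = subjectCat
        id = "urn:example:subject:email"
        type = rfc822Name
    }

    policy typedLiterals {
        apply denyUnlessPermit

        rule nativeTypes {
            // true and 3 are plain literals; no suffix is needed
            target clause mfaVerified == true
            permit
            condition clearanceLevel >= 3
        }

        rule convertedTypes {
            // Without ":anyURI" the literal would be typed as a string and could
            // not be compared with the anyURI attribute; the suffix makes the
            // compiler emit the anyURI equality function instead of string-equal.
            target clause documentUri == "https://docs.example.com/public/index.html":anyURI
            permit
            condition currentDate >= "2025-01-01":date
                && email == "alice@example.com":rfc822Name
        }
    }
}
```

The same `"literal":type` form works for every data type in the list above; the literal text must itself be valid for the target type (a lexically valid xs:date, a syntactically valid RFC 822 address, and so on) or the policy fails at compile time rather than silently never matching.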
Sample policies

A simple policy & rule with a condition
The following ALFA example represents a XACML policy containing a single rule. Both the policy and the rule have a target. The rule also has a condition that compares two attributes with each other to implement a relationship check (the user ID must equal the owner). Whenever two attributes need to be compared with each other, a condition must be used: a target can only match an attribute against a literal value.
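The policy described above, as an added example written for this page (not the original article's listing). The namespace, the owner and resource-type attribute ids and the literal values are assumed; subject-id and action-id are the standard XACML identifiers.

```alfa
namespace example.ownership {

    attribute userId {
        category = subjectCat
        id = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        type = string
    }
    attribute owner {
        category = resourceCat
        id = "urn:example:resource:owner"
        type = string
    }
    attribute resourceType {
        category = resourceCat
        id = "urn:example:resource:type"
        type = string
    }
    attribute actionId {
        category = actionCat
        id = "urn:oasis:names:tc:xacml:1.0:action:action-id"
        type = string
    }

    policy documentOwnership {
        // Policy target: attribute versus literal, so a target can express it
        target clause resourceType == "document"
        // denyUnlessPermit: NotApplicable and Indeterminate (for instance when
        // the owner attribute is missing from the request) collapse to Deny
        apply denyUnlessPermit

        rule ownerCanEdit {
            // Rule target: again attribute versus literal
            target clause actionId == "edit"
            permit
            // Relationship check: two attributes compared with each other.
            // A XACML target cannot express this, so it goes in a condition.
            condition userId == owner
        }
    }
}
```

Two points a reviewer would check here: the subject-id is asserted by the PEP, so the comparison is only as trustworthy as the authentication behind it, and the owner attribute must be resolvable (from the request or a PIP) for every document, because an absent value makes the condition Indeterminate. The combining algorithm turns that Indeterminate into a Deny rather than leaking a Permit, which is the fail-closed behaviour wanted for an ownership check.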
Using time in a XACML policy written in ALFA

Policy references
ALFA can use policy and policy set references. They are in fact used implicitly when doing the following.
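An added example of the implicit reference mechanism (written for this page, not taken from the original article): a policy declared at namespace level is named from inside two policy sets, which the compiler turns into a PolicyIdReference in each. The namespace, the non-standard attribute ids and the literal values are assumed.

```alfa
namespace example.references {

    attribute role {
        category = subjectCat
        id = "urn:example:subject:role"
        type = string
    }
    attribute resourceType {
        category = resourceCat
        id = "urn:example:resource:type"
        type = string
    }
    attribute actionId {
        category = actionCat
        id = "urn:oasis:names:tc:xacml:1.0:action:action-id"
        type = string
    }

    // Declared once at namespace level so that several policy sets can reuse it
    policy adminOverride {
        target clause role == "admin"
        apply firstApplicable

        rule permitAdmin {
            permit
        }
    }

    policyset documents {
        target clause resourceType == "document"
        apply firstApplicable

        // Naming a policy declared elsewhere compiles to a PolicyIdReference;
        // the PDP resolves it by policy id at load time and nothing is copied
        adminOverride

        policy documentDefaults {
            apply denyUnlessPermit
            rule readOnly {
                target clause actionId == "read"
                permit
            }
        }
    }

    policyset reports {
        target clause resourceType == "report"
        apply firstApplicable

        adminOverride

        policy reportDefaults {
            apply denyUnlessPermit
            rule viewOnly {
                target clause actionId == "view"
                permit
            }
        }
    }
}
```

Because the reference is resolved by id, the referenced policy has to be deployed to the PDP alongside the policy sets that name it, and editing adminOverride changes the outcome of every policy set that references it; both are worth a check in a policy review.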
Obligations and advice

Obligations and advice are statements in XACML that the PDP can return to the PEP alongside the decision (Permit, Deny, ...). Both can be triggered on either Permit or Deny. The difference is in enforcement: a PEP must not act on a decision whose obligations it does not understand or cannot discharge, whereas advice may be ignored.

Break the glass authorization scenario
Start by defining the attributes and obligations:
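The following added example (written for this page, not the original article's listing) works through the break-the-glass scenario and at the same time illustrates the obligation and advice section above: normal access for the attending physician, emergency access for any physician who asserts break-the-glass with an audit obligation attached, and a default Deny that carries advice. The namespace, the non-standard attribute ids, the obligation and advice identifiers and all literal values are assumed.

```alfa
namespace example.btg {

    attribute userId {
        category = subjectCat
        id = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        type = string
    }
    attribute role {
        category = subjectCat
        id = "urn:example:subject:role"
        type = string
    }
    // Set to true by the PEP only when the user explicitly invokes emergency access
    attribute breakTheGlass {
        category = subjectCat
        id = "urn:example:subject:break-the-glass"
        type = boolean
    }
    attribute resourceType {
        category = resourceCat
        id = "urn:example:resource:type"
        type = string
    }
    attribute patientId {
        category = resourceCat
        id = "urn:example:resource:patient-id"
        type = string
    }
    // Carried in the advice payload
    attribute reason {
        category = environmentCat
        id = "urn:example:advice:reason"
        type = string
    }

    obligation auditEmergencyAccess = "urn:example:obligation:audit-emergency-access"
    advice denialReason = "urn:example:advice:denial-reason"

    policyset patientRecords {
        target clause resourceType == "medical-record"
        apply firstApplicable

        // Normal path: the attending physician gets in with nothing attached
        policy normalAccess {
            apply firstApplicable
            rule attendingPhysician {
                target clause role == "attending-physician"
                permit
            }
        }

        // Emergency path: any physician who asserts break-the-glass gets in,
        // but only if the PEP discharges the audit obligation; a PEP that
        // cannot fulfil it must deny instead of permitting.
        policy emergencyAccess {
            target clause breakTheGlass == true
            apply firstApplicable
            rule physicianBreaksGlass {
                target clause role == "physician"
                permit
                on permit {
                    obligation auditEmergencyAccess {
                        userId = userId
                        patientId = patientId
                    }
                }
            }
        }

        // Catch-all Deny with advice; unlike an obligation, advice may be ignored
        policy denyByDefault {
            apply firstApplicable
            rule denyAll {
                deny
                on deny {
                    advice denialReason {
                        reason = "Not the attending physician and break-the-glass not asserted"
                    }
                }
            }
        }
    }
}
```

The breakTheGlass flag is supplied by the requester's side, so the policy does not try to judge whether the emergency is real; it makes the override auditable by binding the user and patient into the obligation and leaves it to the PEP to refuse access when the audit record cannot be written.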
Time-based fine-grained authorization policy

The following is an example of an ABAC policy implemented in ALFA that uses time as an attribute. A XACML condition compares the currentTime attribute with a value representing 5pm (17:00:00 in 24-hour notation). Note the use of :time to convert the string literal to the time data type.
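The time-based policy, as an added example written for this page (not the original article's listing). It extends the single 5pm comparison to a business-hours window and adds a role that is exempt from it; the namespace, the non-standard attribute ids and the literal values are assumed, while current-time is the standard XACML environment attribute.

```alfa
namespace example.timebased {

    // Standard XACML environment attribute; the PDP should populate it itself
    attribute currentTime {
        category = environmentCat
        id = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
        type = time
    }
    attribute role {
        category = subjectCat
        id = "urn:example:subject:role"
        type = string
    }
    attribute resourceType {
        category = resourceCat
        id = "urn:example:resource:type"
        type = string
    }

    policy businessHours {
        target clause resourceType == "ledger"
        // Anything that is not an explicit Permit becomes Deny, including an
        // Indeterminate caused by a missing or malformed current-time value
        apply denyUnlessPermit

        rule accountantsDuringOfficeHours {
            target clause role == "accountant"
            permit
            // ":time" converts each string literal to xs:time so the compiler
            // emits the time comparison functions rather than string comparisons;
            // 17:00:00 is 5pm in 24-hour notation
            condition currentTime >= "09:00:00":time && currentTime < "17:00:00":time
        }

        rule onCallAnyTime {
            target clause role == "on-call-auditor"
            permit
        }
    }
}
```

Two caveats for a deployment: the PDP, not the PEP, should be the source of current-time, because a value accepted from the request is under the caller's control; and a time literal without a timezone is interpreted in the PDP's own zone, so either write the literals with an explicit offset or make sure every PDP in the fleet runs in the zone the policy author had in mind.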
HL7 policies

Use cases
HL7 defines a series of medical access control

Sample ALFA policies for HL7
Access control based on category of action
Implementations
VS Code extension
A free extension for the VS Code editor supports code completion, syntax highlighting, refactoring, and go-to-definition navigation. It can also compile ALFA into XACML 3.0.

Plugin for Eclipse
The ALFA Plugin for Eclipse turns the Eclipse IDE into a dedicated editor for authorization policies written in ALFA syntax. ALFA policies can then be converted into XACML 3.0 policies and loaded into a XACML policy management tool.