ALFA (XACML)


ALFA, the Abbreviated Language For Authorization, is a pseudocode-style domain-specific language for writing access-control policies. ALFA policies are compiled into XACML.

History

Origin

XACML, the eXtensible Access Control Markup Language, uses XML as its encoding. XML policies are verbose and error-prone to write by hand, so a lighter notation was wanted. Axiomatics researcher Pablo Giambiagi therefore designed ALFA, originally the Axiomatics Language for Authorization.
ALFA maps directly onto XACML: it has the same structural elements as XACML, namely PolicySet, Policy, and Rule, and each ALFA construct corresponds to a XACML element.

Axiomatics donates ALFA to OASIS

In March 2014, Axiomatics announced it was donating ALFA to the OASIS XACML Technical Committee in order to advance its standardization.
ALFA was consequently renamed Abbreviated Language for Authorization and submitted for standardization. The current version is published by the OASIS XACML Technical Committee.

Sample Use Cases

Words such as doctor, view, medical record and Singapore are all examples of attribute values (here a subject role, an action, a resource type and a location). Attributes are the building blocks of policies in attribute-based access control (ABAC) and consequently in ALFA.

Structure

Just like XACML, ALFA has three structural elements: PolicySet, Policy, and Rule.
As in XACML, a PolicySet can contain PolicySet and Policy elements, and a Policy can contain Rule elements. A Rule carries the decision, Permit or Deny. In addition, ALFA allows Rule elements to be placed directly inside PolicySet elements as well as Policy elements. PolicySet, Policy, and Rule elements can be nested or referenced.
To resolve conflicts between sibling elements, ALFA uses the XACML combining algorithms (for example deny-overrides, permit-overrides, first-applicable and deny-unless-permit), selected with the apply keyword. Their behavior is defined in the OASIS XACML core specification.
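To show these elements together, here is an added ALFA example written for this article (it is not taken from the original page or from Axiomatics): a PolicySet that nests a Policy, carries a Rule of its own, and selects a combining algorithm at each level. The attribute names and identifiers are hypothetical; actionId is assumed to come from the plugin's standard Attributes namespace.

```alfa
namespace structureExample {
    import Attributes.*

    // Hypothetical attributes; the identifiers are made up for this example.
    attribute role { id = "structureExample.role" type = string category = subjectCat }
    attribute resourceType { id = "structureExample.resourceType" type = string category = resourceCat }
    attribute accountLocked { id = "structureExample.accountLocked" type = boolean category = subjectCat }

    // Top-level PolicySet: a Deny from any child wins over a Permit from another.
    policyset medicalRecords {
        target clause resourceType == "medical record"
        apply denyOverrides

        // ALFA allows a Rule directly inside a PolicySet.
        rule lockedAccounts {
            target clause accountLocked == true
            deny
        }

        // Nested Policy with its own combining algorithm for its rules.
        policy viewAccess {
            target clause actionId == "view"
            apply firstApplicable

            rule doctors {
                target clause role == "doctor"
                permit
            }
            rule nurses {
                target clause role == "nurse"
                permit
            }
            // Catch-all so the Policy never returns NotApplicable for a "view".
            rule everyoneElse {
                deny
            }
        }
    }
}
```

For a request in which a doctor whose account is locked tries to view a medical record, lockedAccounts yields Deny and viewAccess yields Permit, so denyOverrides returns Deny. The same two siblings under permitOverrides would return Permit, and under firstApplicable the first applicable child (lockedAccounts) decides. Choosing the algorithm is therefore part of the security design, not a formatting detail.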

Data types

ALFA supports all the data types defined in the OASIS XACML Core Specification. Some, such as the numeric and boolean types, map directly from ALFA to XACML. Others, such as date or time, must be converted from a string literal. To convert a literal into the required data type, use the "value":datatype notation, as in the examples below.

Native attribute values mapped directly from ALFA to XACML

String, integer, double, and boolean map directly from ALFA to XACML and need no conversion.

ALFA Policy using Boolean Attributes


namespace exampleBoolean

Attribute values which need an explicit conversion

Attribute datatypes other than string, integer, double, and boolean need an explicit conversion, for example anyURI, date, time, dateTime and the duration types.
In the following policy, a String value is converted to anyURI.

attribute userBlacklistedResources


rule allowProfileAccess
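The following added example (written for this article, not code from the original page or from Axiomatics) puts the native and the converted cases side by side: boolean and integer literals are used as they are, while anyURI and date literals carry the "value":datatype suffix. The attribute names, identifiers, URL and go-live date are hypothetical; currentDate is assumed to come from the plugin's standard Attributes namespace.

```alfa
namespace datatypeExample {
    import Attributes.*

    // Hypothetical attributes; identifiers are made up for this example.
    attribute isContractor { id = "datatypeExample.isContractor" type = boolean category = subjectCat }
    attribute clearanceLevel { id = "datatypeExample.clearanceLevel" type = integer category = subjectCat }
    attribute contractEndDate { id = "datatypeExample.contractEndDate" type = date category = subjectCat }
    attribute documentUri { id = "datatypeExample.documentUri" type = anyURI category = resourceCat }

    policy internalDocuments {
        // denyOverrides so that the go-live rule below can veto the permits.
        apply denyOverrides

        // Native types: the boolean literal false and the integer literal 3
        // map straight to XACML with no conversion.
        rule clearedEmployees {
            target clause isContractor == false
            permit
            condition integerOneAndOnly(clearanceLevel) >= 3
        }

        // Converted type: the string literal becomes an anyURI with the
        // "value":datatype notation so it matches the attribute's type.
        rule contractorsHandbookOnly {
            target clause isContractor == true
                   and documentUri == "https://intranet.example.com/handbook":anyURI
            permit
            condition dateOneAndOnly(contractEndDate) >= dateOneAndOnly(currentDate)
        }

        // A literal date needs the same conversion as a date attribute.
        rule nothingBeforeGoLive {
            deny
            condition dateOneAndOnly(currentDate) < "2025-01-01":date
        }
    }
}
```

Without the :anyURI or :date suffix the literal stays a string, and a string cannot be compared with an anyURI or date attribute; the suffix is what selects the typed XACML equality and comparison functions in the generated policy.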

Sample Policies

A simple policy & rule with a condition

The following ALFA example represents a XACML policy that contains a single rule. The policy and the rule both have a target. The rule also has a condition that compares two attributes with each other to implement a relationship check. A target can only match an attribute against literal values, so whenever two attributes must be compared with each other, a condition is required.
namespace example
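As an added illustration of the target-versus-condition distinction (written for this article, not code from the original page or from Axiomatics), this policy matches literals in its targets and uses a condition only for the relationship check between the record's assigned doctor and the requesting subject. Attribute names and identifiers are hypothetical; subjectId and actionId are assumed to come from the plugin's standard Attributes namespace.

```alfa
namespace relationshipExample {
    import Attributes.*

    // Hypothetical attributes; identifiers are made up for this example.
    attribute role { id = "relationshipExample.role" type = string category = subjectCat }
    attribute resourceType { id = "relationshipExample.resourceType" type = string category = resourceCat }
    attribute assignedDoctor { id = "relationshipExample.assignedDoctor" type = string category = resourceCat }

    policy medicalRecords {
        // Policy target: attributes matched against literal values only.
        target clause actionId == "view" and resourceType == "medical record"
        apply firstApplicable

        rule treatingDoctor {
            // Rule target: again a literal match.
            target clause role == "doctor"
            permit
            // Relationship check between two attributes; only a condition can
            // do this. Each bag is reduced to a single value first.
            condition stringOneAndOnly(assignedDoctor) == stringOneAndOnly(subjectId)
        }
    }
}
```

stringOneAndOnly fails (the rule evaluates to Indeterminate rather than NotApplicable) when the bag is empty or holds more than one value, so a record with no assigned doctor does not silently fall through; how that Indeterminate is treated is then up to the combining algorithm of the enclosing policy.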

Using time in a XACML policy written in ALFA


namespace exampleTime

Obligations & Advice in ALFA

Obligations and advice are statements in XACML that the PDP returns to the PEP alongside the decision; each is triggered on either Permit or Deny. A PEP must be able to discharge every obligation it receives before acting on the decision, and must deny access if it cannot, whereas advice may be ignored.

namespace example
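An added example (written for this article, not code from the original page or from Axiomatics) declaring one obligation and one advice, attaching the obligation to a Permit and the advice to a Deny. Attribute names and identifiers are hypothetical; subjectId and actionId are assumed to come from the plugin's standard Attributes namespace.

```alfa
namespace obligationExample {
    import Attributes.*

    // Hypothetical attributes; identifiers are made up for this example.
    attribute role { id = "obligationExample.role" type = string category = subjectCat }
    attribute resourceType { id = "obligationExample.resourceType" type = string category = resourceCat }
    // Attributes carried in the obligation and advice payloads.
    attribute message { id = "obligationExample.message" type = string category = environmentCat }
    attribute accessedBy { id = "obligationExample.accessedBy" type = string category = environmentCat }

    // Declared once, referenced from the rules below.
    obligation auditAccess = "obligationExample.obligation.auditAccess"
    advice explainDenial = "obligationExample.advice.explainDenial"

    policy medicalRecords {
        target clause resourceType == "medical record" and actionId == "view"
        apply firstApplicable

        rule doctorsMayView {
            target clause role == "doctor"
            permit
            // Returned with the Permit; the PEP must discharge it before granting access.
            on permit {
                obligation auditAccess {
                    message = "medical record viewed"
                    accessedBy = stringOneAndOnly(subjectId)
                }
            }
        }

        rule denyOthers {
            deny
            // Returned with the Deny; the PEP may use it, e.g. in an error message, or ignore it.
            on deny {
                advice explainDenial {
                    message = "only doctors may view medical records"
                }
            }
        }
    }
}
```

The audit record is an obligation, not advice, precisely because the PEP is required to discharge obligations or deny: if logging fails, access is refused rather than granted unrecorded.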

Break the Glass Authorization Scenario

Let's start by defining the attributes and obligations we will use.

namespace com.axiomatics.examples
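The following added example (written for this article, not code from the original page or from Axiomatics) is one way to express break the glass in ALFA: a deny-unless-permit PolicySet with a normal path for the treating doctor and an emergency path that any doctor can take by asserting a flag, at the price of an obligation that notifies a privacy officer. Attribute names, identifiers and the flag's category are hypothetical; subjectId and actionId are assumed to come from the plugin's standard Attributes namespace.

```alfa
namespace breakTheGlassExample {
    import Attributes.*

    // Hypothetical attributes; identifiers are made up for this example.
    attribute role { id = "breakTheGlassExample.role" type = string category = subjectCat }
    attribute resourceType { id = "breakTheGlassExample.resourceType" type = string category = resourceCat }
    attribute assignedDoctor { id = "breakTheGlassExample.assignedDoctor" type = string category = resourceCat }
    // Set to true by the application when the user explicitly invokes the emergency override.
    attribute breakTheGlass { id = "breakTheGlassExample.breakTheGlass" type = boolean category = environmentCat }
    attribute message { id = "breakTheGlassExample.message" type = string category = environmentCat }

    obligation notifyPrivacyOfficer = "breakTheGlassExample.obligation.notifyPrivacyOfficer"

    policyset medicalRecords {
        target clause resourceType == "medical record" and actionId == "view"
        // Nothing is permitted unless some rule explicitly permits it.
        apply denyUnlessPermit

        // Normal path: only the treating doctor may view the record.
        policy normalAccess {
            apply firstApplicable
            rule treatingDoctor {
                target clause role == "doctor"
                permit
                condition stringOneAndOnly(assignedDoctor) == stringOneAndOnly(subjectId)
            }
        }

        // Emergency path: any doctor who breaks the glass, always with an audit obligation.
        policy emergencyAccess {
            target clause breakTheGlass == true
            apply firstApplicable
            rule anyDoctorInAnEmergency {
                target clause role == "doctor"
                permit
                on permit {
                    obligation notifyPrivacyOfficer {
                        message = "break-the-glass access to a medical record"
                    }
                }
            }
        }
    }
}
```

The flag is asserted by the caller, so the policy cannot tell a real emergency from an abusive one; what makes the pattern acceptable is that the override is never silent: the obligation is attached to the emergency rule itself, and a PEP that cannot deliver the notification must deny.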

Time-based fine-grained authorization policy

The following is an example of an ABAC policy implemented in ALFA. It uses the current time as an attribute and a XACML condition to compare the currentTime attribute with the value representing 5pm. Note the use of :time to convert the String literal to the time data type.

rule allowAfter5pm
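As an added example for both time-related sections of this article (written for it, not code from the original page or from Axiomatics), this policy combines a business-hours range check with an after-5pm rule. Attribute names and identifiers are hypothetical; currentTime and actionId are assumed to come from the plugin's standard Attributes namespace.

```alfa
namespace timeExample {
    import Attributes.*

    // Hypothetical attributes; identifiers are made up for this example.
    attribute role { id = "timeExample.role" type = string category = subjectCat }
    attribute resourceType { id = "timeExample.resourceType" type = string category = resourceCat }

    policy supportTickets {
        target clause resourceType == "ticket" and actionId == "edit"
        apply denyUnlessPermit

        // Agents may edit during business hours, 09:00 to 17:00.
        // currentTime is a bag, so it is reduced with timeOneAndOnly; the
        // literals are converted from string to time with :time.
        rule duringBusinessHours {
            target clause role == "agent"
            permit
            condition timeInRange(timeOneAndOnly(currentTime), "09:00:00":time, "17:00:00":time)
        }

        // After 5pm only the on-call role may edit.
        rule onCallAfter5pm {
            target clause role == "onCall"
            permit
            condition timeOneAndOnly(currentTime) > "17:00:00":time
        }
    }
}
```

The literals carry no UTC offset. If the PDP's context handler supplies currentTime with an offset, or in a different zone from the one the policy author had in mind, the comparison does not mean what it appears to mean; agree on one convention for the environment attributes and the literals before relying on a time-based rule.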

HL7 Policies

Use Cases

HL7 defines a series of medical access-control use cases that can be expressed directly in ALFA.

Sample ALFA policies for HL7

Access Control Based on Category of Action
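As an added illustration of a policy keyed on the category of the requested action (written for this article; it is not code from the original page, from Axiomatics, or from any HL7 specification), the following ALFA grants read, update and delete actions on medical records to different roles. The attribute names, identifiers and role names are hypothetical.

```alfa
namespace actionCategoryExample {
    import Attributes.*

    // Hypothetical attributes; identifiers are made up for this example and
    // are not taken from any HL7 specification.
    attribute actionCategory { id = "actionCategoryExample.actionCategory" type = string category = actionCat }
    attribute role { id = "actionCategoryExample.role" type = string category = subjectCat }
    attribute resourceType { id = "actionCategoryExample.resourceType" type = string category = resourceCat }

    policy medicalRecordsByActionCategory {
        target clause resourceType == "medical record"
        apply denyUnlessPermit

        // Read-type actions: any clinical role.
        rule clinicalStaffMayRead {
            target clause actionCategory == "read"
            permit
            condition stringIsIn(stringOneAndOnly(role), stringBag("doctor", "nurse"))
        }

        // Update-type actions: doctors only.
        rule doctorsMayUpdate {
            target clause actionCategory == "update" and role == "doctor"
            permit
        }

        // Delete-type actions: the records administrator only.
        rule administratorsMayDelete {
            target clause actionCategory == "delete" and role == "recordsAdministrator"
            permit
        }
    }
}
```

Keying the policy on an action category rather than on individual operation names keeps the rule set small when an application exposes many operations; the mapping from concrete operations to categories then has to be maintained in the PEP and is itself security-relevant.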

The ALFA plugin for Eclipse

The ALFA Plugin for Eclipse turns the Eclipse IDE into a dedicated editor for authorization policies written in ALFA syntax. ALFA policies can then be converted into XACML 3.0 policies and loaded into a XACML policy management tool.