A simple example

The following is an example of an XACML policy written in ALFA:

namespace documents {
    policy topLevel {
        target clause Attributes.resourceType == "document"
        apply denyOverrides
        rule {
            permit
            condition Attributes.userClearance >=
                      Attributes.resourceClassification
        }
        rule {
            deny
            condition Attributes.documentStatus == "draft"
                && not(Attributes.documentAuthor == Attributes.subjectId)
        }
    }
}

The first line declares a namespace in which the policies exist. All ALFA documents must start with a namespace declaration. Namespaces are used to collect related policies under a shared name structure. By default the identifiers of the policies will inherit the namespace they belong to.

The second line defines a policy with the name topLevel. Naming a policy is optional, but for top level policies it is useful to define it since the namespace and the policy name are used to confirm the name of the XACML XML file that is produced by the compiler. In this case, the filename will be documents.topLevel.xml.

This policy has a target that is defined on the third line. A target is a conditional expression that determines when a policy or a rule applies. Targets are optional in both policies and rules. In the above example, the target matches if the request contains a resource type attribute with the value "document".

Note that attributes in XACML are multi-valued, so-called "bags", so any attribute in the request may contain zero or more values, and a value may even be repeated multiple times. The expression in the target matches if there is at least one matching value.

A target can contain a list of clauses that can be combined with "and" or "or". In this case there is only one expression so that structure is not visible. There is, however, another example below with a more complex target.

Within the policy there are two rules. One of the rules may permit access and the other one may deny access, depending on how the rules match the request. The policy applies a deny override algorithm to decide which gets priority in the event that both rules match. In such a case, the deny decision will receive priority.

The two rules do not contain any target; rather, they use a condition, which is another way to define how a rule or a policy matches. A condition is not limited to a special structure, unlike a target, which is why it is used in this instance.

The first rule will permit access to the document if the user's clearance is at least as high as the document's classification. The second rule will override this if the document's status is draft and the user attempting access is not the author of the document.

Note that the operators "==", "\<", etc., can be applied to bags in the condition. If the values are not bags, then the operator is applied between the two atomic values. However, if either operand is a bag, the operator is applied through the XACML any-of-any function, which means that as in the target the operator returns true if at least one combination of values causes the operator to evaluate to true. For example, if there are three authors of the document "Alice", "Bob" and "Carol", and the subject is "Alice", then the expression "Attributes.documentAuthor == Attributes.subjectId" would be true.

Some operators (e.g., "+") cannot operate on bags, so these will cause a syntax error that will be highlighted in the editor. For more details on this feature, see the operator definitions in this guide.

The attributes themselves are defined in a separate file. In this case, we have the following definitions:

namespace Attributes {
    import System.*
    attribute resourceType {
        id = "http://example.com/xacml/attr/resource/type"
        type = string
        category =resourceCat
    }
    attribute resourceClassification {
        id = "http://example.com/xacml/attr/resource/classification"
        type = integer
        category = resourceCat
    }
   
    attribute userClearance {
        id = "http://example.com/xacml/attr/subject/clearance"
        type = integer
        category = subjectCat
    }
    attribute documentStatus {
        id = "http://example.com/xacml/attr/resource/documentStatus"
        type = string
        category = resourceCat
    }
  
    attribute documentAuthor {
        id = "http://example.com/xacml/attr/resource/documentAuthor"
        type = string
        category = resourceCat
    }
    
    attribute subjectId {
        id = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        type = string
        category = subjectCat
    }
}

These define how the attributes are translated into XACML attributes. For each attribute there is a short name, which is used when writing policies in ALFA, the full XACML attribute identifier, the data type of the attribute and the category it belongs to (subject, resource, action, environment, etc.).

Axiomatics
The Visual Studio Code extension for ALFA was developed by Axiomatics.
FOLLOW US