Conditions

Conditions are another way to write expressions in XACML and are more expressive than targets, which are limited to matching attributes against constant values. With conditions, you can match attributes against other attributes, manipulate attribute values, perform arithmetic, and more.

Conditions can appear in rules, policies or policy sets. Note that the XACML standard allows conditions only in rules, not in policies or policy sets. However, if the compiler encounters a condition in a policy or policy set, it will automatically generate a rule to contain the condition and a couple of extra policies with particular combining algorithms. This produces the same effect as if the condition had been written directly in the policy or policy set, which greatly simplifies the modeling of certain use cases since conditions are much more expressive than targets.

A condition is written with the keyword "condition" followed by an expression that must return a Boolean value. The expression in turn is built from operators or function calls applied to attributes and literal values.

Here is an example of a simple condition:

condition Attributes.userClearance >= Attributes.resourceClassification

In this case, the expression consists of a single operator applied to two attributes. Because an attribute can carry several values (it is a bag), the comparison holds when at least one value of the user clearance attribute is greater than or equal to at least one value of the resource classification attribute.

XACML has a large set of functions that operate on attribute values. To call a function, use the name under which it has been declared (typically in system.alfa) followed by the arguments in parentheses. Here is an example of a condition that uses function calls:

condition
    allOf(function[stringRegexpMatch], ".*fishing.*", [Attributes.clubMembership])
    && Attributes.age > 25

This example checks that all club memberships of the subject contain the word "fishing" and that the age of the subject is greater than 25.

The function being called is allOf. Its first argument is another function, passed with the function[] syntax; the second argument is a string (the regular expression) and the third is a bag of strings. allOf applies the provided function, stringRegexpMatch, to the second argument and each value of the bag in turn, and returns true only if stringRegexpMatch returns true for every value. Two details matter in practice. The pattern is written ".*fishing.*" rather than "fishing" because XACML regular expressions follow the XML Schema syntax, in which a pattern must match the whole string, so the leading and trailing ".*" are what allow "fishing" to be found inside a longer membership name. And allOf is vacuously true for an empty bag, so a subject that has no clubMembership attribute at all satisfies the first part of the condition unless the policy checks for the attribute's presence separately.
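To make the evaluation semantics of both conditions above concrete (the clearance comparison and the club membership check), here is an added Python model. It is not part of the original page and is not the Axiomatics compiler or policy decision point; it only mirrors the XACML higher-order bag functions the text describes. It assumes the any-of-any translation described for an operator applied to two bag-valued attributes, treats the bag-versus-constant comparison on age the same way (at least one value must satisfy it, which is an assumption about how the compiler translates that case), and uses re.fullmatch to mirror the whole-string matching of XML Schema regular expressions. The request dictionaries are constructed sample data.

```python
import re
from typing import Callable, List

# XACML attribute values are bags; an attribute missing from the request is an empty bag.
Bag = List


def any_of_any(pred: Callable[[object, object], bool], left: Bag, right: Bag) -> bool:
    """XACML any-of-any: true if pred holds for at least one pair (l, r)."""
    return any(pred(l, r) for l in left for r in right)


def any_of(pred: Callable[[object, object], bool], value: object, bag: Bag) -> bool:
    """XACML any-of: true if pred(value, x) holds for at least one x in the bag."""
    return any(pred(value, x) for x in bag)


def all_of(pred: Callable[[object, object], bool], value: object, bag: Bag) -> bool:
    """XACML all-of: true if pred(value, x) holds for every x in the bag.
    Note that this is vacuously true when the bag is empty."""
    return all(pred(value, x) for x in bag)


def string_regexp_match(pattern: str, s: str) -> bool:
    """Model of XACML string-regexp-match. XML Schema regular expressions are
    implicitly anchored, so the pattern must match the whole string; re.fullmatch
    reproduces that anchoring for the simple patterns used here."""
    return re.fullmatch(pattern, s) is not None


def clearance_condition(request: dict) -> bool:
    """condition Attributes.userClearance >= Attributes.resourceClassification

    Both operands are bags, so the operator is applied any-of-any: at least one
    clearance value must be >= at least one classification value."""
    return any_of_any(lambda a, b: a >= b,
                      request.get("userClearance", []),
                      request.get("resourceClassification", []))


def club_condition(request: dict) -> bool:
    """condition allOf(function[stringRegexpMatch], ".*fishing.*", [Attributes.clubMembership])
                 && Attributes.age > 25

    The bag-versus-constant comparison on age is modelled as any-of (assumption:
    at least one age value must be greater than 25)."""
    memberships = request.get("clubMembership", [])
    ages = request.get("age", [])
    return (all_of(string_regexp_match, ".*fishing.*", memberships)
            and any_of(lambda limit, a: a > limit, 25, ages))


# Constructed sample requests (not real data); attribute names follow the page's examples.
REQUESTS = {
    "clearance_ok": {"userClearance": [2], "resourceClassification": [3, 1]},
    "clearance_too_low": {"userClearance": [2], "resourceClassification": [3]},
    "fishing_member": {"clubMembership": ["fishing club", "deep-sea fishing"], "age": [30]},
    "mixed_member": {"clubMembership": ["fishing club", "chess club"], "age": [30]},
    "no_memberships": {"age": [30]},  # clubMembership absent: empty bag, allOf is vacuously true
}


if __name__ == "__main__":
    for name, req in REQUESTS.items():
        if "userClearance" in req:
            print(f"{name}: clearance condition -> {clearance_condition(req)}")
        else:
            print(f"{name}: club condition -> {club_condition(req)}")
```

The no_memberships request is the case worth noticing: the membership check passes with an empty bag, so a policy that relies on this condition alone will let through a subject for whom the attribute was never supplied.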

Axiomatics
The Visual Studio Code extension for ALFA was developed by Axiomatics.