Targets
Targets in policies, policysets and rules are specified using the keyword "target". If the target is empty, it can be omitted.
Example:
target clause Attributes.resourceType == "document"and Attributes.documentStatus == "approved"and stringRegexpMatch("aaa.*", Attributes.subjectId)clause Attributes.actionId == "read" or Attributes.actionId == "write"
The structure of the target follows the structure of the XACML standard. At the top level, there are clauses which are ANDed together; that is, all clauses must be true for the target to match.
Within a clause there are expressions that are ORed; that is, at least one of these expressions separated by the ORs must be true for the clause to be true.
Each OR contains expressions that are ANDed together; that is, all of those expressions must be true for the OR to be true.
The expressions that are ANDed consist of XACML match expressions, which are expressed in ALFA as either operators or function calls.
To summarize the structure:
Target
Clause
OR
- Attributes.resourceType == "document"
- AND
- stringRegexpMatch("aaa.*", Attributes.subjectId)
Unless there are several expressions, the "and" and "or" need not be written out; rather, ALFA will fill in the appropriate XACML elements automatically during compile time. The "clause," however, always needs to be written out.
The match expressions in the target
The XACML 3.0 standard requires the Match element to contain an AttributeValue followed by an AttributeDesignator or AttributeSelector. ALFA makes it possible to ignore the order if the match function is commutative, or if there exists an inverse function to the match function. See the function declaration section for a detailed explanation of how this works. The standard functions are declared with inverses in system.alfa so the user typically does not need to worry about the order.
If the function is neither commutative nor has inverse function, then the order should be maintained in the match element, or an error will be shown by the compiler.
