ALFA (XACML)

ALFA, the Abbreviated Language For Authorization, is a pseudocode language used in the formulation of access-control policies.^[1]

History

Origin

XACML, the eXtensible Access Control Markup Language, uses XML as its main encoding language. Developers have always struggled to write XML and therefore a new, more lightweight, notation was necessary. Axiomatics researcher, Pablo Giambiagi, therefore designed ALFA, the Axiomatics Language for Authorization.

ALFA maps directly into XACML. ALFA contains the same structural elements as XACML i.e. PolicySet, Policy, and Rule.

Axiomatics donates ALFA to OASIS

In March 2014, Axiomatics announced it was donating ALFA to the OASIS XACML Technical Committee^[2] in order to advance its standardization.

ALFA was consequently renamed Abbreviated Language for Authorization and filed for standardization. Its current version can be accessed here.

Sample Use Cases

Medical use case: doctors can view the medical records of patients they have a relationship with.
Financial use case: employees in Singapore can view the customer accounts of employees based in Singapore.
Insurance use case: an insurance agent can approve the claim of a user if the claim is in the same region as the agent and if the claim amount is less than the agent's approval amount.

The words doctor, view, medical record, Singapore... are all examples of attribute values. Attributes make up the building blocks of policies in ABAC and consequently in ALFA.

Data types

ALFA supports all the data types that are defined in the OASIS XACML Core Specification.

Examples

ALFA Policy using Boolean Attributes

	namespace example{
		policy article{
			target clause userRole == "editor" and actionId == "edit" and itemType=="article"
			apply firstApplicable
			rule publishedArticles{
				target clause published == true
				permit
			}
		}
	}

Sample Policy

A simple policy & rule with a condition

The following ALFA example represents a XACML policy which contains a single rule. The policy and rule both have a target. The rule also has a condition which is used to compare 2 attributes together to implement a relationship check (user ID must be equal to owner). Whenever one needs to check 2 attributes together, they must use a condition.

	namespace example{
		policy article{
			target clause itemType=="article"
			apply firstApplicable
			rule editArticle{
				target clause actionId == "edit" and userRole == "editor"
				permit
				condition userId == owner
			}
		}
	}

HL7 Policies

Use Cases

HL7 defines a series of medical access control use cases which can be easily defined in ALFA.

Sample ALFA policies for HL7

Access Control Based on Category of Action

	/*
	 * Access Control Based on Category of Action
	 * URL: http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology_Use_Cases#Access_Control_Based_on_Category_of_Action
	 * Access to progress notes
	 */
	policy progressNotes{
		target clause objectType=="progress note"
		apply firstApplicable
		/*
		 * A primary physician can create a patient's progress note
		 */
		rule createNote{
			target clause role=="physician" and action=="create"	
			condition primaryPhysician==requestorId
			permit
		}
		/*
		 * A physician can update a patient's progress note he/she wrote themselves
		 */
		rule updateNote{
			target clause role=="physician" and action=="update"
			condition author==requestorId
			permit
		}
		/*
		 * Safety rule to explicitly deny access unless one of the matching rules above has been matched
		 */
		rule safetyHarness{
			deny
		}
	}

The ALFA plugin for Eclipse

The ALFA Plugin for Eclipse is a tool that converts your Eclipse programming IDE to a dedicated editor of authorization policies using ALFA syntax. ALFA policies can then easily be converted into real XACML 3.0 policies and loaded into your XACML policy management tool.^[3]

Time-based fine-grained authorization policy

The following is an example of an ABAC policy implemented using ALFA. It uses time as attributes. It uses a XACML condition to compare the currentTime attribute to the value representing 5pm (expressed in 24-hour time). Note the use of :time to convert the String value to the right data type.

rule allowAfter5pm{		
	permit
	condition currentTime > "17:00:00":time
}

References

External References

European analysts talk about ALFA

A Template-Based Policy Generation Interface for RESTful Web Services

This article is issued from Wikipedia - version of the Tuesday, May 03, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.