*** Welcome to piglix ***

ALFA (XACML)

ALFA
Paradigm Declarative programming
Designed by Pablo Giambiagi
Developer Axiomatics
First appeared July 16, 2012; 5 years ago (2012-07-16)
Filename extensions .alfa
Website link
Major implementations
Axiomatics
Influenced by
XML, XACML

ALFA, the Abbreviated Language For Authorization, is a pseudocode language used in the formulation of access-control policies.

XACML, the eXtensible Access Control Markup Language, uses XML as its main encoding language. Developers have always struggled to write XML and therefore a new, more lightweight, notation was necessary. Axiomatics researcher, Pablo Giambiagi, therefore designed ALFA, the Axiomatics Language for Authorization.

ALFA maps directly into XACML. ALFA contains the same structural elements as XACML i.e. PolicySet, Policy, and Rule.

In March 2014, Axiomatics announced it was donating ALFA to the OASIS XACML Technical Committee in order to advance its standardization.

ALFA was consequently renamed Abbreviated Language for Authorization and filed for standardization. Its current version can be accessed here.

The words doctor, view, medical record, Singapore... are all examples of attribute values. Attributes make up the building blocks of policies in ABAC and consequently in ALFA.

ALFA supports all the data types that are defined in the OASIS XACML Core Specification. Some datatypes e.g. numerical (integer, double) and boolean map directly from ALFA to XACML. Others need to be converted such as date or time attributes. To convert an attribute into the relevant data type, use the "value":datatype notation. See below for examples

String, integer, double, and boolean all map directly from ALFA to XACML. They do not need a conversion

The following attribute datatypes need an explicit conversion:

In this policy, we convert a String value to anyURI.

The following ALFA example represents a XACML policy which contains a single rule. The policy and rule both have a target. The rule also has a condition which is used to compare 2 attributes together to implement a relationship check (user ID must be equal to owner). Whenever one needs to check 2 attributes together, they must use a condition.

ALFA can use policy (set) references. They are in fact used implicitly when doing the following.

Obligations and advice are statements in XACML that can be returned from the PDP to the PEP alongside the decision (Permit, Deny...). Obligations and advice are triggered on either Permit or Deny.


...
Wikipedia

...