ALFA, the Abbreviated Language For Authorization, is a pseudocode language used in the formulation of access-control policies.
Contents
- Origin
- Axiomatics donates ALFA to OASIS
- Sample Use Cases
- Data types
- Native attribute values mapped directly from ALFA to XACML
- Attribute values which need an explicit conversion
- Example ALFA Policy using anyURI
- A simple policy rule with a condition
- Policy References in ALFA
- Break the Glass Authorization Scenario
- Time based fine grained authorization policy
- Use Cases
- Sample ALFA policies for HL7
- The ALFA plugin for Eclipse
- References
Origin
XACML, the eXtensible Access Control Markup Language, uses XML as its main encoding language. Developers have always struggled to write XML and therefore a new, more lightweight, notation was necessary. Axiomatics researcher, Pablo Giambiagi, therefore designed ALFA, the Axiomatics Language for Authorization.
ALFA maps directly into XACML. ALFA contains the same structural elements as XACML i.e. PolicySet, Policy, and Rule.
Axiomatics donates ALFA to OASIS
In March 2014, Axiomatics announced it was donating ALFA to the OASIS XACML Technical Committee in order to advance its standardization.
ALFA was consequently renamed Abbreviated Language for Authorization and filed for standardization. Its current version can be accessed here.
Sample Use Cases
The words doctor, view, medical record, Singapore... are all examples of attribute values. Attributes make up the building blocks of policies in ABAC and consequently in ALFA.
Data types
ALFA supports all the data types that are defined in the OASIS XACML Core Specification. Some datatypes e.g. numerical (integer, double) and boolean map directly from ALFA to XACML. Others need to be converted such as date or time attributes. To convert an attribute into the relevant data type, use the "value":datatype notation. See below for examples
Native attribute values mapped directly from ALFA to XACML
String, integer, double, and boolean all map directly from ALFA to XACML. They do not need a conversion
Attribute values which need an explicit conversion
The following attribute datatypes need an explicit conversion:
Example: ALFA Policy using anyURI
In this policy, we convert a String value to anyURI.
A simple policy & rule with a condition
The following ALFA example represents a XACML policy which contains a single rule. The policy and rule both have a target. The rule also has a condition which is used to compare 2 attributes together to implement a relationship check (user ID must be equal to owner). Whenever one needs to check 2 attributes together, they must use a condition.
Policy References in ALFA
ALFA can use policy (set) references. They are in fact used implicitly when doing the following.
Break the Glass Authorization Scenario
Let's start by defining the attributes and obligations we will use.
We can now define the policy with 3 rules:
Time-based fine-grained authorization policy
The following is an example of an ABAC policy implemented using ALFA. It uses time as attributes. It uses a XACML condition to compare the currentTime attribute to the value representing 5pm (expressed in 24-hour time). Note the use of :time to convert the String value to the right data type.
Use Cases
HL7 defines a series of medical access control use cases which can be easily defined in ALFA.
Sample ALFA policies for HL7
Access Control Based on Category of Action
The ALFA plugin for Eclipse
The ALFA Plugin for Eclipse is a tool that converts your Eclipse programming IDE to a dedicated editor of authorization policies using ALFA syntax. ALFA policies can then easily be converted into real XACML 3.0 policies and loaded into your XACML policy management tool.