Abbreviated Language for Authorization

ALFA
Paradigm: Declarative programming
Designed by: Pablo Giambiagi, David Brossard
Developer: Axiomatics
First appeared: July 16, 2012 [1]
Filename extensions: .alfa
Website: alfa.guide
Major implementations: Axiomatics, Rock Solid Knowledge
Influenced by: XML, XACML
Influenced: Rego, Cedar

The Abbreviated Language for Authorization (ALFA) is a domain-specific language used in the formulation of access-control policies. [2]

History

Origin

XACML, the eXtensible Access Control Markup Language, uses XML as its main encoding language. Writing policies directly in XACML leads to bloated, human-unfriendly text, [3] so a new, more lightweight notation was needed. Axiomatics researcher Pablo Giambiagi therefore designed ALFA, the Axiomatics Language for Authorization.

ALFA maps directly onto XACML. ALFA contains the same structural elements as XACML, i.e. PolicySet, Policy, and Rule.

Axiomatics donates ALFA to OASIS

In March 2014, Axiomatics announced it was donating ALFA to the OASIS XACML Technical Committee [4] in order to advance its standardization.

ALFA was consequently renamed Abbreviated Language for Authorization and filed for standardization.

Sample use cases

The words doctor, view, medical record, Singapore, ... are all examples of attribute values. Attributes are the building blocks of policies in ABAC and consequently in ALFA.

Structure

Just like XACML, ALFA has three structural elements: PolicySet, Policy, and Rule.

As in XACML, a PolicySet can contain PolicySet and Policy elements, and a Policy can contain Rule elements. A Rule contains a decision (either Permit or Deny). In addition, in ALFA it is possible to add Rule elements directly to PolicySet and Policy elements. PolicySet, Policy, and Rule elements can be nested or referenced.

To resolve conflicts between sibling elements, ALFA (like XACML) uses combining algorithms. Several combining algorithms are available.

Data types

ALFA supports all the data types defined in the OASIS XACML Core Specification. Some data types, e.g. numerical (integer, double) and boolean, map directly from ALFA to XACML. Others, such as date or time attributes, need to be converted. To convert an attribute value into the relevant data type, use the "value":datatype notation. See below for examples. [5]

Native attribute values mapped directly from ALFA to XACML

String, integer, double, and boolean all map directly from ALFA to XACML; they do not need a conversion.

ALFA policy using boolean attributes

namespace exampleBoolean {
    policy article {
        target clause userRole == "editor" and actionId == "edit" and itemType == "article"
        apply firstApplicable
        rule publishedArticles {
            target clause published == true
            permit
        }
    }
}

Attribute values which need an explicit conversion

The following attribute datatypes need an explicit conversion:

Example: ALFA policy using anyURI

This policy converts a string value to anyURI.

attribute userDisallowedResources {
    category = subjectCat
    id = "userDisallowedResources"
    type = string
}
rule allowProfileAccess {
    target clause url == "http://<host>:<port>/profile/":anyURI
    permit
}

Sample policies

A simple policy & rule with a condition

The following ALFA example represents a XACML policy which contains a single rule. The policy and the rule both have a target. The rule also has a condition, which compares two attributes with each other to implement a relationship check (the user ID must equal the owner). Whenever two attributes must be compared with each other, a condition is required.

namespace example {
    policy article {
        target clause itemType == "article"
        apply firstApplicable
        rule editArticle {
            target clause actionId == "edit" and userRole == "editor"
            permit
            condition userId == owner
        }
    }
}

Using time in a XACML policy written in ALFA

namespace exampleTime {
    policy checkTimeAccess {
        apply firstApplicable
        rule checkNightAccess {
            target clause role == "supervisor" and document == "medicalrecord"
            condition timeInRange(timeOneAndOnly(currentTime), "22:00:00":time, "06:00:00":time)
            permit
        }
    }
}
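As an added example (not code from the page or from Axiomatics), the following Python models the timeInRange condition used by checkNightAccess above together with the "value":time conversion from the Data types section; to_time and check_night_access are names chosen here, and the attribute values are passed as plain arguments rather than read from a XACML request context. It also covers the case the rule depends on: a range such as 22:00:00 to 06:00:00 that crosses midnight, which XACML's time-in-range defines by treating the end argument as never earlier than the start.

```python
from datetime import time


def to_time(value: str) -> time:
    """Model the ALFA "HH:MM:SS":time conversion of a string literal."""
    return time.fromisoformat(value)


def time_in_range(current: time, start: time, end: time) -> bool:
    """XACML time-in-range: True if current lies inclusively within [start, end].

    XACML 3.0 interprets the third argument as equal to or later than the
    second, so when end < start the range crosses midnight (22:00 to 06:00).
    """
    if start <= end:
        return start <= current <= end
    # Wrapped range: late evening of one day or early morning of the next.
    return current >= start or current <= end


def check_night_access(role: str, document: str, current_time: str) -> str:
    """Evaluate the checkNightAccess rule: target first, then condition, then effect.

    Returns "Permit" when the rule applies and "NotApplicable" otherwise, which
    is how a single Permit rule is evaluated before firstApplicable combines it
    with its sibling rules. Passing attributes as arguments is an assumption of
    this model, not how a XACML PDP reads a request.
    """
    # target clause role == "supervisor" and document == "medicalrecord"
    if not (role == "supervisor" and document == "medicalrecord"):
        return "NotApplicable"
    # condition timeInRange(timeOneAndOnly(currentTime), "22:00:00":time, "06:00:00":time)
    if time_in_range(to_time(current_time), to_time("22:00:00"), to_time("06:00:00")):
        return "Permit"
    return "NotApplicable"


if __name__ == "__main__":
    # Constructed sample requests: a supervisor at 23:30, at 02:00 and at noon.
    for clock in ("23:30:00", "02:00:00", "12:00:00"):
        print(clock, check_night_access("supervisor", "medicalrecord", clock))
```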

Policy references

ALFA can use policy (set) references. They are in fact used implicitly in the following example.

namespace com.axiomatics {
    namespace example {
        /**
         * A policy about what managers can do. It is linked to from the
         * documents policy set.
         */
        policy managers {
            target clause role == "manager"
            apply firstApplicable
            rule allowSameDepartment {
                condition user.department == document.department
                permit
            }
        }
    }
    /**
     * The main policy. It references the managers policy
     */
    policyset documents {
        target clause resourceType == "document"
        apply firstApplicable
        // The following is a policy reference
        example.managers
    }
}

Obligations and advice

Obligations and advice are statements in XACML that the PDP can return to the PEP alongside the decision (Permit, Deny, ...). They are triggered on either Permit or Deny.

namespace example {
    import Attributes.*
    advice notify = "example.notify"

    policy readDocuments {
        target clause actionId == "read" and objectType == "document"
        apply firstApplicable
        /**
         * This rule denies access if the time is not between 9 and 5
         */
        rule denyOutsideHours {
            target clause currentTime < "09:00:00":time or currentTime > "17:00:00":time
            deny
            on deny {
                advice notify {
                    acme.obligations.message = "You cannot access this service outside office hours"
                }
            }
        }
        /**
         * This rule grants managers access
         */
        rule allowManagers {
            target clause acme.user.role == "manager"
            permit
        }
        /**
         * This rule catches anything else that might have fallen to this point
         */
        rule failsafeDeny {
            deny
            on deny {
                advice notify {
                    acme.obligations.message = "Your request did not match the policy. Please try again"
                }
            }
        }
    }
}

Break the glass authorization scenario

Start by defining the attributes and obligations:

namespace com.axiomatics.examples {
    import Attributes.*

    obligation breakTheGlass = "com.axiomatics.examples.breakTheGlass"
    obligation auditLog = "com.axiomatics.examples.auditLog"

    namespace user {
        attribute role {
            category = subjectCat
            id = "com.axiomatics.examples.user.role"
            type = string
        }
        attribute identifier {
            category = subjectCat
            id = "com.axiomatics.examples.user.identifier"
            type = string
        }
    }
    namespace patient {
        attribute assignedDoctor {
            category = resourceCat
            id = "com.axiomatics.examples.user.assignedDoctor"
            type = string
        }
    }
    namespace record {
        attribute identifier {
            category = resourceCat
            id = "com.axiomatics.examples.record.identifier"
            type = string
        }
    }
    attribute actionId {
        category = actionCat
        id = "com.axiomatics.examples.actionId"
        type = string
    }
    attribute objectType {
        category = resourceCat
        id = "com.axiomatics.examples.objectType"
        type = string
    }
    attribute isEmergency {
        category = environmentCat
        id = "com.axiomatics.examples.isEmergency"
        type = boolean
    }
    attribute message {
        category = environmentCat
        id = "com.axiomatics.examples.message"
        type = string
    }

The policy can now be defined with three rules (still inside the namespace opened above):

    /**
     * Control access to medical records
     */
    policy accessMedicalRecord {
        target clause actionId == "view" and objectType == "medical record"
        apply firstApplicable
        /**
         * Doctors can view medical records of patients they are assigned to
         */
        rule allowRegularAccess {
            target clause user.role == "doctor"
            condition patient.assignedDoctor == user.identifier
            permit
        }
        /**
         * Doctors can view any medical record in the case of an emergency
         */
        rule allowBreakTheGlassAccess {
            target clause isEmergency == true
            permit
            on permit {
                obligation auditLog {
                    message = "A doctor has gotten access to a medical record by breaking the glass"
                    user.identifier = user.identifier
                    record.identifier = record.identifier
                    currentDateTime = currentDateTime
                }
            }
        }
        /**
         * Deny other accesses. If access is normally denied, tell doctors how
         * they can get access by "breaking the glass".
         */
        rule denyAccess {
            deny
            on deny {
                obligation breakTheGlass {
                    message = "You do not have access to this medical record. To be granted access, set the isEmergency flag to true."
                    record.identifier = record.identifier
                    currentDateTime = currentDateTime
                }
            }
        }
    }
}

Time-based fine-grained authorization policy

The following is an example of an ABAC policy implemented in ALFA. It uses time as an attribute: a XACML condition compares the currentTime attribute to the value representing 5 pm (expressed in 24-hour time). Note the use of :time to convert the string value to the right data type.

rule allowAfter5pm {
    permit
    condition currentTime > "17:00:00":time
}

HL7 policies

Use cases

HL7 defines a series of medical access control use cases which can easily be expressed in ALFA.

Sample ALFA policies for HL7

Access control based on category of action

Implementations

VS Code extension

A free extension for the VS Code editor that supports code completion, syntax highlighting, refactoring, and go-to-definition navigation. It can also compile ALFA into XACML 3.0. [6]

Plugin for Eclipse

The ALFA Plugin for Eclipse is a tool that converts your Eclipse programming IDE to a dedicated editor of authorization policies using ALFA syntax. ALFA policies can then easily be converted into XACML 3.0 policies and loaded into your XACML policy management tool. [7]

References

  1. Gebel, Gerry (16 July 2012). "Axiomatics releases free plugin for the Eclipse IDE to author XACML3.0 policies". Axiomatics. Retrieved 31 May 2017.
  2. "Simplifying XACML – the Axiomatics ALFA plugin for Eclipse IDE". KuppingerCole. Retrieved 2017-02-10.
  3. "XACML 3, section 4.2.3" (PDF). OASIS. Retrieved 2 May 2021.
  4. https://www.linkedin.com/grp/post/3934718-5851696088934801412 [self-published source]
  5. https://www.identityserver.com/documentation/enforcer/alfa/QuickGuideToAlfa/
  6. "ALFA - Visual Studio Marketplace". 2021-09-10.
  7. "How Can I Use Policy References in ALFA?". 2016-10-10.