How Can I Use Policy References in ALFA?
The Abbreviated Language For Authorization (Wikipedia), or ALFA, is a domain-specific language for expressing XACML authorization policies. It is far easier to work with than the raw XACML XML and, depending on who you ask, easier to understand and work with than UI tools.
Currently there is only one way to write an ALFA policy, and that is the ALFA plug-in for Eclipse. This is not a post about ALFA in general; it is specifically about how to define and use Policy and PolicySet references, and what the generated XACML ends up looking like.
Defining a Policy and PolicySet
Below, a very simple PolicySet and Policy are defined. As will become clear in a moment, this could essentially be the root policy used by a Policy Decision Point (PDP).
namespace com.axiomatics {
    policyset financial {
        apply firstApplicable
        policy transactions {
            apply firstApplicable
        }
    }
}
The PolicySet and Policy are for demonstration purposes only. As you can see they don't actually do anything: they have no target (so they apply to every request) and no rule carrying a decision, which means a PDP evaluating them under firstApplicable returns NotApplicable.
In the above example the Policy named 'transactions' is nested inside the PolicySet called 'financial'. From an output perspective this generates a single XML file in Eclipse when the .alfa file is saved: the root element of that file is the PolicySet 'financial', and the nested 'transactions' Policy appears as an inline Policy element inside it.
Only the 'financial' XML is generated; the 'transactions' Policy has no file of its own and can only be seen by opening com.axiomatics.financial.xml.
Referencing a Policy and a PolicySet
Just as a method in programming can be defined once and called from many places to execute the same code, a PolicySet or a Policy can be defined once and referenced from multiple locations. To achieve this, the ALFA code from the previous example would look like this.
namespace com.axiomatics {
    policyset financial {
        apply firstApplicable
        transaction
    }
    policy transaction {
        apply firstApplicable
    }
}
The difference is that the Policy transaction is now defined outside of the PolicySet financial and is referenced (called) by name in a single line inside financial.
The difference in the Eclipse output is that Policy transaction now generates its own XACML artifact in a separate XML file: we end up with both a 'financial' and a 'transaction' XML file, and inside the 'financial' file the Policy is no longer inlined but referenced by its PolicyId through a PolicyIdReference element. Both files therefore have to be deployed to the PDP together: the reference is resolved by identifier at evaluation time, so a PDP that only has the 'financial' file cannot evaluate it.
The transaction Policy can also be referenced from other PolicySets, here from a second PolicySet named insurance.
namespace com.axiomatics {
    policyset financial {
        apply firstApplicable
        transaction
    }
    policyset insurance {
        apply firstApplicable
        transaction
    }
    policy transaction {
        apply firstApplicable
    }
}
Note that a PolicySet can be referenced in exactly the same way, by name on its own line; in the generated XACML this becomes a PolicySetIdReference element instead of a PolicyIdReference.
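To make the reference mechanism concrete, here is a toy PDP, added to this post and not part of the ALFA plug-in or any real PDP, that loads constructed XACML 3.0 documents in the shape described above (a 'transaction' Policy, 'financial' and 'insurance' PolicySets holding a PolicyIdReference to it, and a root PolicySet holding PolicySetIdReferences to both) and evaluates them under first-applicable. The identifiers such as com.axiomatics.transaction are assumptions, not the plug-in's actual PolicyId scheme; the transaction Policy is given one Permit rule and an extra empty 'audit' Policy is added so that there is something to observe; and a deliberately unresolvable reference is included to show what happens when the referenced file was not deployed alongside the root.

```python
"""Toy XACML 3.0 PDP resolving PolicyIdReference and PolicySetIdReference.
Added example, not the ALFA plug-in's output nor a real PDP; all documents below
are constructed and their identifiers (e.g. com.axiomatics.transaction) are assumed."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:%s-combining-algorithm:first-applicable"
CONTAINERS = ("Rule", "Policy", "PolicySet", "PolicyIdReference", "PolicySetIdReference")

# The 'transaction' Policy, given one Permit rule so that it decides something.
TRANSACTION = f"""<Policy xmlns="{XACML}" PolicyId="com.axiomatics.transaction" Version="1.0"
    RuleCombiningAlgId="{FIRST_APPLICABLE % 'rule'}">
  <Target/>
  <Rule RuleId="permitTransaction" Effect="Permit"/>
</Policy>"""

# An empty Policy like the first listing: the empty Target matches, but there are no rules.
AUDIT = f"""<Policy xmlns="{XACML}" PolicyId="com.axiomatics.audit" Version="1.0"
    RuleCombiningAlgId="{FIRST_APPLICABLE % 'rule'}"><Target/></Policy>"""

# 'financial' in the shape a reference produces: no nested Policy, only its identifier.
FINANCIAL = f"""<PolicySet xmlns="{XACML}" PolicySetId="com.axiomatics.financial" Version="1.0"
    PolicyCombiningAlgId="{FIRST_APPLICABLE % 'policy'}">
  <Target/>
  <PolicyIdReference>com.axiomatics.transaction</PolicyIdReference>
</PolicySet>"""

def policyset(psid, *refs):
    """Build a constructed PolicySet holding (kind, id) references, kind = Policy | PolicySet."""
    body = "".join(f"<{k}IdReference>{i}</{k}IdReference>" for k, i in refs)
    return (f'<PolicySet xmlns="{XACML}" PolicySetId="{psid}" Version="1.0" '
            f'PolicyCombiningAlgId="{FIRST_APPLICABLE % "policy"}"><Target/>{body}</PolicySet>')

DOCUMENTS = [
    TRANSACTION, AUDIT, FINANCIAL,
    # insurance: the empty policy first, then the shared transaction policy
    policyset("com.axiomatics.insurance", ("Policy", "com.axiomatics.audit"),
              ("Policy", "com.axiomatics.transaction")),
    # a root referencing both PolicySets via PolicySetIdReference
    policyset("com.axiomatics.root", ("PolicySet", "com.axiomatics.financial"),
              ("PolicySet", "com.axiomatics.insurance")),
    # a reference that nothing in the store can satisfy
    policyset("com.axiomatics.broken", ("Policy", "com.axiomatics.missing")),
]

def local(elem):
    """Element name without the XACML namespace."""
    return elem.tag.rsplit("}", 1)[-1]

def load(documents):
    """Index top-level documents by kind and id; references resolve only against this store."""
    store = {"Policy": {}, "PolicySet": {}}
    for doc in documents:
        root = ET.fromstring(doc)
        store[local(root)][root.get(local(root) + "Id")] = root
    return store

def evaluate(store, node, trace):
    """First-applicable evaluation; 'trace' records every identifier the PDP enters."""
    kind = local(node)
    if kind == "Rule":
        trace.append(node.get("RuleId"))
        return node.get("Effect")  # Permit or Deny; Conditions are not supported here
    if kind.endswith("IdReference"):
        ref = node.text.strip()
        target = store[kind[: -len("IdReference")]].get(ref)
        if target is None:  # unresolvable reference: an evaluation error, not a skip
            trace.append("UNRESOLVED " + ref)
            return "Indeterminate"
        return evaluate(store, target, trace)
    trace.append(node.get(kind + "Id"))
    alg = node.get("RuleCombiningAlgId" if kind == "Policy" else "PolicyCombiningAlgId")
    if alg != FIRST_APPLICABLE % ("rule" if kind == "Policy" else "policy"):
        raise NotImplementedError("only first-applicable is implemented: " + alg)
    target = node.find(f"{{{XACML}}}Target")
    if target is not None and len(target):  # only the empty <Target/> is supported
        raise NotImplementedError("attribute matching is out of scope for this toy")
    for child in (c for c in node if local(c) in CONTAINERS):
        decision = evaluate(store, child, trace)
        if decision != "NotApplicable":  # first-applicable stops at Permit/Deny/Indeterminate
            return decision
    return "NotApplicable"  # nothing applied, which covers the empty Policy/PolicySet case

def decide(store, policyset_id):
    """Evaluate a root PolicySet; returns (decision, identifiers entered in order)."""
    trace = []
    return evaluate(store, store["PolicySet"][policyset_id], trace), trace

if __name__ == "__main__":
    store = load(DOCUMENTS)
    for root_id in ("com.axiomatics.financial", "com.axiomatics.insurance",
                    "com.axiomatics.root", "com.axiomatics.broken"):
        decision, trace = decide(store, root_id)
        print(f"{root_id}: {decision}  via {' -> '.join(trace)}")
```

Running it prints the decision for each root together with the identifiers entered in order: the same transaction Policy is entered once from financial and once from insurance, the root stops after financial because first-applicable already has a Permit and never enters insurance, and the unresolved reference surfaces as Indeterminate rather than being silently skipped. Attribute matching in targets, Conditions and the other combining algorithms are deliberately out of scope.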
Conclusion
Policy references are very useful when the same Policy or PolicySet is needed in multiple places. The Policy or PolicySet is defined once and then simply "called", similar to how a method is called in other programming languages. When the PDP reaches the reference while walking the policy tree to evaluate an authorization request, it enters the referenced Policy or PolicySet and evaluates it exactly as if it had been written inline at that point, with its own combining algorithm; a change to the shared Policy therefore takes effect everywhere it is referenced.
Further reading
eXtensible Access Control Markup Language (XACML) Version 3.0 – PolicySetIdReference
eXtensible Access Control Markup Language (XACML) Version 3.0 – PolicyIdReference