Download your copy of our State of Authorization: Playbook Edition Get it now »

Ten years of ALFA. Wait…what?

The evolution of access control has significantly changed. With more than a decade of ALFA, let’s take a look back at its history.

Over the last ten years, the evolution of access control has significantly changed and clearly shows the need for streamlining as well as encouraging and adopting policy creation.

The Abbreviated Language for Authorization (ALFA) has helped fulfill some of those changes since it was created just over ten years ago.

To celebrate more than a decade with ALFA, let’s take a look back at the history of the ALFA policy language.

The birth of ALFA

The need for ALFA came from the fact eXtensible Access Control Markup Language (XACML) was created in the heyday of service-oriented architecture (SOA).

It is based on XML (Extensible Markup Language), an extremely verbose syntax that is great for programs to work with but not so ideal for humans (developers) to write in.

In spite of its XML-based syntax, XACML has proven reliable and comprehensive. It’s easy to implement ABAC policies with XACML with the right tooling without revealing the underlying encoding.

There became the realization that developers wanted to write policies by hand for a variety of reasons, including:

  • Visibility
  • Ease and speed of policy development
  • Integration into existing continuous integration/continuous deployment (CI/CD) pipelines

XML wasn’t going to cut it for what developers wanted to do.

This parallelled the (relative) demise of XML and the advent of JSON (JavaScript Object Notation) and later YAML (Yet Another Markup Language). JSON replaces XML for API communications and message payloads, while YAML tends to replace XML for configuration files.

Years of working with customers made Axiomatics realize there are at least two personas: those willing to use a user interface for policy authoring and those – often developers – more inclined to use the keyboard and a developer IDE (Integrated Development Environment).

This is why ALFA was born.  It was designed to be a new, more lightweight, notation of XACML.

ALFA provides a simple way to write policies in a language akin to software development languages like Java and Python. A benefit of using ALFA is that ALFA files can be added to source control such as Github, so that changes can be tracked and audited.

ALFA isn’t proprietary

Yes, ALFA was created by Axiomatics and it was originally named Axiomatics Language for Authorization.

It was then donated to OASIS as part of the XACML Technical Committee.

Now, the language can be used or read by anyone, while maintaining the underlying policy model.

ALFA particularly helps with policy authoring and also with gathering requirements – two critical elements of authorization.

This is because you can take a blank document in the Visual Studio code and write your requirements like ‘A doctor can view the medical record’.

Below the requirement you could write your ALFA policy. That is much simpler than having to gather requirements then go into another system to start writing your policy.

In 2014, the organization for the advancement of structured information standards (OASIS) adopted ALFA to advance the standardization of the language.

A great example of ALFA’s use is the work done by Rock Solid Knowledge, who uses ALFA for .NET environments.

They use ALFA with their own PDP.

The future of ALFA

As more enterprises look to integrate authorization into their security systems, we need to simplify the ALFA language to drive even more adoption.

We can also look into interoperability with other languages such as Cedar and Rego.

Some of these aspects are being tackled in the Policy Charter at OpenID Foundation, which I spoke more about on a recent episode of our podcast.

Discover the ease of ALFA

Experience how seamless ALFA can be used as part of a modern, flexible authorization strategy and request a demo with one of our solution experts.


  Join us on LinkedIn for more insights
Archived under:
About the author

As Chief Technology Officer, David has experience leading the design and development of Salesforce’s identity offering including customer identity and access management (CIAM). He is a founding member of IDPro, a co-author of the OASIS XACML standard, and an expert on standard-based authorization as part of an overall IAM implementation.