Ten years of ALFA. Wait…what?
Over the last ten years, the evolution of access control has significantly changed and clearly shows the need for streamlining as well as encouraging and adopting policy creation.
The Abbreviated Language for Authorization (ALFA) has helped fulfill some of those changes since it was created just over ten years ago.
To celebrate more than a decade with ALFA, let’s take a look back at the history of the ALFA policy language.
The birth of ALFA
The need for ALFA came from the fact eXtensible Access Control Markup Language (XACML) was created in the heyday of service-oriented architecture (SOA).
It is based on XML (Extensible Markup Language), an extremely verbose syntax that is great for programs to work with but not so ideal for humans (developers) to write in.
In spite of its XML-based syntax, XACML has proven reliable and comprehensive. It’s easy to implement ABAC policies with XACML with the right tooling without revealing the underlying encoding.
There became the realization that developers wanted to write policies by hand for a variety of reasons, including:
- Ease and speed of policy development
- Integration into existing continuous integration/continuous deployment (CI/CD) pipelines
XML wasn’t going to cut it for what developers wanted to do.
Years of working with customers made Axiomatics realize there are at least two personas: those willing to use a user interface for policy authoring and those – often developers – more inclined to use the keyboard and a developer IDE (Integrated Development Environment).
This is why ALFA was born. It was designed to be a new, more lightweight, notation of XACML.
ALFA provides a simple way to write policies in a language akin to software development languages like Java and Python. A benefit of using ALFA is that ALFA files can be added to source control such as Github, so that changes can be tracked and audited.
ALFA isn’t proprietary
Yes, ALFA was created by Axiomatics and it was originally named Axiomatics Language for Authorization.
It was then donated to OASIS as part of the XACML Technical Committee.
Now, the language can be used or read by anyone, while maintaining the underlying policy model.
ALFA particularly helps with policy authoring and also with gathering requirements – two critical elements of authorization.
This is because you can take a blank document in the Visual Studio code and write your requirements like ‘A doctor can view the medical record’.
Below the requirement you could write your ALFA policy. That is much simpler than having to gather requirements then go into another system to start writing your policy.
In 2014, the organization for the advancement of structured information standards (OASIS) adopted ALFA to advance the standardization of the language.
A great example of ALFA’s use is the work done by Rock Solid Knowledge, who uses ALFA for .NET environments.
They use ALFA with their own PDP.
The future of ALFA
As more enterprises look to integrate authorization into their security systems, we need to simplify the ALFA language to drive even more adoption.
We can also look into interoperability with other languages such as Cedar and Rego.
Some of these aspects are being tackled in the Policy Charter at OpenID Foundation, which I spoke more about on a recent episode of our podcast.