
What’s the difference between policy target and rule target in ALFA?

Learn how ALFA lets you specify a Target in both a Policy and a Rule, answering a question commonly asked about XACML.

Recently, I found a StackOverflow question that asked about the difference between policy target and rule target in XACML (eXtensible Access Control Markup Language).

That made me think about how we might address that same question for ALFA (Abbreviated Language for Authorization).

So let’s explore when to use target, policy, and rule values in ALFA.

The question:

ALFA allows us to specify a Target in both a Policy and a Rule.

What I would like to understand is:

  • The purpose of having these at both levels;
  • The individual effect of both of these methods; and
  • How and when one should use them together or separately?

The answer:

You can have a Target in a PolicySet, a Policy, and a Rule. They all achieve the same thing, i.e., they restrict the scope of the element (PolicySet, Policy, or Rule).

Your question should center on why there are three elements. It’s actually a way to divide and conquer your authorization challenge.

Imagine you’re tackling authorization for an entire bank.

You might have a policy set that focuses on the retail part of the bank and another that focuses on the commercial side of the bank.

You would have an attribute in the target of the PolicySet element that would distinguish between retail and commercial.

Inside the retail bank PolicySet you could have another series of policy sets or maybe just policies where the Target would distinguish between different applications.

Inside each Policy element you could have Rule elements that would have targets that would distinguish between functions of the applications.


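namespace com.axiomatics{
    policyset bank{
        apply firstApplicable
        // Policy set target: only retail banking requests
        policyset retail{
            target clause businessUnit == "retail"
            apply firstApplicable
            // Policy target: only requests about account objects
            policy account{
                target clause object == "account"
                apply firstApplicable
                // Rule target: only the "view" action
                rule customerViewOwnAccount{
                    target clause actionId == "view"
                    condition user.userId == account.owner
                    permit
                }
            }
        }
        // Policy set target: only investment banking requests
        policyset investment{
            target clause businessUnit == "investment"
            apply firstApplicable
        }
    }
}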

In this example, we have an overarching policy set called “bank”. It contains two policy sets, one for retail banking and the other for investment banking.

Note how we use the target element of each policy set to distinguish between the retail and the investment use cases.

Similarly, one level down, we have a policy called “account” which itself contains a target that narrows down the scope of the policy to account objects.

Lastly, we have a rule with a target that further whittles down the scope to the “view” action.
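To see how the three target levels narrow a request step by step, here is a small Python model of the policy tree above. It is an added example, not Axiomatics code and not an ALFA or XACML engine: the `node`, `evaluate` and `decide` helpers and the sample requests are constructed for illustration, and the model ignores Indeterminate results.

```python
NOT_APPLICABLE = "NotApplicable"

def node(name, target, children=(), condition=None, effect=None):
    """A policy set, policy or rule: a target plus children (or an effect for a rule)."""
    return {"name": name, "target": target, "children": list(children),
            "condition": condition, "effect": effect}

def evaluate(n, request, trace):
    """Return a decision and record every element whose target was checked."""
    matched = all(request.get(k) == v for k, v in n["target"].items())
    trace.append(n["name"])
    if not matched:
        return NOT_APPLICABLE            # target miss: children are never visited
    if n["effect"] is not None:          # a rule: the condition gates its effect
        return n["effect"] if n["condition"](request) else NOT_APPLICABLE
    for child in n["children"]:          # firstApplicable: first Permit/Deny wins
        decision = evaluate(child, request, trace)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

# The policy tree from the ALFA example; each target is an attribute == value map.
BANK = node("bank", {}, [
    node("retail", {"businessUnit": "retail"}, [
        node("account", {"object": "account"}, [
            node("customerViewOwnAccount", {"actionId": "view"},
                 condition=lambda r: r.get("user.userId") == r.get("account.owner"),
                 effect="Permit"),
        ]),
    ]),
    node("investment", {"businessUnit": "investment"}),
])

def decide(request):
    """Return (decision, names of the elements visited, in order)."""
    trace = []
    return evaluate(BANK, request, trace), trace

# Constructed sample requests (attribute names taken from the policy above).
OWNER_VIEW = {"businessUnit": "retail", "object": "account", "actionId": "view",
              "user.userId": "alice", "account.owner": "alice"}
OTHER_VIEW = {**OWNER_VIEW, "user.userId": "bob"}
INVESTMENT = {**OWNER_VIEW, "businessUnit": "investment"}

if __name__ == "__main__":
    for label, req in [("owner view", OWNER_VIEW), ("non-owner view", OTHER_VIEW),
                       ("investment", INVESTMENT)]:
        print(label, *decide(req))
```

The investment request never reaches the retail policy or its rule, because the policy set target cuts it off first. The non-owner request ends as NotApplicable rather than Deny, since nothing in this tree produces a Deny.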

What’s Next?

In the next few months we’ll publish more content around ALFA.

Please reach out if you have questions about ALFA, or if there’s a specific topic you’d like to see us cover.

About the author

As Chief Technology Officer, David has experience leading the design and development of Salesforce’s identity offering including customer identity and access management (CIAM). He is a founding member of IDPro, a co-author of the OASIS XACML standard, and an expert on standard-based authorization as part of an overall IAM implementation.