Download your copy of our State of Authorization: Playbook Edition Get it now »

Abbreviated Language for Authorization (ALFA)

Abbreviated Language for Authorization (ALFA) is a domain-specific language (DSL) designed to express authorization policies in a concise, human-readable format. It was developed under the helm of the OASIS XACML Technical Committee based on original designs by Axiomatics, a leading provider of attribute-based access control (ABAC) solutions.

ALFA aims to simplify the process of creating and maintaining authorization policies by providing a more intuitive and less verbose syntax compared to raw eXtensible Access Control Markup Language (XACML). It allows policy authors to focus on the core logic of their policies without getting bogged down in the complexities of extensible markup language (XML).

Key features

Concise syntax

ALFA uses a compact and expressive syntax, making policies easy to read, write, and understand.

Attribute-based access control (ABAC)

ALFA supports the definition of fine-grained access control policies based on attributes of users, resources, actions, and the environment.

Relationship-based access control (ReBAC)

ALFA supports direct and indirect relationships such as ownership.

Highly-structured hierarchical policy language

Unlike alternatives, ALFA is not a flat language. It provides a structure to organize authorization into branches by design. This makes both the management, authoring, and execution of the policies easier and faster.

Built-in conflict resolution and precedence

ALFA provides various combining algorithms to determine the final access decision when multiple policies or rules apply to a given request.

Obligations and advice

ALFA allows the specification of obligations (mandatory actions to be performed by the policy enforcement point) and advice (optional actions) alongside access control decisions.

Integration with XACML

ALFA policies can be seamlessly translated into XACML, ensuring compatibility with existing XACML-based systems and tools.

Proof & verifiability

Due to its syntax, the use of combining algorithms, and its structure, ALFA can be proven to be accurate when granting access. This avoids issues seen in other languages where access can be unwittingly granted. Decisions can be traced back to the specific node in the policy hierarchy that granted or denied access.

ALFA policy structure

An ALFA policy typically consists of the following main components:

Policy

A top-level element that encapsulates a set of rules and a rule-combining algorithm.

Rule

A basic building block of a policy that defines a specific access control requirement. It consists of a target, condition, and effect (permit or deny).

Target

Specifies the subjects, resources, actions, and environments to which a rule or policy applies.

Condition

An optional element that further refines the applicability of a rule based on rich boolean expressions.
Policy combining algorithm: Determines how the results of multiple policies are combined to reach a final access decision (e.g., permit-overrides, deny-overrides).

For larger policies, ALFA provides:

Policy Set

The top-level element that encapsulates a set of policies and a policy-combining algorithm.

ALFA example

Here’s a simple example of an ALFA policy that grants read access to a specific document for users based on their relationship:

namespace relationships {
    policy viewDocument{
        target clause actionId == "view" and objectType == "document"
        apply firstApplicable
        rule owner{
            permit
            condition user.name == document.owner // direct relationship
        }
        rule sameDepartment{
            permit
            condition user.department == document.department // indirect relationship
        }
    }
}

In this example, the policy applies to requests to view an object of type document. If this is the case, then the 2 rules inside the policy are considered (in order – based on the combining algorithm) for access. If the user owns the document then access is permitted and the evaluation stops. Alternatively, if the user is not the owner but is in the same department, then access is permitted and the evaluation is stopped.

Axiomatics and ALFA

ALFA provides a user-friendly and expressive language for defining attribute-based access control policies. By abstracting away the complexities of raw XACML, ALFA enables policy authors to create and maintain authorization policies more efficiently. Its integration with XACML ensures compatibility with existing systems while offering a more intuitive authoring experience.

Because ALFA is a lightweight, extremely fast language, it can be used in multiple environments and integrations. Use it to extend your OAuth Authorization Server, for instance to generate claims dynamically or even in your infrastructure layer to drive microservices authorization.

Axiomatics’ Orchestrated Authorization solution enables enterprises to create a flexible, scalable policy-driven authorization deployment that includes ALFA.

Listen to our podcast episode All things ALFA: Talking Authz Policy and AuthZEN to learn more about the history of ALFA, and how enterprise can approach it in adopting a strategy that streamlines policy management that’s highly-structured and compliance-driven.


Have 30 minutes? Let's show you a demo!

See how our award-winning solution can help you meet today's access control and Zero Trust needs.

Request a demo