Skip to main content

Sample policy A

This section will guide you through the creation of a simple policy that controls document access for different users.

Namespace

Start by creating a namespace. All policies and policy sets must be placed within a namespace. Namespaces serve as containers to organize policies logically and prevent naming conflicts.

namespace documents{

}

Learn more about namespaces in the Namespaces section.

Policy

Now, it's time to create your policy. 

namespace documents {
    policy topLevel {
        apply denyOverrides
    }
}

Line 2 defines the policy with the name topLevel. Naming a policy is optional, but for top level policies it is useful to define them since the namespace and the policy name are used to confirm the name of the XACML XML file that is produced by the compiler. In this case, the filename will be documents.topLevel.xml.

Moreover, in line 3, the policy applies a denyOverrides combining algorithm to decide which rule gets priority in the event that both rules match. In such a case, the deny decision will receive priority. Read the Combining algorithms section for more details.

Target

Targets are conditional expressions that determine when a policy or a rule applies.

namespace documents {
    policy topLevel {
        apply denyOverrides
        target clause Attributes.resourceType == "document"
    }
}

Targets are optional in both policies and rules. Here, the target matches if the request contains a resource type attribute with the value "document". Targets are described in more detail in the Targets section.

Rules

This is the moment to define your rules. One of the rules may permit access and the other one may deny access, depending on how the rules match the request.

namespace documents {
    policy topLevel {
        target clause Attributes.resourceType == "document"
        apply denyOverrides
        rule {
            permit
            condition Attributes.userClearance >=
                      Attributes.resourceClassification
        }
        rule {
            deny
            condition Attributes.documentStatus == "draft"
                && not(Attributes.documentAuthor == Attributes.subjectId)
        }
    }
}

The two rules do not contain any target; rather, they use a condition, which is another way to define how a rule or a policy matches. A condition is not limited to a special structure, unlike a target, which is why it is used in this instance.

  • The first rule (line 5) will permit access to the target, in this case the "document", if the user's clearance is at least as high as the document's classification.
  • The second rule (line 10) will override this if the document's status is "draft" and the user attempting access is not the author of the document.
note

Operators such as == and >= can be applied to bags in the condition. If the values are not bags, then the operator is applied between the two atomic values. However, if either operand is a bag, the operator is applied through the any-of-any function. This means that the operator returns true if at least one combination of values causes the operator to evaluate to true. For example, if there are three authors of the document "Alice", "Bob" and "Carol", and the subject is "Alice", then the expression Attributes.documentAuthor == Attributes.subjectId would be true.

Some operators such as + cannot operate on bags, so these will cause a syntax error that will be highlighted in the editor. For more details on this feature, see the Operator declarations section.

Attributes

The attributes themselves are defined in a separate file. In this case, we have the following definitions:

namespace Attributes {
    import System.*

    attribute resourceType {
        id = "http://example.com/xacml/attr/resource/type"
        type = string
        category =resourceCat
    }

    attribute resourceClassification {
        id = "http://example.com/xacml/attr/resource/classification"
        type = integer
        category = resourceCat
    }
   
    attribute userClearance {
        id = "http://example.com/xacml/attr/subject/clearance"
        type = integer
        category = subjectCat
    }

    attribute documentStatus {
        id = "http://example.com/xacml/attr/resource/documentStatus"
        type = string
        category = resourceCat
    }
  
    attribute documentAuthor {
        id = "http://example.com/xacml/attr/resource/documentAuthor"
        type = string
        category = resourceCat
    }
    
    attribute subjectId {
        id = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        type = string
        category = subjectCat
    }
}

These define how the attributes are translated into XACML attributes. For each attribute there is:

  • a short name, which is used when writing policies in ALFA
  • the full XACML attribute identifier
  • the data type of the attribute
  • the category it belongs to (subject, resource, action, environment, etc.).