Sample policy B
The following is a sample policy that uses some additional features of ALFA such as policy sets, conditions, and advice.
Let's start by defining an advice that will be used in the example.
namespace ObligationAdvice {
    advice reasonForDeny = "http://example.com/advice/reasonForDeny"
}
Let's proceed by defining some additional attributes concerning medical records and printers so we can write a set of policies for a hospital.
namespace hospital {
    policyset topLevel {
        apply permitOverrides
        medicalPolicy
        printerPolicy
    }
    policy medicalPolicy {
        target clause Attributes.resourceType == "medical-record"
        apply denyOverrides
        rule {
            permit
            target clause Attributes.role == "doctor"
        }
        rule {
            deny
            condition not(booleanOneAndOnly(Attributes.careRelationExists))
            on deny {
                advice ObligationAdvice.reasonForDeny {
                    Attributes.message = "There is no care relation"
                }
            }
        }
        rule {
            deny
            condition booleanOneAndOnly(Attributes.recordIsBlocked)
            on deny {
                advice ObligationAdvice.reasonForDeny {
                    Attributes.message = "The record is blocked"
                }
            }
        }
    }
    policy printerPolicy {
        target clause Attributes.resourceType == "printer"
        apply permitOverrides
        rule {
            permit
            target
                clause Attributes.role == "doctor"
                    or Attributes.role == "nurse"
                    or Attributes.role == "receptionist"
                clause Attributes.userTraining == "printer-use"
        }
    }
}
Policy set
At the top we have defined a policy set. A policy set contains policies or other policy sets, allowing arbitrarily deep nesting. The contained policies or policy sets can either be inlined within the policy set or, as in the example, referenced by their name.
In this example, the two referenced policies become their own separate XACML XML files when the ALFA source is compiled to XACML.
The apply permitOverrides statement indicates that a permit decision from any contained policy takes priority over a deny decision from another.
Policies
Looking at the two policies in the example, we see they both concern hospital procedures. More specifically:
medicalPolicy
The medicalPolicy policy controls access to medical records and defines three rules:
- Permit for doctors: This rule grants permission to access medical records to users with the doctor role.
- Deny for missing care relation: This rule denies access to medical records if the careRelationExists attribute is not true, meaning that the doctor does not have a caregiving relationship with the patient. An advice is attached to this rule that provides a reason for the denial, stored in the message attribute.
- Deny for blocked records: This rule denies access to medical records if the recordIsBlocked attribute is true, meaning that access to the record has been suspended for some reason. An advice is attached to this rule that provides a reason for the denial, also stored in the message attribute.
To summarize, access to medical records is permitted for doctors but is blocked if the doctor does not have a care relation to the patient or if access to the record has been suspended.
printerPolicy
The printerPolicy policy controls access to printers. It defines one rule:
- Permit for qualified users: This rule grants permission to use printers to users with the doctor, nurse, or receptionist role who have completed the printer-use training.
Conditions
The conditions show an example of how to convert a bag into an atomic value. All attributes are bags that may contain any number of values. However, in many cases exactly one value per attribute is expected in the request and the policy wants to operate on this single value. The booleanOneAndOnly function converts a bag of Boolean values into an atomic value, and checks that there is exactly one value in the bag. If there is not exactly one value, then the function returns an Indeterminate result.
Advice
An advice is an extra item in the result that conveys additional information to the PEP. The PEP may ignore an advice. A similar feature, the obligation, may not be ignored by the PEP; there is no obligation in this example, though.
In this example, advice provides a reason for access denial, helping a doctor understand how to gain access if needed. For instance, they might have forgotten to register the patient as being treated by them.
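To make the semantics of the policy set, the two combining algorithms, the booleanOneAndOnly condition and the advice concrete, here is an added example: a small Python evaluator that transcribes the hospital policies above into a toy model. It is written for this page and is not ALFA tooling or an ALFA compiler. It assumes XACML 3.0 evaluation semantics (rule and policy targets, the extended Indeterminate{D}/{P}/{DP} decisions, deny-overrides and permit-overrides as defined in the 3.0 specification, and advice carried only from children whose decision matches the final one); a request is modeled as a dict mapping an attribute name to a bag (Python list) of values, and the sample requests in the main block are constructed.

```python
# Added example for this page (not ALFA tooling): a toy XACML 3.0 evaluator
# for the hospital policy set. A request maps attribute name -> bag (list).
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

REASON_FOR_DENY = "http://example.com/advice/reasonForDeny"  # advice id from the page
Result = Tuple[str, List[dict]]  # (decision, advice items)

class Indeterminate(Exception):
    """A function could not produce a value (XACML processing error)."""

def boolean_one_and_only(bag: list) -> bool:
    """XACML booleanOneAndOnly: the bag must hold exactly one value."""
    if len(bag) != 1:
        raise Indeterminate(f"expected exactly one value, got {len(bag)}")
    return bool(bag[0])

def has(req: dict, attr: str, value) -> bool:
    """Target clause match: true if any value in the attribute's bag equals value."""
    return value in req.get(attr, [])

@dataclass
class Rule:
    effect: str                                        # "Permit" or "Deny"
    target: Optional[Callable[[dict], bool]] = None
    condition: Optional[Callable[[dict], bool]] = None
    advice: List[dict] = field(default_factory=list)   # emitted when the effect applies

    def evaluate(self, req: dict) -> Result:
        if self.target is not None and not self.target(req):
            return "NotApplicable", []
        try:
            if self.condition is not None and not self.condition(req):
                return "NotApplicable", []
        except Indeterminate:
            # Condition error: Indeterminate tagged with the rule's effect (D or P).
            return f"Indeterminate{{{self.effect[0]}}}", []
        return self.effect, list(self.advice)

def _overrides(results: List[Result], first: str, second: str) -> Result:
    """XACML 3.0 '<first>-overrides' combining; advice follows the final decision."""
    ds = [d for d, _ in results]
    ind_f, ind_s = f"Indeterminate{{{first[0]}}}", f"Indeterminate{{{second[0]}}}"
    if first in ds:
        decision = first
    elif "Indeterminate{DP}" in ds:
        decision = "Indeterminate{DP}"
    elif ind_f in ds:
        decision = "Indeterminate{DP}" if (ind_s in ds or second in ds) else ind_f
    elif second in ds:
        decision = second
    elif ind_s in ds:
        decision = ind_s
    else:
        decision = "NotApplicable"
    # Only advice from children that reached the same decision is returned.
    return decision, [a for d, adv in results if d == decision for a in adv]

def deny_overrides(results: List[Result]) -> Result:    # ALFA: apply denyOverrides
    return _overrides(results, "Deny", "Permit")

def permit_overrides(results: List[Result]) -> Result:  # ALFA: apply permitOverrides
    return _overrides(results, "Permit", "Deny")

@dataclass
class Policy:
    """Used for both policy and policy set: children are Rules or Policies."""
    target: Callable[[dict], bool]
    algorithm: Callable[[List[Result]], Result]
    children: list

    def evaluate(self, req: dict) -> Result:
        if not self.target(req):
            return "NotApplicable", []
        return self.algorithm([c.evaluate(req) for c in self.children])

# The page's hospital namespace, transcribed into the toy model.
medical_policy = Policy(
    target=lambda r: has(r, "resourceType", "medical-record"), algorithm=deny_overrides,
    children=[
        Rule("Permit", target=lambda r: has(r, "role", "doctor")),
        Rule("Deny", condition=lambda r: not boolean_one_and_only(r.get("careRelationExists", [])),
             advice=[{"id": REASON_FOR_DENY, "message": "There is no care relation"}]),
        Rule("Deny", condition=lambda r: boolean_one_and_only(r.get("recordIsBlocked", [])),
             advice=[{"id": REASON_FOR_DENY, "message": "The record is blocked"}]),
    ])
printer_policy = Policy(
    target=lambda r: has(r, "resourceType", "printer"), algorithm=permit_overrides,
    children=[Rule("Permit", target=lambda r: has(r, "userTraining", "printer-use")
                   and any(has(r, "role", x) for x in ("doctor", "nurse", "receptionist")))])
top_level = Policy(target=lambda r: True, algorithm=permit_overrides,
                   children=[medical_policy, printer_policy])

def decide(req: dict) -> Tuple[str, List[str]]:
    """Evaluate the top-level policy set; returns (decision, advice messages)."""
    decision, advice = top_level.evaluate(req)
    return decision, [a["message"] for a in advice]

if __name__ == "__main__":
    doctor = {"resourceType": ["medical-record"], "role": ["doctor"]}  # constructed requests
    print(decide({**doctor, "careRelationExists": [True], "recordIsBlocked": [False]}))
    print(decide({**doctor, "careRelationExists": [False], "recordIsBlocked": [True]}))
    print(decide({**doctor, "recordIsBlocked": [False]}))  # attribute missing -> Indeterminate{DP}
```

Running the three constructed requests shows how the pieces interact: a doctor with a care relation gets Permit with no advice; a doctor whose record is both unrelated and blocked gets Deny with both reasonForDeny messages, because under denyOverrides the two deny rules beat the permit rule and only advice from deny-effect rules is kept; and a request that omits careRelationExists altogether gets Indeterminate{DP}, not Permit, because booleanOneAndOnly fails on an empty bag and the permit rule's result is merged with that error. A request from a nurse for a medical record yields NotApplicable rather than Deny, since no rule in medicalPolicy targets that role. Both NotApplicable and Indeterminate leave the final choice to the PEP, which is why a PEP guarding sensitive resources should be deny-biased and treat anything other than an explicit Permit as no access.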