Namespaces
ALFA employs namespaces to establish a well-structured framework when authoring access control policies. Namespaces serve as containers for grouping related policies, policy sets, and rules, which improves organization within complex policy structures and results in better maintainability and readability.
Nested namespaces
Namespaces can reside in separate files or be nested within each other, allowing for even greater flexibility. This capability allows the creation of hierarchical structures, enabling the reuse of declarations across multiple levels of policy hierarchy. For instance, a common pattern involves defining generic attributes and policies within a root namespace and then extending and customizing them within nested namespaces.
Accessing elements with dot-notation
ALFA utilizes dot-notation, commonly employed in programming languages like Java and C#, to access elements within namespaces. This simplifies the referencing of namespaces and their associated elements, enhancing code readability and comprehension.
To ensure proper scoping and identification of elements within the policy structure, ALFA mandates that all policies, policy sets, and other declarations must be enclosed within a namespace. Consequently, elements remain confined to their designated namespaces and are not accessed from outside their defined scope by accident.
For example, the following code snippet defines policy p within namespace B, which in turn resides within namespace A.
Comments are marked using // and /*..*/ as is customary.
namespace A {
    // (2)
    namespace B {
        // (1)
        policy p {...}
    }
}
/* (3) */
To refer to policy p from code point (1), you use its name p. From code point (2), you would use the qualified name B.p, and from code point (3), A.B.p.
Seamless reuse with Import
To avoid the repetitive referencing of lengthy namespace chains, you can reuse namespaces by importing names from one namespace into another. For example:
namespace A {
    namespace B {
        policy p {...}
    }
    import B.p
    /* (4) */
}
namespace C {
    import A.B.*
    /* (5) */
}
At points (4) and (5), you can refer to policy p simply as p.
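The following Python sketch is an added example, not ALFA code or part of the ALFA tooling. It models the scoping rules described above so that each code point (1) to (5) can be checked: which spellings of p resolve to A.B.p and which are not visible. The function names and the rule that only imports written directly in a scope apply to it are assumptions of this model.

```python
# Simplified model of the scoping rules described above; not ALFA's own resolver.
POLICIES = {"A.B.p"}                      # fully qualified names declared in the snippets
IMPORTS = {"A": ["B.p"], "C": ["A.B.*"]}  # import statements, keyed by the scope holding them

def enclosing(scope):
    """Yield scope, then each enclosing namespace, ending with the root ('')."""
    parts = scope.split(".") if scope else []
    for i in range(len(parts), -1, -1):
        yield ".".join(parts[:i])

def lookup(ref, scope):
    """Resolve a dotted reference through namespace nesting only."""
    for ns in enclosing(scope):
        candidate = f"{ns}.{ref}" if ns else ref
        if candidate in POLICIES:
            return candidate
    return None

def resolve(ref, scope, imports=IMPORTS):
    """Resolve ref as written at scope: nesting first, then that scope's imports.
    Assumption: only imports written directly in `scope` are applied."""
    found = lookup(ref, scope)
    if found:
        return found
    head, _, rest = ref.partition(".")
    for imp in imports.get(scope, []):
        if imp.endswith(".*"):                # wildcard: all names of the namespace
            target = f"{imp[:-2]}.{ref}"
        elif imp.rsplit(".", 1)[-1] == head:  # single imported name
            target = imp + (f".{rest}" if rest else "")
        else:
            continue
        found = lookup(target, scope)
        if found:
            return found
    return None  # not visible from this code point

if __name__ == "__main__":
    points = [("(1)", "A.B", "p"), ("(2)", "A", "B.p"), ("(3)", "", "A.B.p"),
              ("(3)", "", "B.p"), ("(4)", "A", "p"), ("(5)", "C", "p")]
    for label, scope, ref in points:
        print(f"{label} {ref!r} in {scope or '<root>'}: {resolve(ref, scope)}")
```

Passing an empty import table, as in resolve("p", "C", {}), shows that the short name is visible at points (4) and (5) only because of the import statements.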
Default identifiers and URIs
ALFA makes use of namespaces to construct default identifiers for policies, policy sets, and rules. In XACML, each policy element is uniquely identified by a URI. When the default mapping from qualified names to URIs needs to be overridden, ALFA allows associating a URI constant with a name. Consider the following examples of defining policies with explicitly assigned URIs:
policy p = "urn:example:policy:p" {...}
policyset q = "urn:example:policy-set:q" {...}
By explicitly assigning URIs to policies and policy sets, ALFA provides greater control over their identification and allows for consistent referencing across different systems and applications.