Conditions

Conditions provide a more versatile and expressive way to formulate expressions compared to targets, which are primarily limited to matching attributes against static values. Conditions enable more complex operations, including attribute against attribute comparisons, attribute manipulations, arithmetic computations, and more.

Conditions can be incorporated into rules, policies, and policy sets. While the XACML standard restricts conditions to rules, the compiler handles conditions in policies and policy sets by generating a rule that includes the condition. It then generates additional policies using specific combining algorithms. This effectively mimics the behavior of a condition directly within the policy or policy set, simplifying the modeling of certain scenarios where conditions prove more expressive than targets.

A condition is defined using the keyword condition followed by an expression that must evaluate to a Boolean value. These expressions can be constructed from a combination of operators and function calls.

The following is an example of a simple condition:

condition Attributes.userClearance >= Attributes.resourceClassification

In this case, the expression uses a single operator to determine whether at least one value of the user clearance attribute is greater than or equal to at least one value of the resource classification attribute.

Functions in conditions

XACML provides a rich set of functions for operating on attribute values. To invoke a function, write its name, typically declared in system.alfa, followed by its arguments in parentheses. Here is a condition that uses function calls:

condition
allOf(function[stringRegexpMatch], ".*fishing.*", [Attributes.clubMembership])
&& Attributes.age > 25

This example verifies that every club membership associated with the subject contains the word "fishing" and that the subject's age exceeds 25.

The function called here is allOf, which takes another function as an argument, denoted using the function[..] syntax. The second parameter is a string, and the third parameter is a bag of strings. The allOf function applies the provided stringRegexpMatch function to the second argument and each value of the bag in the third argument, sequentially. If stringRegexpMatch returns true for each combination, then allOf returns true.
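To make the bag semantics of the two conditions above concrete, here is an added Python model of how they evaluate against a request context; it is not part of the original page or of any ALFA toolchain, and the helper names (designator, any_of_any, any_of, all_of) and the sample attribute values are constructed for this illustration. It also covers the case the text does not spell out: allOf over an empty clubMembership bag is vacuously true, while an operator comparison over an empty bag is false.

```python
import re
from typing import Any, Callable, Dict, List

Bag = List[Any]
Ctx = Dict[str, Bag]   # attribute id -> bag of values; an absent attribute is an empty bag

def designator(ctx: Ctx, name: str) -> Bag:
    """Attribute designator: a missing attribute yields an empty bag, not an error."""
    return list(ctx.get(name, []))

def any_of_any(fn: Callable[[Any, Any], bool], left: Bag, right: Bag) -> bool:
    """anyOfAny: at least one pair (a from left, b from right) satisfies fn."""
    return any(fn(a, b) for a in left for b in right)

def any_of(fn: Callable[[Any, Any], bool], value: Any, right: Bag) -> bool:
    """anyOf: fn(value, b) holds for at least one b in the bag; false on an empty bag."""
    return any(fn(value, b) for b in right)

def all_of(fn: Callable[[Any, Any], bool], value: Any, right: Bag) -> bool:
    """allOf: fn(value, b) holds for every b in the bag; vacuously true on an empty bag."""
    return all(fn(value, b) for b in right)

def string_regexp_match(pattern: str, s: str) -> bool:
    """XACML regexp matching is anchored to the whole string (XML Schema regexes),
    which is why the page's pattern is '.*fishing.*'; fullmatch models that."""
    return re.fullmatch(pattern, s) is not None

def clearance_condition(ctx: Ctx) -> bool:
    """condition Attributes.userClearance >= Attributes.resourceClassification
    Attribute-against-attribute comparison is a bag comparison: at least one pair."""
    return any_of_any(lambda a, b: a >= b,
                      designator(ctx, "userClearance"),
                      designator(ctx, "resourceClassification"))

def fishing_condition(ctx: Ctx) -> bool:
    """condition allOf(function[stringRegexpMatch], ".*fishing.*", [Attributes.clubMembership])
                 && Attributes.age > 25"""
    every_membership_fishing = all_of(string_regexp_match, ".*fishing.*",
                                      designator(ctx, "clubMembership"))
    older_than_25 = any_of(lambda limit, age: age > limit, 25, designator(ctx, "age"))
    return every_membership_fishing and older_than_25

# Constructed sample request contexts (not taken from the original page).
SUBJECT_OK: Ctx = {"userClearance": [3], "resourceClassification": [2, 4],
                   "clubMembership": ["fishing club", "deep-sea fishing"], "age": [42]}
SUBJECT_MIXED: Ctx = {**SUBJECT_OK, "clubMembership": ["fishing club", "chess club"]}
SUBJECT_NO_CLUBS: Ctx = {**SUBJECT_OK, "clubMembership": []}

if __name__ == "__main__":
    for label, ctx in [("ok", SUBJECT_OK), ("mixed", SUBJECT_MIXED), ("no clubs", SUBJECT_NO_CLUBS)]:
        print(label, clearance_condition(ctx), fishing_condition(ctx))
```

The empty-bag result is the one to check when relying on allOf: a subject with no clubMembership values at all satisfies the first conjunct.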