Condition Editor
The Condition Editor is used to create a condition inside a Rule. To open the Condition Editor, select the rule that you want to edit in the policy tree. This opens an edit panel where the user can enter a description for the rule, set an effect, and create an obligation or advice.
The section of the panel "Applies when" holds two buttons. Click the Add Condition button to open the Condition Editor.
The Condition Editor is displayed in the panel, and attributes, functions and data types can be arranged with the use of operators to construct predicates that can be combined into advanced expressions.
Arrows in the upper right of the edit panel can be used to expand and minimize the panel size. Maximizing the edit panel to full size provides access to more editing tools. See Functions in the Condition Editor.
There are some similarities between a condition and a target. But a condition can be much more complex and is more free form. In a condition you can compare the values of attributes and use complex nesting of attributes and functions in ways that would not be allowed in a target.
ALFA syntax
To simplify editing, the Condition Editor uses ALFA language syntax. The ALFA syntax dramatically simplifies the construction of complex statements. This expression, for instance, checks that the user's clearance level is higher than or equal to the classification of the resource:
Attributes.access_subject.userClearance >= Attributes.resource.resourceClassification
Inside a Target, all the values in a Bag are automatically tested to find a match. In a Condition, things may be a bit more complex. First of all, you may have bags on both sides of the operator and secondly, you can use a broader set of functions which you want to apply to the values. Therefore, you may have to specify how the function should be applied, if all the values on one side are to be compared with all the values on the other side, etc.
Using operators
For instance, in ALFA the '==' operator means "compare all the values on the left with all the values on the right and return True if at least one match is found". The expression

Attributes.access_subject.my_projects == Attributes.resource.related_projects

is therefore True if the user belongs to at least one of the projects the resource is related to, regardless of how many values either attribute carries.
Functions
The operator notation in the above example is equivalent to the following, complete ALFA syntax for the same expression:
System.anyOf(function[System.stringEqual],Attributes.access_subject.my_projects,Attributes.resource.related_projects)
Even this complete form is shorter and more compact than the XACML it expands to, but the operator form is shorter still and easier to read, so use operators to compare the left side and the right side wherever a shorthand exists.
However, only the most commonly used combinations of functions have a shorthand notation through the use of operators. Since there are more than 250 XACML functions available for you to use in the Policy Editor, you will also have to use the complete ALFA syntax for XACML functions.
Atomic attributes and bags
Attributes return bag values, but some functions require atomic values. To convert, use the one-and-only function of the appropriate data type. For instance, the following expression checks that a user is not approving a payment that exceeds their approval limit:
integerOneAndOnly(Attributes.access_subject.approval_request) - integerOneAndOnly(Attributes.access_subject.approval_limit) < 0
As written, the request must be strictly less than the limit; change < 0 to <= 0 if a request equal to the limit should also pass. The expression also assumes that the attributes approval_request and approval_limit each contain exactly one value. If either bag is empty or holds several values, the one-and-only function returns an Indeterminate result, so the rule yields neither Permit nor Deny; how that propagates to the final decision depends on the combining algorithm of the enclosing policy.
Functions in the Condition Editor
To call a function, use the function name followed by the arguments enclosed in parenthesis. Here is an example of a condition which uses function calls:
anyOf(function[stringRegexpMatch], ".*fishing.*", Attributes.access_subject.clubMembership) && Attributes.access_subject.age > 25
If this expression evaluates to True, at least one of the clubs the user belongs to has a name containing the string 'fishing' (allOf would instead require every club name to match), and the logical AND ensures that this fisher is more than 25 years old. Note the argument order: stringRegexpMatch takes the regular expression first and the string to test second, which is why the pattern precedes the attribute.
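The bag semantics described in the sections above (the '==' shorthand comparing every left value with every right value, the one-and-only conversion, and anyOf versus allOf) can be checked with a small model of the XACML functions. This is an added Python example, not code from this page or from the Policy Editor; the function names mirror the ALFA names used in the text, and the request data is constructed for the example.

```python
"""Bag semantics behind the ALFA condition examples on this page.

Added example, not code from the page or from the Policy Editor: a minimal
model of XACML attribute bags, anyOf/allOf and the one-and-only conversion,
run over a constructed request. Names mirror the ALFA names in the text.
"""
import copy
import re
from itertools import product


class Indeterminate(Exception):
    """The condition can produce neither True nor False (XACML Indeterminate)."""


def _bag(value):
    # Atomic arguments are treated as one-element bags.
    return list(value) if isinstance(value, (list, tuple, set, frozenset)) else [value]


def any_of(func, *args):
    """True if func holds for at least one combination of values drawn from the
    arguments. With a bag on each side this is the page's '==' semantics."""
    return any(func(*combo) for combo in product(*map(_bag, args)))


def all_of(func, *args):
    """True only if func holds for every combination (vacuously True on an empty bag)."""
    return all(func(*combo) for combo in product(*map(_bag, args)))


def one_and_only(bag):
    """integerOneAndOnly and friends: the single value of a one-element bag, else Indeterminate."""
    if len(bag) != 1:
        raise Indeterminate(f"one-and-only applied to a bag of {len(bag)} values")
    return bag[0]


def string_equal(a, b):
    return a == b


def string_regexp_match(pattern, text):
    # XACML string-regexp-match takes the pattern first; XML Schema regular
    # expressions match the whole string, hence the '.*' on both sides in the page.
    return re.fullmatch(pattern, text) is not None


def integer_greater_than(a, b):
    return a > b


# The three conditions from the page, each expressed over a request dict.

def shares_a_project(request):
    # Attributes.access_subject.my_projects == Attributes.resource.related_projects
    return any_of(string_equal,
                  request["access_subject"]["my_projects"],
                  request["resource"]["related_projects"])


def within_approval_limit(request):
    # integerOneAndOnly(approval_request) - integerOneAndOnly(approval_limit) < 0
    subject = request["access_subject"]
    return one_and_only(subject["approval_request"]) - one_and_only(subject["approval_limit"]) < 0


def fishing_club_member_over_25(request, every_club=False):
    # anyOf(function[stringRegexpMatch], ".*fishing.*", clubMembership) && age > 25
    # every_club=True swaps in allOf to show the difference.
    subject = request["access_subject"]
    quantifier = all_of if every_club else any_of
    return (quantifier(string_regexp_match, ".*fishing.*", subject["clubMembership"])
            and any_of(integer_greater_than, subject["age"], 25))


def evaluate(condition, request):
    """Evaluate a condition the way a PDP reports it: True, False or 'Indeterminate'."""
    try:
        return condition(request)
    except Indeterminate:
        return "Indeterminate"


def with_subject(request, **overrides):
    """Copy of the request with some access_subject attributes replaced (for what-if checks)."""
    altered = copy.deepcopy(request)
    altered["access_subject"].update(overrides)
    return altered


REQUEST = {  # constructed sample request, not taken from the page
    "access_subject": {
        "my_projects": ["alpha", "gamma"],
        "approval_request": [4000],
        "approval_limit": [5000],
        "clubMembership": ["Fly-fishing Society", "Chess Club"],
        "age": [31],
    },
    "resource": {"related_projects": ["beta", "gamma"]},
}


if __name__ == "__main__":
    print("shares a project:", evaluate(shares_a_project, REQUEST))
    print("within limit:", evaluate(within_approval_limit, REQUEST))
    print("limit missing:", evaluate(within_approval_limit, with_subject(REQUEST, approval_limit=[])))
    print("anyOf fishing:", evaluate(fishing_club_member_over_25, REQUEST))
    print("allOf fishing:", evaluate(lambda r: fishing_club_member_over_25(r, every_club=True), REQUEST))
```

The with_subject helper makes the failure modes easy to see: drop approval_limit or give it two values and the condition reports Indeterminate rather than False, and switching the club check to allOf turns a member of two clubs from True to False because "Chess Club" does not match the pattern.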
To select the function to use, do one of the following:
- Type the function name in the condition editor edit box if you know it.
- Maximize the Condition Editor, select the Functions tab on the left and select the desired function from the listbox, either by browsing the entire list until you find it or by filtering the list with a search string in the Filter field. Then click the Insert button to include the function in the edit box.
Add parameters to the function statement
Add a comma-separated list of parameters enclosed in parentheses after the function name:
- If the parameter is a call to yet another function, type function[<function name>].
- If the parameter is an attribute, type the attribute name or select it from the Attribute tab in the maximized Condition Editor.
- If the parameter is a string, type it enclosed in double quotation marks.
- If the parameter is an integer value, just type the number.
Operator precedence
Operator precedence is fixed in the ALFA grammar. The levels are listed below from the operators that bind most weakly to those that bind most strongly:
- Operators starting with '|'. These are right associative (for an explanation of associativity, see below).
- Operators starting with '&'. These are right associative.
- Operators starting with '=', '<', '>' or '$'. These are left associative.
- Operators starting with '@' or '^'. These are right associative.
- Operators starting with '+' or '-'. These are left associative.
- Operators starting with '*', '/' or '%'. These are left associative.
Parentheses can be used to override this order; for instance, "(2+3) * 5" performs the addition of 2 and 3 before the multiplication by 5, whereas "2 + 3 * 5" multiplies first.
Associativity of operator
If two operators have the same precedence, the order of evaluation is determined by their associativity. Operators can be left associative or right associative (or non-associative). If ¤ is a right-associative operator, the expression x ¤ y ¤ z is the same as x ¤ (y ¤ z); if it is left associative, it is the same as (x ¤ y) ¤ z. In ALFA this means that a || b || c groups as a || (b || c), while a - b - c groups as (a - b) - c.
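The precedence and associativity rules above can be tried out with a parser that reproduces the table. This is an added Python example, not part of the page or of any ALFA tool; it tokenizes identifiers, integers, double-quoted strings, parentheses and runs of operator characters (the token rules are an assumption) and returns each expression with its implicit grouping made explicit. It groups only; it does not evaluate the operators.

```python
"""Precedence-climbing parser for the ALFA operator table on this page.

Added example, not part of the page or of any ALFA tool. It only groups an
expression according to the precedence and associativity levels listed above;
it does not evaluate operators. Token rules are an assumption.
"""
import re

# Precedence level by the operator's first character, 1 = binds weakest,
# 6 = binds strongest, exactly as listed on the page.
LEVEL = {"|": 1, "&": 2,
         "=": 3, "<": 3, ">": 3, "$": 3,
         "@": 4, "^": 4,
         "+": 5, "-": 5,
         "*": 6, "/": 6, "%": 6}
RIGHT_ASSOC = {1, 2, 4}   # the '|', '&' and '@'/'^' levels; the others are left associative

# Tokens: integer, dotted identifier (Attributes.resource.x), quoted string,
# parenthesis, or a run of operator characters ('==', '>=', '&&', ...).
TOKEN = re.compile(r'\s*(?:(\d+)|([A-Za-z_][\w.]*)|("[^"]*")|([()])|([|&=<>$@^+\-*/%]+))')


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise SyntaxError(f"unexpected input at offset {pos}: {text[pos:]!r}")
        pos = match.end()
        tokens.append(next(g for g in match.groups() if g is not None))
    return tokens


class Parser:
    def __init__(self, text):
        self.tokens = tokenize(text)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def parse(self):
        expr = self.expression(1)
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return expr

    def operand(self):
        token = self.take()
        if token == "(":
            inner = self.expression(1)
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return inner
        if token is None or token == ")" or token[0] in LEVEL:
            raise SyntaxError(f"expected an operand, got {token!r}")
        return token

    def expression(self, min_level):
        """Parse operators of at least min_level, returning a parenthesised string."""
        left = self.operand()
        while True:
            op = self.peek()
            if op is None or op in ("(", ")") or op[0] not in LEVEL or LEVEL[op[0]] < min_level:
                return left
            self.take()
            level = LEVEL[op[0]]
            # A right-associative operator lets an equal-precedence operator to its
            # right bind first; a left-associative one requires strictly higher precedence.
            right = self.expression(level if level in RIGHT_ASSOC else level + 1)
            left = f"({left} {op} {right})"


def group(text):
    """Return the expression with every binary operation explicitly parenthesised."""
    return Parser(text).parse()


if __name__ == "__main__":
    for sample in ("a || b && c", "2 + 3 * 5", "(2+3) * 5", "x @ y @ z", "a - b - c",
                   "Attributes.access_subject.userClearance >= Attributes.resource.resourceClassification"):
        print(f"{sample:60} -> {group(sample)}")
```

Because the level is decided by the operator's first character, the parser treats any run of operator characters the same way the page's table does; it does not know the meaning of '@', '^' or '$', only where they bind. Mixed comparisons such as "a >= b + 1 && c == d" come out as "((a >= (b + 1)) && (c == d))", which is the grouping a reader should expect before adding parentheses of their own.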