Stack Overflow
Stack Overflow

Questions tagged [alfa]

ALFA, the Axiomatics Language For Authorization, is a domain-specific language used to write fine-grained authorization policies which are then converted into XACML 3.0.

ALFA, the Axiomatics Language For Authorization, is a domain-specific language used to simplify the authoring and development of access control policies. The ALFA language maps directly into the language.

ALFA and help developers and architects implement fine-grained, attribute-based access control () which is an evolution / extension of the role-based access control model (). ALFA and XACML can also be used to author RBAC policies.

Sample ALFA policies include:

  • A user with the role=editor can do the action=edit on a resource of type=document
  • A user with the role=publisher can do the action=approve on a resource of type=document
  • A user cannot do the action=approve if the author=the user

Role, action, resource type, author, user are all examples of attributes.

XACML policies can then be processed by a policy decision point (PDP).

82 questions
13
votes
2 answers

using open policy agent (OPA) as an ABAC system

I have a project that requires ABAC for access control for my projects resources. I've been looking at OPA and authzforce as options to implement ABAC and OPA looks like it might be less complicated than authzforce. I see that OPA compares itself to…
zero
  • 2,999
  • 9
  • 42
  • 67
8
votes
1 answer

With ABAC/XACML how do you protect resources in reports/large result sets?

How have folks used an abac approach when running reports or even just selecting multiple records from a DB? For instance, if you have a policy that states: Doctors can only view patients in their hospital Obviously the efficient way to implement…
jbd
  • 413
  • 5
  • 14
4
votes
1 answer

Difference between target and condition in XACML

I would like to fixe the differences between target and condition in XACML language and when should I use target or condition.
A.Gh
  • 109
  • 1
  • 1
  • 6
4
votes
1 answer

Is there anyway to use ALFA to generate XACML without using the Eclipse plug-in?

Is there any way to use ALFA to generate XACML without using the ALFA Eclipse plugin? I would like to create a policy creator and programmatically creating ALFA and converting it to XACML would be preferable to attempting to generate XACML, right?
Aymon Fournier
  • 4,323
  • 12
  • 42
  • 59
3
votes
2 answers

Axiomatics - condition editor

I have a subject like "accessTo" = ["123", "123-edit"] and a resource like "interestedId" = "123" Now I'm trying to write a condition - where it checks "interestedId" concatenated with "-edit" equals "123-edit" in "AccessTo". Im trying to write rule…
user2608601
  • 147
  • 1
  • 10
3
votes
1 answer

Complex Authorization using XACML

My company is looking to implement a centralized security service, and it seems like a popular standard for that is XACML. I have a complex authorization scenario and I've been having trouble figuring out how it could be defined using attributes for…
Shawn
  • 133
  • 2
  • 10
3
votes
0 answers

ALFA to XACML plugin

The Alfa language submitted to OASIS by Axiomatics looks quite nice. However I wonder whether there is any free compiler from Alfa to XACML. The license file which comes with the Axiomatics Eclipse plugin states it is for non-commercial /…
John
  • 31
  • 1
2
votes
1 answer

Is there a way to define variables externally from XACML policy and refer them from inside the policy rules

I am using XACML with multiple policy sets and policies. These policies are sharing the same variables and I want to be able to define them in some kind "global" dictionary. While it seems rather basic requirement, I couldn't find any documentation,…
Leonid Shepetovsky
  • 23
  • 4
2
votes
1 answer

Why combining algorithms in access control?

I'm trying to decide what authorization technology/methodology to do for a project and XACML has a lot of interesting features. One thing I can't wrap my head around though is the need for combining algorithms. Are there complex scenarios where they…
Homde
  • 4,246
  • 4
  • 34
  • 50
2
votes
3 answers

What can I use as a XACML PDP?

I have an API REST made in node js, and now I'd like to implement some XACML policy. I have been searching and I found that I can use ALFA to make the XACML rules. But I need a PDP for applying the rules. What can I use / how can I implement it? I…
Manu Ruiz Ruiz
  • 373
  • 1
  • 2
  • 11
2
votes
1 answer

Xacml policy test occurence of string in string bag

I'm trying to come up with a rule that says the string must begin with ABC but not be ABC123, ABC456, ABC789. I'm trying write this to evaluate against a string bag, any pointers much appreciated.
Gooberq Gob
  • 21
  • 3
2
votes
1 answer

How do I get permit with XACML policy?

I have two policies, first one should return permit, and the second should return deny, but it always returns deny to the requests. This is the PolicySet:
AhmadSYousef
  • 67
  • 5
2
votes
1 answer

XACML combining PIPs in policy

I'm new to XACML architecture and would appreciate if you can help me with next question. Is it possible to use multiple PIP in a way that answer extracted from one PIP is used as input parameter for other PIP? If so can you provide me with simple…
Mark
  • 61
  • 3
2
votes
1 answer

1:n relationships and complex attribute types in ALFA

I'm trying to enter our database model into ALFA in order to check the capabilities of ALFA and XACML. Are attributes like the following possible? How would look the rules then? 1:n by list of strings namespace com.mycompany { namespace resources…
OneWorld
  • 17,512
  • 21
  • 86
  • 136
2
votes
1 answer

Switch from custom ABAC to XACML

I'm going to secure my Spring Cloud Application with OAuth2 and XACML (using AuthZForce). I've implemented a simple ABAC solution, that can handle the following use-case, but I want to switch to XACML. Is it possible? old domain I have (in…
benkuly
  • 1,144
  • 10
  • 28
1
2 3 4 5 6