An overview of the ALFA Abbreviated Language for Authorization and how it accepts authorization requests and produces authorization decisions that are returned to a client.

1. 1
axiomatics.com
OpenID AuthZEN Prior Art
ALFA - Abbreviated Language for Authorization
David Brossard, January 2024 | https://www.linkedin.com/company/axiomatics/ | https://www.linkedin.com/in/davidbrossard/

2. 2
axiomatics.com
axiomatics.com
TL;DR;
There’s an OpenAPI specification for the interfaces I am about to cover.
👉GitHub - axiomatics/xacml-3.0-authz-service-openapi-spec

3. 3
axiomatics.com
axiomatics.com
Background
• ALFA is first and foremost a policy language
• ALFA follows NIST’s ABAC special publication
o SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations | CSRC
• ALFA is based on XACML
o It uses a lightweight syntax similar to Java
• ALFA leverages the JSON Profile of XACML to send/receive authorization requests
o JSON Profile of XACML 3.0 Version 1.1
• The JSON Profile of XACML references the REST Profile of XACML for the actual transport
o REST Profile of XACML v3.0 Version 1.0
• The transport part (HTTP…) is entirely decoupled from the request/response format.
o They’re 2 different specs (see above)

4. 4
axiomatics.com
axiomatics.com
Use Cases
ALFA supports the same authorization use cases as XACML:
• Binary authorization request
o Can Alice view Document #1?
o Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️
• Batch authorization requests
o Can Alice, Bob, and Carol view, edit, or delete documents #1, 2, 3?
o 3x3x3 decisions are returned
o Batch requests are specified in another profile called the Multiple Decision Profile Version 1.0
• ⚠️Notably, ALFA (and XACML) does not support partial evaluation/search
o This is something vendors have had to build themselves
o Axiomatics has a proprietary API called Reverse Query that implements partial evaluation

5. 5
axiomatics.com
axiomatics.com
Attributes are the core elements of an authorization request
• ALFA is entirely attribute-based
o Therefore, an authorization request is (nearly exclusively) made up of attributes
• An attribute is made up of
o A category e.g. subject
o A datatype e.g. string
o An identifier (a urn) e.g. com.acme.user.name
• Attributes can be multi-valued
o citizenship can contain multiple values e.g. Swiss and Swedish
• ALFA supports
o 4 default categories: subject, action, resource, and environment
– ✅This corresponds to Cedar’s PARC model and AuthZEN’s current subject/resource/action proposal
o A dozen standard datatypes (see https://alfa.guide/alfa-datatypes/)
• ALFA is extensible
o You can add categories and datatypes if you so desire
o In practice, users stick to subject/action/resource/environment and basic datatypes (string, boolean, numbers,
dates)

6. 6
axiomatics.com
axiomatics.com
Authorization Request UML Diagram
💗

7. 7
axiomatics.com
{"Request":
{
"AccessSubject":
[{"Attribute":
[
{"AttributeId":"axiomatics.demo.user.userId","Value":["Alice Anderson"]}
]
}],
"Resource":
[{"Attribute":
[
{"AttributeId":"axiomatics.demo.resourceType","Value":"record"},
{"AttributeId":"axiomatics.demo.record.recordId","Value":"123"}
]
}],
"Action":
[{"Attribute":
[
{"AttributeId":"axiomatics.demo.actionId","Value":"view"}
]
}]
}
Can Alice Anderson view record 123?
Sample Authorization Request
Each category is an array
of attributes
An attribute in its simplest
form is a key-value pair
A request is an array of
categories.

8. 8
axiomatics.com
Generic Form: Can Dave view record 125?
Sample Authorization Request
{"Request": {
"Category": [
{"CategoryId":"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
"Attribute": [{"AttributeId": "user.employeeId","Value": "Dave"}]},
{"CategoryId":"urn:oasis:names:tc:xacml:3.0:attribute-category:action",
"Attribute": [{"AttributeId": "action.actionId","Value": "view"}]},
{"CategoryId":"urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
"Attribute": [
{"AttributeId": "object.objectType","Value": "record"},
{"AttributeId": "record.recordId","Value": "125"}]}
]
}
}

9. 9
axiomatics.com
axiomatics.com
Authorization Response UML Diagram
💗

10. 10
axiomatics.com
axiomatics.com
Features of the Authorization Response
• The response contains an array of results (to be able to support the Multiple Decision Profile)
• Each result contains
o One of 4 possible decisions: Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️
o An optional status that can be used to convey errors e.g. missing attributes or division by zero
o An optional array of obligations and advice
o An optional array of attributes and their values used in the decision making process
o An optional array of identifiers pointing to the policies used in the evaluation process

11. 11
axiomatics.com
axiomatics.com
Additional Features
• An Authorization Request can ask the PDP to return the identifiers of the policies evaluated
o ReturnPolicyIdList
– type boolean; default value is false
– This is useful to trace an evaluation or understand which policy triggered the eventual decision
o CombinedDecision
– type boolean; default value is false
– In the event of a Multiple Decision Request e.g. “Can Alice view and/or edit document #123”, rather than the PDP
returning 2 decisions (Permit, Deny), those decisions can be combined into a single one.
• Policies can contain obligations & advice which are additional statements that may be returned alongside
a decision e.g.
o Permit + obligation to use MFA
o It’s on the PEP to comply with the obligation

12. 12
axiomatics.com
axiomatics.com
Sample Authorization Responses
{"Response": [
{
"Decision": "Permit"
}
]}
{"Response": [
{
"Decision": "Deny",
"PolicyIdentifierList": {
"PolicyIdReference": [
{"Id": "viewRecords.employeesViewRecords","Version": "1.0"}
],
"PolicySetIdReference": [
{"Id": "mainRecords.viewRecords","Version": "1.0"},
{"Id": "tutorial.main","Version": "1.0"}
]
}
}
]}
The simplest kind of
response. Note it’s an array
A sample response with
policy identifiers

13. 13
axiomatics.com
axiomatics.com
Sample Authorization Response with Obligations
{"Response": [{
"Decision": "Deny",
"AssociatedAdvice": [
{
"Id": "tutorial.denyMessage",
"AttributeAssignment": [
{
"AttributeId": "message.denyReason",
"Value": "Sorry, Dave, you can't do that because you do not have a role",
"Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
]
}
]
}]}
This response contains
additional statements called
obligations

14. 14
axiomatics.com
axiomatics.com
Simplifications
• Datatypes that can be inferred from JSON e.g. String, integer, double, boolean do not need to be specified
• Some fields that are mandatory in XACML are optional in the JSON representation and have a default
value
o E.g. XPathVersion (not very useful in a JSON world)

15. 15
axiomatics.com
axiomatics.com
Features ALFA does not have by design
• You cannot ask the PDP to only consider a subset of
policies
o It is not up to the requester to decide what applies to
them
• You cannot send the PDP a policy to execute
o It is configured beforehand through different means (see
PAP-PDP)
• As previously mentioned, no ‘search’ or partial
evaluation
o Vendors e.g. Axiomatics have implemented their own
approach
No, you don’t get to tell
me what the law is.
You cannot ride a
wooden horse on I-401

16. 16
axiomatics.com
axiomatics.com
Things that could be simplified (and that AuthZEN should do)
• Let’s fully drop features and parameters that are really only
meaningful in XACML but not in ALFA or in modern-day XMLless
worlds
• Let’s support 2 decisions only: Permit and Deny

17. 17
axiomatics.com
axiomatics.com
Extending the JSON Profile to support Search
• Essentially, the same request structure could be used.
• One would have to add the desired decision, typically Permit
o What can Alice do?
o Give me the list of items Alice can delete
• Standardizing the request is straightforward
o Standardizing the response is harder
o Is it a filter?
o Is it the list of items?

18. 18
axiomatics.com
axiomatics.com
References
• JSON Profile of XACML 3.0 Version 1.1
• REST Profile of XACML v3.0 Version 1.0
• XACML v3.0 Multiple Decision Profile Version 1.0
• ALFA - the Abbreviated Language for Authorization
• Sample Requests - Postman Collection

19. 19
axiomatics.com
Thank you