ALFA, which stands for Abbreviated Language for Authorization, is the language Enforcer uses to define authorization rules.
Why ALFA and not XACML
When OASIS conceived their policy model in 2003, XML was the standard interop language for describing structured data. It was, therefore, natural to describe the policy model in XML.
The intent of XML was never really to be read by humans; it is a language for machine-to-machine conversations. Since its inception, developers have struggled to write and maintain policies in XACML, and graphical tools have been developed to try to make it easier. More importantly, developers are unable to share and verify XACML policies with business stakeholders because of the complexity of XACML.
Consider a simple door access policy that should only allow employees access to the main door between 08:00 and 18:00 daily. This policy is expressed in XACML as follows.
As you can see, it is both verbose and non-trivial to follow.
OASIS has developed and refined its authorization policy model over many years and has seen it deployed successfully to thousands of enterprises. While XML is not ideal for describing the model, the model itself is flexible and fit for purpose.
Adopting the philosophy of "don't throw the baby out with the bathwater", Pablo Giambiagi designed an alternative to XACML, ALFA, a domain-specific language for describing OASIS authorization policies. A core goal of ALFA is that it can be read by virtually anyone, while still retaining the underlying policy model. OASIS adopted ALFA in March 2014.
Here is the same door access policy, previously written in XACML, now defined in ALFA:
namespace AcmeCorp
{
    import Oasis.Attributes

    policy buildingAccess
    {
        apply denyOverrides
        target clause ResourceType == "door"

        rule openMainDoor
        {
            target clause Resource == "mainDoor" and Action == "open"
            permit
            condition Subject.Role == "employee" and
                      CurrentTime > "08:00:00":time and
                      CurrentTime < "18:00:00":time
        }
    }
}
ALFA is far easier to read and, as such, fixes one of XACML’s big issues: namely allowing verification of policy by business stakeholders.
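To make the semantics of the policy above concrete, here is an added example (not Enforcer's or OASIS's code) that evaluates the buildingAccess policy in plain Python: the policy target, the rule target, the rule condition and the denyOverrides combining algorithm are each modelled separately, so you can see why a request for a different door, a non-employee, or a request at exactly 08:00:00 yields NotApplicable rather than Permit. The request attribute names and the `decide` helper are assumptions made for this illustration.

```python
"""Evaluator for the AcmeCorp.buildingAccess ALFA policy (added example)."""
from datetime import time

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def open_main_door_rule(req):
    """rule openMainDoor: target, then effect 'permit' guarded by the condition."""
    # target clause Resource == "mainDoor" and Action == "open"
    if not (req.get("Resource") == "mainDoor" and req.get("Action") == "open"):
        return NOT_APPLICABLE
    # condition: employee, strictly between 08:00:00 and 18:00:00
    # (ALFA uses > and <, so the boundary instants themselves are excluded)
    if (req.get("Subject.Role") == "employee"
            and time(8, 0, 0) < req["CurrentTime"] < time(18, 0, 0)):
        return PERMIT
    # XACML: a rule whose condition is false is NotApplicable, not Deny
    return NOT_APPLICABLE


def deny_overrides(decisions):
    """apply denyOverrides: any Deny wins, else any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def building_access_policy(req):
    """policy buildingAccess: policy target first, then combine the rules."""
    # target clause ResourceType == "door"
    if req.get("ResourceType") != "door":
        return NOT_APPLICABLE
    rules = [open_main_door_rule]  # the policy has a single rule
    return deny_overrides([rule(req) for rule in rules])


def decide(role, resource_type, resource, action, clock):
    """Build a request from plain values (clock as 'HH:MM:SS') and evaluate it.
    Attribute names are an assumption for this example."""
    req = {"Subject.Role": role, "ResourceType": resource_type,
           "Resource": resource, "Action": action,
           "CurrentTime": time.fromisoformat(clock)}
    return building_access_policy(req)


if __name__ == "__main__":
    print(decide("employee", "door", "mainDoor", "open", "09:00:00"))   # Permit
    print(decide("employee", "door", "mainDoor", "open", "08:00:00"))   # NotApplicable
    print(decide("contractor", "door", "mainDoor", "open", "09:00:00"))  # NotApplicable
```

Note that nothing in this policy ever returns Deny; a policy enforcement point must therefore treat any non-Permit decision as a refusal, otherwise a contractor would simply get NotApplicable and the door would be left to the enforcement point's default.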