As of Enforcer version 4.1.0, conditions can be declared once and shared across policies. The resulting ALFA is
- More readable
- More maintainable
Example
Consider the following policy for controlling access to the Main Door and the Side Door.
namespace AcmeCorp.DoorPolicy {
    import Oasis.Functions.*
    import Oasis.Attributes.*

    policy doorAccess {
        target clause ResourceType == "door" && Action == "open"
        apply denyUnlessPermit

        // Employees can open the main door during office hours only
        rule mainDoor {
            target clause Resource == "mainDoor"
            permit
            condition Subject.Role == "employee" &&
                CurrentTime >= "08:00:00":time &&
                CurrentTime < "18:00:00":time
        }

        // Employees can open the side door at any time
        rule outOfHoursDoor {
            target clause Resource == "sideDoor"
            permit
            condition Subject.Role == "employee"
        }
    }
}
Refactored to use shared conditions, the policy is more readable and the same boolean expressions are no longer repeated in each rule: the working-hours check, for example, is now defined in one place.
namespace AcmeCorp.DoorPolicy {
    import Oasis.Functions.*
    import Oasis.Attributes.*

    condition OpenDoor ResourceType == "door" && Action == "open"
    condition IsEmployee Subject.Role == "employee"
    condition DuringWorkingHours
        CurrentTime >= "08:00:00":time and
        CurrentTime < "18:00:00":time

    policy doorAccess {
        target clause OpenDoor
        apply denyUnlessPermit

        // Employees can open the main door during office hours only
        rule mainDoor {
            target clause Resource == "mainDoor"
            permit
            condition IsEmployee and DuringWorkingHours
        }

        // Employees can open the side door at any time
        rule outOfHoursDoor {
            target clause Resource == "sideDoor"
            permit
            condition IsEmployee
        }
    }
}
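Because the shared conditions are declared at namespace level rather than inside a policy, a second policy in the same namespace can reuse them, which is the "shared across policies" part of the feature. The following is an added example, not code from the original page or from the Enforcer documentation. It assumes the shared-condition syntax shown above and standard ALFA policyset syntax; the contractor role, the `IsContractor` condition, the `buildingAccess` policyset and the `contractorDoorAccess` policy are hypothetical names chosen for illustration.

```alfa
namespace AcmeCorp.DoorPolicy {
    import Oasis.Functions.*
    import Oasis.Attributes.*

    // Declared once, reused by both policies below. Changing the
    // working hours here changes them everywhere they are used.
    condition OpenDoor ResourceType == "door" && Action == "open"
    condition IsEmployee Subject.Role == "employee"
    condition IsContractor Subject.Role == "contractor"   // hypothetical role
    condition DuringWorkingHours
        CurrentTime >= "08:00:00":time and
        CurrentTime < "18:00:00":time

    // Each policy below returns Deny whenever none of its rules permits
    // (denyUnlessPermit), so the policyset uses permitOverrides: a
    // request is allowed if any one policy permits it, otherwise denied.
    policyset buildingAccess {
        apply permitOverrides

        // Same policy as on the page
        policy doorAccess {
            target clause OpenDoor
            apply denyUnlessPermit

            rule mainDoor {
                target clause Resource == "mainDoor"
                permit
                condition IsEmployee and DuringWorkingHours
            }

            rule outOfHoursDoor {
                target clause Resource == "sideDoor"
                permit
                condition IsEmployee
            }
        }

        // Second policy reusing OpenDoor and DuringWorkingHours:
        // contractors may open either door, but only during working hours.
        policy contractorDoorAccess {
            target clause OpenDoor
            apply denyUnlessPermit

            rule anyDoorInHours {
                permit
                condition IsContractor and DuringWorkingHours
            }
        }
    }
}
```

Walking through the evaluation: an employee opening the main door at 09:00 is permitted by `doorAccess`; a contractor at 09:00 is denied by `doorAccess` (no rule permits) but permitted by `contractorDoorAccess`, and `permitOverrides` yields Permit; a contractor at 20:00 is denied by both policies and the result is Deny. Note that `denyUnlessPermit` never returns NotApplicable, so if the policyset used `firstApplicable` instead, the Deny from `doorAccess` would be final and `contractorDoorAccess` would never be consulted.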