Using Functions
Expressions in ALFA can take advantage of functions to manipulate attributes. Enforcer ships with a set of standard functions defined by Oasis and some additional ones.
In this part of the tutorial, you will replace the role check in the RestrictAccessToEmployees rule with a check on the user's email address.
- You will first need to import the function namespace into scope:
namespace AcmeCorp.Finance
{
import Oasis.Functions
}
- Now modify the condition of the RestrictAccessToEmployees rule to check that the user's email address ends with @acme.com. To do this, you will make use of the EndsWith function. EndsWith takes the end part of the string to match and an input string or a bag of input strings. For the end part, you will use @acme.com. The input string comes from the attribute Subject.Email. The EndsWith call evaluates to true if any of the user's email addresses end with @acme.com.
rule RestrictAccessToEmployees
{
condition not EndsWith("@acme.com", Subject.Email)
deny
}
- Using the 'Add Attributes' area on the right-hand side of the editor window, add a value for the Email attribute and set it to bob@acme.com.
- Re-run the policy and confirm that the outcome is permit. Change the Email attribute to your own email address and verify that the outcome is deny (assuming you don't work for acme.com).
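As an added example (not the page's or Enforcer's own code), a small Python model of how the rule above evaluates; the helper names are assumptions, EndsWith is assumed to be case-sensitive, and the policy is assumed to permit whenever this rule does not fire. It shows that a missing Email attribute fails closed, and that with a bag of addresses a single matching member is enough to satisfy the check.

```python
# Added example: a model of the RestrictAccessToEmployees rule, not Enforcer's
# evaluation engine. ends_with/evaluate are hypothetical names for illustration.
from typing import Iterable, Optional, Union


def ends_with(suffix: str, value: Union[str, Iterable[str], None]) -> bool:
    """Model of EndsWith(suffix, input).

    The input may be a single string or a bag of strings. The call is true if
    ANY member ends with the suffix (bag semantics from the tutorial). A missing
    attribute yields an empty bag, so the result is false. Matching is assumed
    to be case-sensitive.
    """
    if value is None:
        return False
    bag = [value] if isinstance(value, str) else list(value)
    return any(member.endswith(suffix) for member in bag)


def restrict_access_to_employees(subject: dict) -> Optional[str]:
    """Model of: condition not EndsWith("@acme.com", Subject.Email) -> deny.

    Returns "deny" when the condition holds, None when the rule does not apply.
    """
    if not ends_with("@acme.com", subject.get("Email")):
        return "deny"
    return None


def evaluate(subject: dict) -> str:
    """Model of the policy outcome: deny if the rule fires, otherwise permit
    (assumption: the rest of the tutorial's policy grants access)."""
    return restrict_access_to_employees(subject) or "permit"


if __name__ == "__main__":
    # Constructed sample subjects, mirroring the tutorial's manual test steps.
    print(evaluate({"Email": "bob@acme.com"}))                    # permit
    print(evaluate({"Email": "bob@example.org"}))                 # deny
    print(evaluate({}))                                           # deny: no attribute, fails closed
    print(evaluate({"Email": ["bob@example.org", "bob@acme.com"]}))  # permit: one bag member matches
```

Note that "bob@notacme.com" and "bob@acme.com.example.org" are both denied, because the suffix includes the "@" and the match is anchored at the end of the string.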