1
axiomatics.com
OpenID AuthZEN Prior Art
ALFA - Abbreviated Language for Authorization
David Brossard, January 2024 | https://www.linkedin.com/company/axiomatics/ | https://www.linkedin.com/in/davidbrossard/
TL;DR
There’s an OpenAPI specification for the interfaces I am about to cover.
👉 GitHub - axiomatics/xacml-3.0-authz-service-openapi-spec
Background
• ALFA is first and foremost a policy language
• ALFA follows NIST’s ABAC special publication
o SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations | CSRC
• ALFA is based on XACML
o It uses a lightweight syntax similar to Java
• ALFA leverages the JSON Profile of XACML to send/receive authorization requests
o JSON Profile of XACML 3.0 Version 1.1
• The JSON Profile of XACML references the REST Profile of XACML for the actual transport
o REST Profile of XACML v3.0 Version 1.0
• The transport part (HTTP…) is entirely decoupled from the request/response format.
o They’re 2 different specs (see above)
Use Cases
ALFA supports the same authorization use cases as XACML:
• Binary authorization request
o Can Alice view Document #1?
o Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️
• Batch authorization requests
o Can Alice, Bob, and Carol view, edit, or delete documents #1, 2, 3?
o 3x3x3 decisions are returned
o Batch requests are specified in another profile called the Multiple Decision Profile Version 1.0
• ⚠️ Notably, ALFA (and XACML) does not support partial evaluation/search
o This is something vendors have had to build themselves
o Axiomatics has a proprietary API called Reverse Query that implements partial evaluation
Attributes are the core elements of an authorization request
• ALFA is entirely attribute-based
o Therefore, an authorization request is (nearly exclusively) made up of attributes
• An attribute is made up of
o A category e.g. subject
o A datatype e.g. string
o An identifier (a URN) e.g. com.acme.user.name
• Attributes can be multi-valued
o citizenship can contain multiple values e.g. Swiss and Swedish
• ALFA supports
o 4 default categories: subject, action, resource, and environment
– ✅ This corresponds to Cedar’s PARC model and AuthZEN’s current subject/resource/action proposal
o A dozen standard datatypes (see https://alfa.guide/alfa-datatypes/)
• ALFA is extensible
o You can add categories and datatypes if you so desire
o In practice, users stick to subject/action/resource/environment and basic datatypes (string, boolean, numbers, dates)
Authorization Request UML Diagram [diagram image; not reproduced in the text]
Sample Authorization Request: Can Alice Anderson view record 123?
{"Request": {
  "AccessSubject": [{"Attribute": [
    {"AttributeId": "axiomatics.demo.user.userId", "Value": ["Alice Anderson"]}
  ]}],
  "Resource": [{"Attribute": [
    {"AttributeId": "axiomatics.demo.resourceType", "Value": "record"},
    {"AttributeId": "axiomatics.demo.record.recordId", "Value": "123"}
  ]}],
  "Action": [{"Attribute": [
    {"AttributeId": "axiomatics.demo.actionId", "Value": "view"}
  ]}]
}}
Callouts: a request is an array of categories; each category is an array of attributes; an attribute in its simplest form is a key-value pair.
Sample Authorization Request (generic form): Can Dave view record 125?
{"Request": {
  "Category": [
    {"CategoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
     "Attribute": [{"AttributeId": "user.employeeId", "Value": "Dave"}]},
    {"CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
     "Attribute": [{"AttributeId": "action.actionId", "Value": "view"}]},
    {"CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
     "Attribute": [
       {"AttributeId": "object.objectType", "Value": "record"},
       {"AttributeId": "record.recordId", "Value": "125"}]}
  ]
}}
Authorization Response UML Diagram [diagram image; not reproduced in the text]
Features of the Authorization Response
• The response contains an array of results (to be able to support the Multiple Decision Profile)
• Each result contains
o One of 4 possible decisions: Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️
o An optional status that can be used to convey errors e.g. missing attributes or division by zero
o An optional array of obligations and advice
o An optional array of attributes and their values used in the decision making process
o An optional array of identifiers pointing to the policies used in the evaluation process
Additional Features
• An Authorization Request can ask the PDP to return the identifiers of the policies evaluated
o ReturnPolicyIdList
– type boolean; default value is false
– This is useful to trace an evaluation or to understand which policy triggered the final decision
o CombinedDecision
– type boolean; default value is false
– In the event of a Multiple Decision Request e.g. “Can Alice view and/or edit document #123”, rather than the PDP returning 2 decisions (Permit, Deny), those decisions can be combined into a single one.
• Policies can contain obligations & advice, which are additional statements that may be returned alongside a decision e.g.
o Permit + obligation to use MFA
o It’s on the PEP to comply with the obligation
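As an added worked example (not code from this deck or from Axiomatics), the Python below builds JSON Profile requests in both the shorthand member form of the Alice sample and the generic CategoryId form of the Dave sample, adds the ReturnPolicyIdList and CombinedDecision flags described on this slide, and shows how repeating a category turns one request into a Multiple Decision Profile batch (the 3x3x3 case from the Use Cases slide). The helper names and the attribute identifiers in the batch sample (user.name, document.id) are my own; the category URNs are the standard XACML ones that appear in the deck’s samples.

```python
import json
from math import prod

# Category URNs from the XACML core spec. They appear as CategoryId in the
# generic request form; the shorthand form uses the member names on the left.
CATEGORY_URN = {
    "AccessSubject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "Action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "Resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "Environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}


def _attributes(attrs):
    """Turn {attribute id: value} into the profile's Attribute array.
    A list value becomes a multi-valued attribute (citizenship = Swiss, Swedish).
    Strings, numbers and booleans carry no DataType: the JSON profile infers it
    from the JSON type, so only non-inferable types (dates) would need one."""
    return [{"AttributeId": aid, "Value": val} for aid, val in attrs.items()]


def build_request(categories, generic=False, return_policy_ids=False,
                  combined_decision=False):
    """categories maps a member name (AccessSubject, Action, Resource,
    Environment) to one attribute dict, or to a list of dicts when the
    category is repeated (Multiple Decision Profile, repeated categories).
    The two booleans are Request-level flags; false is the default, so they
    are only emitted when true."""
    request = {}
    if return_policy_ids:
        request["ReturnPolicyIdList"] = True
    if combined_decision:
        request["CombinedDecision"] = True
    generic_categories = []
    for name, instances in categories.items():
        if name not in CATEGORY_URN:
            raise ValueError(f"unknown category {name!r}")
        if isinstance(instances, dict):
            instances = [instances]
        objects = [{"Attribute": _attributes(a)} for a in instances]
        if generic:
            for obj in objects:
                generic_categories.append({"CategoryId": CATEGORY_URN[name], **obj})
        else:
            request[name] = objects
    if generic:
        request["Category"] = generic_categories
    return {"Request": request}


def expected_decisions(request):
    """Number of individual results a PDP returns for a shorthand request:
    the cartesian product of the repeated categories (3 x 3 x 3 = 27 in the
    batch sample below). A single-instance request yields 1."""
    req = request["Request"]
    return prod(len(req[name]) for name in CATEGORY_URN if name in req)


# Constructed sample mirroring the deck's question "Can Alice Anderson view record 123?"
ALICE_VIEW_123 = build_request({
    "AccessSubject": {"axiomatics.demo.user.userId": "Alice Anderson"},
    "Resource": {"axiomatics.demo.resourceType": "record",
                 "axiomatics.demo.record.recordId": "123"},
    "Action": {"axiomatics.demo.actionId": "view"},
})

# Constructed batch: 3 users x 3 actions x 3 documents, with policy ids requested.
# The attribute ids user.name, action.actionId and document.id are invented here.
BATCH = build_request({
    "AccessSubject": [{"user.name": u} for u in ("Alice", "Bob", "Carol")],
    "Action": [{"action.actionId": a} for a in ("view", "edit", "delete")],
    "Resource": [{"document.id": d} for d in ("1", "2", "3")],
}, return_policy_ids=True)

if __name__ == "__main__":
    print(json.dumps(ALICE_VIEW_123, indent=2))
    print("decisions expected for the batch:", expected_decisions(BATCH))
```

The builder deliberately refuses unknown category names rather than passing them through: since ALFA is extensible, a deployment that adds a category should add its URN to the map explicitly, so a typo in a PEP cannot silently produce a request the PDP evaluates against the wrong category.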
Sample Authorization Responses
The simplest kind of response (note it’s an array):
{"Response": [
  {"Decision": "Permit"}
]}
A sample response with policy identifiers:
{"Response": [
  {
    "Decision": "Deny",
    "PolicyIdentifierList": {
      "PolicyIdReference": [
        {"Id": "viewRecords.employeesViewRecords", "Version": "1.0"}
      ],
      "PolicySetIdReference": [
        {"Id": "mainRecords.viewRecords", "Version": "1.0"},
        {"Id": "tutorial.main", "Version": "1.0"}
      ]
    }
  }
]}
Sample Authorization Response with Obligations
{"Response": [{
  "Decision": "Deny",
  "AssociatedAdvice": [
    {
      "Id": "tutorial.denyMessage",
      "AttributeAssignment": [
        {
          "AttributeId": "message.denyReason",
          "Value": "Sorry, Dave, you can't do that because you do not have a role",
          "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
        }
      ]
    }
  ]
}]}
This response contains additional statements called obligations (the sample uses AssociatedAdvice, which has the same Id/AttributeAssignment shape as Obligations).
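As an added example (not part of the deck), the Python below is a parser for the response format shown on the last four slides together with a fail-closed PEP check: it reads Decision, Status, PolicyIdentifierList, Obligations and AssociatedAdvice, treats anything other than Permit as a refusal (which is what a two-decision Permit/Deny model amounts to at the PEP), and refuses a Permit whose obligations the PEP cannot discharge, as in the “Permit + obligation to use MFA” case. Two of the samples are the deck’s own responses; the MFA and missing-attribute responses are constructed, and the obligation id tutorial.requireMfa is invented for the example.

```python
import json

DECISIONS = {"Permit", "Deny", "NotApplicable", "Indeterminate"}


def _statements(items):
    """Obligations and AssociatedAdvice share one shape: an Id plus an
    AttributeAssignment array. Flatten the assignments into a dict."""
    return [
        {"id": s["Id"],
         "assignments": {a["AttributeId"]: a["Value"]
                         for a in s.get("AttributeAssignment", [])}}
        for s in items
    ]


def parse_response(payload):
    """Return one record per result in a JSON Profile response. payload is
    the JSON text or an already decoded dict. Unknown decisions are rejected
    rather than mapped, so a malformed PDP reply never reads as Permit."""
    if isinstance(payload, str):
        payload = json.loads(payload)
    results = payload.get("Response") if isinstance(payload, dict) else None
    if not isinstance(results, list):
        raise ValueError('"Response" must be an array of results')
    parsed = []
    for r in results:
        decision = r.get("Decision")
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        ids = r.get("PolicyIdentifierList", {})
        status = r.get("Status", {})
        parsed.append({
            "decision": decision,
            "status_code": status.get("StatusCode", {}).get("Value"),
            "status_message": status.get("StatusMessage"),
            "policies": [p["Id"] for p in ids.get("PolicyIdReference", [])],
            "policy_sets": [p["Id"] for p in ids.get("PolicySetIdReference", [])],
            "obligations": _statements(r.get("Obligations", [])),
            "advice": _statements(r.get("AssociatedAdvice", [])),
        })
    return parsed


def pep_allows(result, fulfillable=frozenset()):
    """Fail-closed enforcement for one result. Only an explicit Permit grants
    access (Deny, NotApplicable and Indeterminate all refuse), and a Permit is
    honoured only if every obligation id is one this PEP knows how to discharge.
    Advice carries no such requirement, so it never affects the outcome."""
    if result["decision"] != "Permit":
        return False
    return all(o["id"] in fulfillable for o in result["obligations"])


# Samples. The first two are the deck's responses; the others are constructed.
DENY_WITH_POLICY_IDS = """{"Response": [{
  "Decision": "Deny",
  "PolicyIdentifierList": {
    "PolicyIdReference": [{"Id": "viewRecords.employeesViewRecords", "Version": "1.0"}],
    "PolicySetIdReference": [{"Id": "mainRecords.viewRecords", "Version": "1.0"},
                             {"Id": "tutorial.main", "Version": "1.0"}]}}]}"""

DENY_WITH_ADVICE = """{"Response": [{
  "Decision": "Deny",
  "AssociatedAdvice": [{"Id": "tutorial.denyMessage", "AttributeAssignment": [
    {"AttributeId": "message.denyReason",
     "Value": "Sorry, Dave, you can't do that because you do not have a role",
     "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"}]}]}]}"""

# Constructed: Permit carrying an obligation (id invented for this example).
PERMIT_WITH_MFA = """{"Response": [{
  "Decision": "Permit",
  "Obligations": [{"Id": "tutorial.requireMfa", "AttributeAssignment": []}]}]}"""

# Constructed: Indeterminate with the standard missing-attribute status code.
INDETERMINATE = """{"Response": [{
  "Decision": "Indeterminate",
  "Status": {"StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"},
             "StatusMessage": "Missing attribute user.role"}}]}"""

if __name__ == "__main__":
    for name, raw in [("policy ids", DENY_WITH_POLICY_IDS), ("advice", DENY_WITH_ADVICE),
                      ("mfa", PERMIT_WITH_MFA), ("indeterminate", INDETERMINATE)]:
        res = parse_response(raw)[0]
        print(name, res["decision"], "allowed:", pep_allows(res, {"tutorial.requireMfa"}))
```

Keeping the obligation allow-list on the PEP side matters: a Permit with an obligation the PEP has never heard of is most often a policy that was updated without the PEP being updated, and the safe reading of that mismatch is a refusal, not a silent grant.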
Simplifications
• Datatypes that can be inferred from JSON e.g. string, integer, double, boolean do not need to be specified
• Some fields that are mandatory in XACML are optional in the JSON representation and have a default value
o E.g. XPathVersion (not very useful in a JSON world)
Features ALFA does not have by design
• You cannot ask the PDP to only consider a subset of policies
o It is not up to the requester to decide what applies to them
• You cannot send the PDP a policy to execute
o It is configured beforehand through different means (see PAP-PDP)
• As previously mentioned, no ‘search’ or partial evaluation
o Vendors e.g. Axiomatics have implemented their own approach
(Cartoon captions on the slide: “No, you don’t get to tell me what the law is.” and “You cannot ride a wooden horse on I-401”.)
Things that could be simplified (and that AuthZEN should do)
• Let’s fully drop features and parameters that are really only meaningful in XACML but not in ALFA or in modern-day, XML-less worlds
• Let’s support 2 decisions only: Permit and Deny
Extending the JSON Profile to support Search
• Essentially, the same request structure could be used.
• One would have to add the desired decision, typically Permit
o What can Alice do?
o Give me the list of items Alice can delete
• Standardizing the request is straightforward
o Standardizing the response is harder
o Is it a filter?
o Is it the list of items?
References
• JSON Profile of XACML 3.0 Version 1.1
• REST Profile of XACML v3.0 Version 1.0
• XACML v3.0 Multiple Decision Profile Version 1.0
• ALFA - the Abbreviated Language for Authorization
• Sample Requests - Postman Collection
Thank you