ALFA Datatypes

ALFA policies are made up of attributes. Attributes describe the user attempting the access, the action being attempted, and the object being accessed. Attributes are made up of an identifier, category, and datatype.

ALFA comes with a dozen datatypes and the ability to implement your own custom datatype (simple or complex).

Basic Types

anyURI
    Represents a Uniform Resource Identifier Reference (URI).
    Example: https://alfa.guide

boolean
    Represents a true/false value. It is useful when writing policies that need a specific check, e.g. isAllowed.
    Examples: true, false, 0, and 1.

double
    Patterned after the IEEE double-precision 64-bit floating point type [IEEE 754-1985].
    Example: 3.1415

integer
    A whole number (a minimum of 18 digits must be supported).
    Example: 3145

string
    The default and most commonly used type. A string is a sequence of characters. Strings are case-sensitive.
    Example: I finally invent something that works!

Date & Time datatypes

date
    Represents a specific day in time. A "date object" is an object with year, month, and day properties.
    Example: 2020-01-01

dateTime
    Represents a specific point in time. XACML uses the dateTime type from XML Schema; the formal definition is available at http://www.w3.org/TR/xmlschema-2/#dateTime. The example below represents 12 minutes past noon in the timezone five hours after UTC (that is, US eastern time), on the 10th of October 2002.
    Example: 2002-10-10T12:00:12-05:00

time
    Represents an instant of time that recurs every day. XACML uses the time type from XML Schema; the formal definition is available at http://www.w3.org/TR/xmlschema-2/#time. The example below, 13:20:00-05:00, means 1:20 PM in the timezone 5 hours before UTC.
    Example: 13:20:00-05:00

dayTimeDuration
    Represents a duration of time as a number of days, hours, minutes and seconds. ALFA uses the dayTimeDuration type from XML Schema. To indicate a duration of 3 days, 10 hours and 30 minutes, one writes P3DT10H30M.
    Examples: P13D, PT47H, P3DT2H, -PT35.89S, -P134D, and P4DT251M are all valid. P-134D is not valid, because the minus sign may only appear in front of the P.

yearMonthDuration
    Represents a duration of time expressed in Gregorian years and months. The format is PnYmM.
    Examples: a yearMonthDuration of 1 year and 2 months is written P1Y2M; a yearMonthDuration of minus 13 months is written -P13M.
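The two duration rows above describe the XML Schema lexical forms, including the one invalid example (P-134D). The following validator is an added example written for this guide; it is not code from the ALFA project, and the function names parse_day_time_duration, parse_year_month_duration and is_day_time_duration are this example's own. It encodes the grammar exactly as stated above: an optional sign that may only precede the P, optional day and time components, and a T that must introduce at least one time component.

```python
"""Validators for the XML Schema lexical forms behind ALFA's dayTimeDuration
and yearMonthDuration datatypes (added example, not code from the ALFA guide)."""
import re

# dayTimeDuration: optional sign, "P", optional days, optional "T" time part.
# The sign may only precede "P", so "P-134D" never matches this pattern.
_DAY_TIME = re.compile(
    r"^(?P<sign>-)?P(?:(?P<d>\d+)D)?"
    r"(?P<t>T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+(?:\.\d+)?)S)?)?$"
)
# yearMonthDuration: optional sign, "P", optional years, optional months (PnYmM).
_YEAR_MONTH = re.compile(r"^(?P<sign>-)?P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?$")


def parse_day_time_duration(text: str) -> float:
    """Return the signed length of a dayTimeDuration in seconds.

    Raises ValueError for any string that is not a valid lexical form.
    """
    m = _DAY_TIME.match(text)
    if m is None:
        raise ValueError(f"not a dayTimeDuration: {text!r}")
    fields = [m.group(k) for k in ("d", "h", "m", "s")]
    if not any(fields):
        raise ValueError(f"no duration components: {text!r}")  # "P" or "-P"
    if m.group("t") == "T":
        raise ValueError(f"'T' must introduce a time component: {text!r}")  # "P1DT"
    days, hours, minutes, seconds = (float(f) if f else 0.0 for f in fields)
    total = days * 86400 + hours * 3600 + minutes * 60 + seconds
    return -total if m.group("sign") else total


def parse_year_month_duration(text: str) -> int:
    """Return the signed length of a yearMonthDuration in months."""
    m = _YEAR_MONTH.match(text)
    if m is None or not (m.group("y") or m.group("mo")):
        raise ValueError(f"not a yearMonthDuration: {text!r}")
    months = int(m.group("y") or 0) * 12 + int(m.group("mo") or 0)
    return -months if m.group("sign") else months


def is_day_time_duration(text: str) -> bool:
    """Boolean form of the check, convenient when validating attribute values."""
    try:
        parse_day_time_duration(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The guide's own examples: the first six are valid, "P-134D" is not.
    for sample in ["P13D", "PT47H", "P3DT2H", "-PT35.89S", "-P134D", "P4DT251M", "P-134D"]:
        if is_day_time_duration(sample):
            print(f"{sample:>10}  ok  {parse_day_time_duration(sample):.2f} s")
        else:
            print(f"{sample:>10}  INVALID")
    print("P1Y2M =", parse_year_month_duration("P1Y2M"), "months")
```

Validating attribute values this way before they reach a policy is worthwhile: a PIP that hands the PDP a malformed duration typically causes the comparison function to report Indeterminate rather than a clean deny.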

Advanced datatypes

dnsName
    Represents a Domain Name Service (DNS) host name, with an optional port or port range. The syntax SHALL be:
        dnsName = hostname [ ":" portrange ]
    The hostname is formatted in accordance with IETF RFC 2396 "Uniform Resource Identifiers (URI): Generic Syntax", section 3.2, except that a wildcard "*" may be used in the left-most component of the hostname to indicate "any subdomain" under the domain specified to its right.
    For both the ipAddress and dnsName datatypes, the port or port range syntax SHALL be:
        portrange = portnumber | "-"portnumber | portnumber"-"[portnumber]
    where portnumber is a decimal port number. A range of the form -x, where x is a port number, means all ports numbered x and below; a range of the form x- means all ports numbered x and above. This syntax is taken from the Java SocketPermission class.
    Example: example.com:8081

ipAddress
    Represents an IPv4 or IPv6 network address, with an optional mask and an optional port or port range. The syntax SHALL be:
        ipAddress = address [ "/" mask ] [ ":" [ portrange ] ]
    For an IPv4 address, the address and mask are formatted in accordance with the syntax for a "host" in IETF RFC 2396 "Uniform Resource Identifiers (URI): Generic Syntax", section 3.2. For an IPv6 address, the address and mask are formatted in accordance with the syntax for an "ipv6reference" in IETF RFC 2732 "Format for Literal IPv6 Addresses in URL's" (note that an IPv6 address or mask, in this syntax, is enclosed in literal "[" and "]" brackets).
    Example: 127.0.0.1

x500Name
    Represents an ITU-T Rec. X.520 Distinguished Name. The valid syntax for such a name is described in IETF RFC 2253 "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names".
    Example: CN=Steve Kille,O=Isode Limited,C=GB

rfc822Name
    Represents an electronic mail address. The valid syntax for such a name is described in IETF RFC 2821, Section 4.1.2, Command Argument Syntax, under the term Mailbox.
    Example: [email protected]

hexBinary
    Represents arbitrary hex-encoded binary data. The value space of hexBinary is the set of finite-length sequences of binary octets.
    Example: 0CD7

base64Binary
    Represents Base64-encoded arbitrary binary data. The value space of base64Binary is the set of finite-length sequences of binary octets. The entire binary stream is encoded using the Base64 alphabet of RFC 2045.
    Example: SGVsbG8gV29ybGQh

xpath
    Represents an XPath expression over the XML held in an element. The syntax is defined by the XPath W3C recommendation. The content of this datatype also includes the context in which namespace prefixes in the expression are resolved, which distinguishes it from a plain string, and the XACML attribute category of the element to which it applies. When the value is encoded in an element, the namespace context is given by that element, and an XML attribute called XPathCategory gives the category of the element to which the expression applies.
    Example: md:record/md:patient/md:patientDoB
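The dnsName and ipAddress rows carry the most intricate syntax on this page: the shared portrange grammar with its open-ended "-x" and "x-" forms, the left-most-label wildcard, dotted-quad and bracketed IPv6 masks. The parser and matcher below is an added example written for this guide, not code from the ALFA project or any XACML engine; the names parse_portrange, DnsName, IpAddress and their methods are this example's own, and the sample values in the tests are constructed. It goes slightly beyond the rows above in that it also rejects non-contiguous masks and out-of-order port ranges, which the grammar alone does not forbid.

```python
"""Parser and matcher for the dnsName and ipAddress lexical forms described
above (added example; not code from the ALFA guide or an ALFA implementation)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

PortRange = Tuple[int, int]
# portrange = portnumber | "-"portnumber | portnumber"-"[portnumber]
_PORTRANGE = re.compile(r"^(?:(?P<lo>\d+)-(?P<hi>\d+)?|-(?P<below>\d+)|(?P<one>\d+))$")


def parse_portrange(text: str) -> PortRange:
    """'8081' -> (8081, 8081); '-1023' -> (0, 1023); '1024-' -> (1024, 65535)."""
    m = _PORTRANGE.match(text)
    if m is None:
        raise ValueError(f"bad port range: {text!r}")
    if m.group("one"):
        lo = hi = int(m.group("one"))
    elif m.group("below"):          # "-x": every port numbered x and below
        lo, hi = 0, int(m.group("below"))
    else:                           # "x-" or "x-y": x and above, or the closed range
        lo = int(m.group("lo"))
        hi = int(m.group("hi")) if m.group("hi") else 65535
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return lo, hi


def _port_ok(ports: Optional[PortRange], port: Optional[int]) -> bool:
    # A value without a port range applies to any port.
    return ports is None or (port is not None and ports[0] <= port <= ports[1])


@dataclass(frozen=True)
class DnsName:
    hostname: str                 # lower-cased; the left-most label may be "*"
    ports: Optional[PortRange]

    @classmethod
    def parse(cls, text: str) -> "DnsName":
        host, sep, ports = text.partition(":")
        labels = host.lower().split(".")
        if any(label == "" for label in labels):
            raise ValueError(f"bad hostname: {text!r}")
        if "*" in host and (labels[0] != "*" or "*" in host[1:]):
            raise ValueError(f"'*' is only allowed as the left-most label: {text!r}")
        return cls(host.lower(), parse_portrange(ports) if sep else None)

    def matches(self, host: str, port: Optional[int] = None) -> bool:
        """True when host (and port, if given) fall inside this dnsName value."""
        host = host.lower()
        if self.hostname.startswith("*."):
            # "*" covers any subdomain under the suffix, not the suffix itself.
            name_ok = host.endswith(self.hostname[1:])
        else:
            name_ok = host == self.hostname
        return name_ok and _port_ok(self.ports, port)


def _take_address(text: str) -> Tuple[str, str]:
    """Split a leading IPv4 literal or bracketed IPv6 reference from the rest."""
    if text.startswith("["):
        end = text.index("]")
        return text[1:end], text[end + 1:]
    m = re.match(r"[0-9.]+", text)
    if m is None:
        raise ValueError(f"bad address: {text!r}")
    return m.group(0), text[m.end():]


def _prefix_from_mask(mask: str, width: int) -> int:
    """Turn a dotted-quad or IPv6 netmask into a prefix length, rejecting holes."""
    bits = int(ipaddress.ip_address(mask))
    prefix = bin(bits).count("1")
    if bits != ((1 << width) - 1) ^ ((1 << (width - prefix)) - 1):
        raise ValueError(f"non-contiguous mask: {mask!r}")
    return prefix


@dataclass(frozen=True)
class IpAddress:
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    ports: Optional[PortRange]

    @classmethod
    def parse(cls, text: str) -> "IpAddress":
        # ipAddress = address [ "/" mask ] [ ":" [ portrange ] ]
        addr, rest = _take_address(text)
        ip = ipaddress.ip_address(addr)
        prefix = ip.max_prefixlen          # no mask: a single host
        if rest.startswith("/"):
            mask, rest = _take_address(rest[1:])
            prefix = _prefix_from_mask(mask, ip.max_prefixlen)
        ports = None
        if rest.startswith(":"):
            ports, rest = (parse_portrange(rest[1:]) if rest[1:] else None), ""
        if rest:
            raise ValueError(f"unexpected trailing text in ipAddress: {text!r}")
        return cls(ipaddress.ip_network(f"{ip}/{prefix}", strict=False), ports)

    def matches(self, address: str, port: Optional[int] = None) -> bool:
        return ipaddress.ip_address(address) in self.network and _port_ok(self.ports, port)
```

Two behaviours are worth checking in any engine you rely on: a wildcard value such as *.alfa.guide matches www.alfa.guide but not alfa.guide itself, and a value with no port part applies to every port, so a policy that means "only the HTTPS port" has to say so explicitly (example.com:443).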

Casting attributes to their type

To compare an attribute against a literal of its type, use the "value":type notation. For instance, user.DoB == "2015-10-21":date.

This does not apply to string, boolean, integer, and double, whose literals can be used directly:

  • riskScore == 5: the risk score is equal to the integer '5'.
  • balance > 200.00: the account balance is greater than 200. Note the decimal notation to force the value into being a double rather than an integer.
  • location == "Hill Valley": the location is equal to the beautiful town of Hill Valley.
  • certified == true: the user's certified status is equal to true.
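The four bullets above, together with the "value":type notation, amount to a small literal grammar: bare integers, decimals that become doubles, true/false, quoted strings, and quoted strings followed by a cast to a typed datatype. The recogniser below is an added example written for this guide; it mirrors the rules stated in this section rather than the ALFA compiler's own grammar, and the names parse_literal and literal_type are this example's own. Python's datetime parsers stand in for the XML Schema date, dateTime and time lexical checks, and only those casts plus anyURI are wired up; the duration, address and binary types would be added to the same table.

```python
"""Recogniser for the ALFA literal syntax described in this section
(added example; not code from the ALFA guide or the ALFA compiler)."""
import re
from datetime import date, datetime, time
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

_QUOTED = r'"(?P<body>(?:[^"\\]|\\.)*)"'
_CAST = re.compile(rf"^{_QUOTED}:(?P<type>[A-Za-z][A-Za-z0-9]*)$")
_STRING = re.compile(rf"^{_QUOTED}$")
_INTEGER = re.compile(r"^-?\d+$")
_DOUBLE = re.compile(r"^-?\d+\.\d+$")   # the decimal point is what makes 200.00 a double


def _any_uri(text: str) -> str:
    # Minimal check: a URI reference used as a policy value should carry a scheme.
    if not urlsplit(text).scheme:
        raise ValueError(f"anyURI without a scheme: {text!r}")
    return text


# Converters for the typed datatypes; each raises ValueError on a bad lexical form.
# Other datatypes (durations, ipAddress, hexBinary, ...) would be registered here.
_CASTS: Dict[str, Callable[[str], Any]] = {
    "date": date.fromisoformat,
    "dateTime": datetime.fromisoformat,
    "time": time.fromisoformat,
    "anyURI": _any_uri,
}


def parse_literal(token: str) -> Tuple[Any, str]:
    """Return (value, datatype name) for one ALFA literal token.

    Raises ValueError when the token is not a literal or the cast does not parse.
    """
    token = token.strip()
    m = _CAST.match(token)
    if m:                                   # "value":type
        typename = m.group("type")
        if typename not in _CASTS:
            raise ValueError(f"unknown datatype in cast: {typename}")
        return _CASTS[typename](m.group("body")), typename
    m = _STRING.match(token)
    if m:                                   # "Hill Valley"
        return m.group("body").replace('\\"', '"'), "string"
    if token in ("true", "false"):          # certified == true
        return token == "true", "boolean"
    if _INTEGER.match(token):               # riskScore == 5
        return int(token), "integer"
    if _DOUBLE.match(token):                # balance > 200.00
        return float(token), "double"
    raise ValueError(f"not an ALFA literal: {token!r}")


def literal_type(token: str) -> Optional[str]:
    """Datatype name of a token, or None when it is not a valid literal."""
    try:
        return parse_literal(token)[1]
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in ['5', '200.00', '"Hill Valley"', 'true', '"2015-10-21":date', '5:date']:
        print(f"{sample:<24} -> {literal_type(sample)}")
```

Note that a cast applies only to a quoted literal: 5:date is rejected, and "nonsense":date fails in the converter rather than silently becoming a string, which is the behaviour you want from a policy compiler.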

Casting in a policy

    namespace guide.alfa {
        attribute website {
            id = "guide.alfa.website"
            category = resourceCat
            type = anyURI
        }
        policy exampleCast {
            apply firstApplicable
            rule allowWebsite {
                target clause website == "https://alfa.guide":anyURI
                permit
            }
        }
    }

Converting attributes to a different type

It is sometimes necessary to convert attribute values from one type to another, for example from integer to double or from string to a date or time type. As a best practice, avoid converting and manipulating values in the policies themselves and delegate that data processing to the PIPs. Nonetheless, ALFA comes with a long list of functions that convert from one type to another.