The Simplified Policy Language

The simplified policy language allows for authoring authorization policies without the need to know anything about XACML.

A policy is a permit or deny rule permitting or denying a subject to perform an action on a resource. The subject is described by a set of attributes which can be, for example, FQANs, DNs, CAs, etc. The syntax of the simplified policy language is:

resource <value> {
    action <value> {
        rule <permit|deny> {

Curly brackets are always required and there are no other characters used to structure the definition of policies (e.g. spaces or tabs can be both used for indentation, new lines are not required therefore a one-line definition is correct, etc.).

A rule is applied when it matches the request, therefore when the resource and action values (they are regular expressions) and the rule attributes (with the given values) are found in the request. List of attributes inside a rule are ANDed, list of attributes of different rules are ORed.

Only one rule is applied at a time, that is the first matching rule. That means that order matters.

That's all, check the Examples section to learn from some practical examples.

Supported Attributes

List of supported attribute identifiers:
  • subject a Distinguished Name, the format is described in RFC2253 (example: subject="CN=Mario Rossi,L=TEST,OU=Personal Certificate,O=TEST,C=IT")
  • fqan (example: fqan=/vo_test/analysis)
  • pfqan (example: fqan=/vo_test/Role=administrator)
  • ca


Ban policies

Typically a ban policy is needed in order to deny a subject who may have permit policies somewhere. Therefore a ban policies should be placed at the top and defined for any action on all the resources.

resource ".*" {
    action ".*" {
        rule deny { subject = "CN=Alberto Forti,L=CNAF,OU=Personal Certificate,O=INFN,C=IT" }
        rule deny { fqan = /dteam/test }
Edit | Attach | Watch | Print version | History: r12 < r11 < r10 < r9 < r8 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r9 - 2009-09-21 - unknown
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EGEE All webs login

This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright & by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback