Axiomatics, a leading vendor in the market of Dynamic Authorization Management systems – sometimes called either Entitlement Management or Policy servers – has recently released a new tool called the ALFA plugin for Eclipse IDE. ALFA stands for “Axiomatics Language for Authorization”.
With that tool, Axiomatics allows developers to author XACML 3.0 policies in the widely used Eclipse environment, using a syntax which is close to commonly used programming languages like Java or C#.
This is a pretty nice tool which closes a gap around XACML development. Instead of having programmers create XACML policies in XACML by hand or use the administrative tools to create the policies with drag-and-drop approaches, they can create policies the way they are used to – in an environment they are used to.
And ALFA is far less complex to use than native XACML. There is a nice video available which demonstrates creating a 107-line XACML file with 19 lines of ALFA code (pseudocode, to be correct). Other interesting features include support for Eclipse functionality such as syntax checking and auto-complete, which make it easier to create policies.
Axiomatics again, as with their Axiomatics Reverse Query (ARQ), proves that they are thought leaders around XACML. They address one of the challenges around the use of XACML and Dynamic Authorization Management in general with that tool.
You might raise the question whether the developer really should create XACML policies. The answer is: it depends. In an ideal world, these policies are defined by the business in a way that completely hides the underlying policy language like XACML. But there are use cases where developers might create the policies, especially for point solutions. And many of today’s projects are developer-centric and targeted at specific use cases. So there is a clear value ALFA provides. But all of these are needed: ALFA for developers, tools for administrators with some XACML knowledge, and simple tools for the business that are integrated with approval workflows and into the overall policy and access management approaches.
For developers, there is a need for approaches like ALFA. That’s one important piece in making Dynamic Authorization Management easier to implement and use. The other piece is PEPs (Policy Enforcement Points), which allow relying on XACML policies without knowing anything about XACML. So ideally a request to a Dynamic Authorization Management system is little more than a line of code calling a method, and the backend should be fully transparent to the caller.
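To make the PEP idea concrete, here is an added sketch (not Axiomatics code and not from the original post) of a PEP that reduces an authorization check to a one-line decorator while building a XACML 3.0 JSON-profile style request behind the scenes. The `Pep` class, `stub_pdp` backend and the sample subjects are assumptions constructed for illustration; anything other than an explicit Permit, including a PDP failure, is treated as a denial.

```python
from functools import wraps

# Standard XACML attribute identifiers
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

class AccessDenied(Exception):
    """Raised by the PEP when the PDP does not return an explicit Permit."""

def build_request(subject, action, resource):
    """Build a request shaped like the XACML 3.0 JSON profile."""
    def category(attr_id, value):
        return {"Attribute": [{"AttributeId": attr_id, "Value": value}]}
    return {"Request": {"AccessSubject": category(SUBJECT_ID, subject),
                        "Action": category(ACTION_ID, action),
                        "Resource": category(RESOURCE_ID, resource)}}

class Pep:
    def __init__(self, pdp):
        self.pdp = pdp  # hypothetical backend: callable(request dict) -> response dict

    def is_permitted(self, subject, action, resource):
        try:
            response = self.pdp(build_request(subject, action, resource))
            decision = response["Response"][0]["Decision"]
        except Exception:
            return False  # PDP unreachable or malformed reply: fail closed
        # Deny, NotApplicable and Indeterminate are all treated as "no"
        return decision == "Permit"

    def protect(self, action, resource):
        """Decorator: the wrapped function's first argument is the subject."""
        def decorator(func):
            @wraps(func)
            def wrapper(subject, *args, **kwargs):
                if not self.is_permitted(subject, action, resource):
                    raise AccessDenied(f"{subject} may not {action} {resource}")
                return func(subject, *args, **kwargs)
            return wrapper
        return decorator

def stub_pdp(request):
    """Constructed stand-in for a real PDP: only alice may read."""
    req = request["Request"]
    subject = req["AccessSubject"]["Attribute"][0]["Value"]
    action = req["Action"]["Attribute"][0]["Value"]
    permit = (subject, action) == ("alice", "read")
    return {"Response": [{"Decision": "Permit" if permit else "NotApplicable"}]}

pep = Pep(stub_pdp)

@pep.protect("read", "patient-record")
def read_record(subject):
    return f"record contents for {subject}"
```

A production PEP would also have to process any obligations returned with the decision and deny access if it cannot fulfil them.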
Axiomatics is making good progress in making XACML easy (i.e. transparent) to use – by improving user interfaces, by more PEPs out-of-the-box, by ALFA. That is the right approach, I think.