
Use of math in ALFA

How to get a rule like that working:

rule adminCanViewAllExams {
        condition (integerOneAndOnly( & 0x00000040)  == 0  

Syntax highlighter complains it doesn't know those items:


(adding OP's comment inside the question)

I want to keep as much as possible in my current application. Meaning, I don't want to change a lot in my database model. I just want to implement the PEP and PDP part new. So, currently the rights of the user are stored in a Long. Each bit in the number represents a right. To get the right we do a binary &-operation which masks the other bits in the Long. We might redesign this part, but it's still good to know how far the support for mathematical operations goes.


  • XACML does not support bitwise logic. It can do boolean logic (AND and OR) but that's about it.

    To achieve what you are looking for, you could use a Policy Information Point which would take in and 0x00000040. It would return an attribute called allowed.

    Alternatively, you can extend XACML (and ALFA) to add missing datatypes and functions. But I would recommend going for human-readable policies.
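
The Policy Information Point approach from the answer above, sketched as an added example (not code from the original answer or from any XACML product). It does the bitwise test outside the policy and returns `allowed`, plus a bag of readable permission names. The record layout, the attribute names and the bit-to-name mapping are assumptions; only the mask 0x00000040 comes from the page.

```python
# Added illustration: a PIP that turns the legacy rights bitmask into
# attributes a XACML/ALFA policy can test without bitwise logic.
# All names are hypothetical; only the mask 0x00000040 comes from the page.

MASK_64 = (1 << 64) - 1  # the rights value is stored in a signed 64-bit Long

# Assumed bit -> permission mapping (0x40's meaning is inferred from the rule name).
RIGHT_NAMES = {
    0x00000001: "viewOwnExams",       # constructed sample
    0x00000040: "viewAllExams",       # mask from the question
    0x8000000000000000: "superUser",  # constructed sample: the Long's sign bit
}


def decode_rights(stored):
    """Return (sorted known permission names, unknown bits) for a stored Long."""
    if isinstance(stored, bool) or not isinstance(stored, int):
        raise TypeError("rights must be an integer")
    if not -(1 << 63) <= stored < (1 << 63):
        raise ValueError("rights value does not fit a signed 64-bit Long")
    bits = stored & MASK_64  # a negative Long becomes its unsigned bit pattern
    names = sorted(name for mask, name in RIGHT_NAMES.items() if bits & mask)
    known = 0
    for mask in RIGHT_NAMES:
        known |= mask
    return names, bits & ~known


def resolve_attributes(user_record, mask=None):
    """PIP entry point: attributes handed to the PDP for one subject.

    Fails closed: a missing or malformed rights value yields no permissions.
    """
    try:
        names, unknown = decode_rights(user_record.get("rights"))
    except (TypeError, ValueError):
        return {"permissions": [], "allowed": False, "unknownBits": 0}
    bits = user_record["rights"] & MASK_64
    # "allowed" is true only when every bit of the requested mask is set.
    allowed = mask is not None and (bits & mask) == mask
    return {"permissions": names, "allowed": allowed, "unknownBits": unknown}
```

A policy can then test the boolean `allowed` or look for a name in the `permissions` bag, both of which standard XACML functions cover. A non-zero `unknownBits` is worth logging, since it means the database holds rights the mapping does not describe.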