Constant Expressions
Enforcer 6.0 introduces general purpose constant expressions, which can be referenced and reused throughout authorization policies.
Extracting decision logic into named constants improves the readability of your authorization policies and keeps a single definition for values and tests that several policies share.
Examples
Define constant values to use throughout policies.
let BronzeMembership:integer = 1
let SilverMembership:integer = BronzeMembership + 1
let GoldMembership:integer = SilverMembership + 1
Use expressions in target clauses and conditions.
namespace AcmeCorp {
import Oasis.Attributes.*
let OfficeOpeningTime:time = "08:00:00":time
let OfficeClosingTime:time = "18:00:00":time
let InWorkingHours:boolean = CurrentTime >= OfficeOpeningTime and
CurrentTime <= OfficeClosingTime
condition IsEmployee Subject.Role == "employee"
policy officeDoorPolicy {
target clause Resource == "mainDoor"
condition InWorkingHours and IsEmployee
permit
}
}
Create formatted messages for obligations or advice.
let LogMessage:string = Single(Subject.Name) + " opened door " + Single(Resource)
policy doorPolicy {
// rules omitted...
on permit {
obligation AuditDoorAccess {
Message = LogMessage
}
}
}
Create reusable filters for Structured Attributes.
namespace AcmeCorp {
type doorPermission {
Action:string
Name:string
}
attribute doorAccessPermissions { type=doorPermission category=subjectCat }
// Keep only the permission entries whose Name matches the requested resource
let PermissionsForThisDoor:bag[doorPermission] = doorAccessPermissions[Name == Oasis.Attributes.Resource]
// Compare the Action of those entries against the action being requested
condition CanUseThisDoor PermissionsForThisDoor.Action == Oasis.Attributes.Action
}
Syntax
All constant expressions begin with the let keyword, followed by the name of the expression, a colon and its type, and finally an expression that returns a value. The = symbol between the type declaration and the value is optional; both of the following forms are equivalent.
let Identifier:type = Expression
let Identifier:type Expression
Constant expressions must declare the type of value they return, which can be any primitive type or structured type. The syntax for declaring a bag of values is bag[type-name]. The 'bagginess' of the declared type must match the value the expression returns: there is no implicit conversion between bags and single values, so a bag-valued expression cannot be assigned to a constant declared with a single-valued type, and a single value cannot be assigned to a constant declared as a bag.
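The following snippet is an added illustration of the bag-versus-single rule and of the optional = sign; it is not taken from the original page or from the Enforcer product. It assumes the Oasis.Attributes import and the bag-valued Subject.Name attribute used in the examples above, and the Single() function shown in the LogMessage example, which reduces a bag to one value.

```alfa
namespace AcmeCorp {
    import Oasis.Attributes.*

    // Subject.Name may carry several values (assumed bag-valued, as in the
    // LogMessage example), so a constant that keeps the attribute as-is must
    // be declared as a bag.
    let SubjectNames:bag[string] = Subject.Name

    // Declaring a single-valued type for a bag expression is rejected,
    // because there is no implicit bag-to-single conversion:
    //   let SubjectName:string = Subject.Name        // rejected: bag vs single
    // Reduce the bag explicitly instead:
    let SubjectName:string = Single(Subject.Name)

    // The opposite mismatch is rejected as well:
    //   let AlsoWrong:bag[string] = Single(Subject.Name)   // rejected: single vs bag

    // The = is optional; this form declares a constant in exactly the same way.
    let Greeting:string "Hello, " + SubjectName

    // Named conditions can use the reduced single value like any other string.
    condition IsAlice SubjectName == "alice"
}
```

Keep the bag form (SubjectNames) when a later filter or comparison needs all of the attribute's values, and reach for Single() only where the policy genuinely expects one value, such as when building an obligation message.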