Authorization rule language
Extensible Style Language (XSL) is the language that specifies rules. Extensible Markup Language (XML) is used for the data that forms an input to the rules. The combination of XML and XSL provides a platform-independent way to express both the inputs to the rules evaluator and the rules themselves.
XML also supports expressing complex data types in a structured and standard manner in text format. This text format allows rules for processing the XML data to be written without having to cater to platform and programming language specifics.
XSL is a functional style sheet language that can be used for simple or complex tasks, depending on your needs. XSL possesses an inherent ability to analyze and evaluate XML data, which is becoming the standard for data representation in e-business models. XSL is built on other XML-based standards such as XPath, which is the expression language at the core of an authorization rule.
To implement rules-based authorization policy, it is necessary to impose a number of constraints on the XSL rules. These constraints include the requirements that the output of the rule evaluation is simple text and that the output conforms to one of a known set of result strings. See Format and constraints of rules.
It is also necessary to impose constraints on the XML input document that is built as input to the rule evaluation. The ADI XML document model enables the authorization engine to detect when ADI is missing. The ADI might need to be requested from the resource manager or an external entity through the dynamic ADI retrieval service interface.
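The two rule constraints above, shown as a stand-alone XSLT 1.0 stylesheet. This is an added example, not code from the product or its documentation. The result strings `!TRUE!` and `!FALSE!`, the `XMLADI` root element, and the ADI names `PrintJob` and `Requester` are assumptions that this page does not define; check them against Format and constraints of rules. Denying when an ADI item is absent is a choice made for this example.

```xslt
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Constructed input document (sample ADI, not from the page):

    <XMLADI>
      <PrintJob><Owner>alice</Owner><Pages>12</Pages></PrintJob>
      <Requester><Name>alice</Name><PageQuota>20</PageQuota></Requester>
    </XMLADI>

  Expected result for that input: !TRUE!
  Remove any one of the four leaf elements and the result is !FALSE!.
-->
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <!-- Constraint 1: the evaluation result is simple text, never markup. -->
  <xsl:output method="text" encoding="UTF-8"/>

  <!-- Matching the document root means every input, including one with an
       unexpected root element, still ends in one of the result strings. -->
  <xsl:template match="/">
    <xsl:variable name="job" select="XMLADI/PrintJob"/>
    <xsl:variable name="req" select="XMLADI/Requester"/>

    <!-- Constraint 2: every branch emits exactly one known result string,
         with no surrounding whitespace and no ADI values copied through. -->
    <xsl:choose>
      <!-- Test for presence before using any value, so a missing ADI item
           is an explicit denial rather than a side effect of comparison. -->
      <xsl:when test="not($job/Owner and $job/Pages
                          and $req/Name and $req/PageQuota)">!FALSE!</xsl:when>

      <!-- number() yields NaN for non-numeric text; any comparison with NaN
           is false, so malformed values fall through to the final branch. -->
      <xsl:when test="$job/Owner = $req/Name
                      and number($job/Pages) &lt;= number($req/PageQuota)">!TRUE!</xsl:when>

      <xsl:otherwise>!FALSE!</xsl:otherwise>
    </xsl:choose>
  </xsl:template>

</xsl:stylesheet>
```

Any XSLT 1.0 processor can evaluate it outside the authorization engine, for example `xsltproc rule.xsl adi.xml` with the sample document saved as `adi.xml` (both file names are hypothetical).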
- ADI XML document model
The ADI XML document model (or ADI XML model) is a set of restrictions placed on the XSL/XML model by the authorization rules implementation. The ADI XML model enables the interface to be simple and yet functional for authorization purposes.
- XML access decision information
By default, the rule evaluator automatically transforms into XML format any name-value pair attributes passed to it by the calling application. The attributes were identified as target access decision information (ADI) for the current evaluation.
- XML namespace definitions
XML namespaces differentiate between XML items with the same name. XML namespaces also group XML data of the same type or function. The same principles can be used with ADI that is defined for use with authorization rules.