How to define 4 eyes principle in ALFA (/XACML)?

Question

I like to how a 4 eyes principle can be defined in ALFA. (Axiomatics)

For example: A bank employee wants to create a new account for a customer. He can create it, fill in all the client information and settings. But he needs to be unable to activate this account, unless his manager has approved him to do so.

So, when the bank employee presses the "activate account" button, a policy needs to enforce that his manager has to approve this first. Sounds like an obligation to me, or are there better ways to enforce this with a policy?

Can somebody give me an ALFA example how to doe this?

Answer 1

This is a great question. There are two ways you can do this. As you pointed out, you could use an obligation. Your policy would be as follows:

• a user with the role==employee can do the action==activate on a resource of type==bank account if and only the employee created the account --> PERMIT + obligation "pop up approval dialog for manager to sign the activation".

If the PEP fails to comply with the obligation then the account cannot be activated (the decision is switched to a DENY).

Doing so, though, gives the PEP a lot of work (the obligation to implement) and it creates a synchronous flow.

An alternative is to create another attribute to be used in the policy. That attribute could be managerApproved and employeeApproved. That creates an asynchronous flow but it means that you need to keep the values of managerApproved and employeeApproved in a database somewhere.

The policies would become:

• a user with the role==employee can do the action==activate on a resource of type==bank account if and only the employee created the account --> PERMIT + obligation "email the manager a link to approve the activation".
• a user with the role == employee can do the action==activate on a resource of type==bank account if and only if isManagerApproved==true
• a user with the role==manager can do the action==approve on a resource of type==bank account if and only if the creator is in the list of subordinates.