banking.alfa
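namespace axiomatics.demo{
    import System

    /*
     * Access to TRANSACTIONS (ADAF).
     *
     * Applies only to requests whose table_name is "TRANSACTIONS". The two
     * child policies are combined with denyOverrides, so a Deny from either
     * one wins over a Permit from the other.
     *
     * NOTE(review): a request that matches no rule ends as NotApplicable, and
     * stringOneAndOnly() raises an error (Indeterminate) when an attribute is
     * missing or multi-valued. This file cannot show how the enforcement point
     * handles those two outcomes; confirm it grants access on Permit only.
     */
    policyset transactions{
        target clause table_name == "TRANSACTIONS"
        apply denyOverrides

        /*
         * Policy for viewing transactions.
         *
         * denyOverrides: the three deny rules below take precedence over every
         * permit rule, including the manager rule.
         */
        policy select{
            target clause action_id == "SELECT"
            apply denyOverrides

            /* Deny if the transaction is approved (applies to every role). */
            rule denyApproved{
                target clause transaction.status == "approved"
                deny
                on deny{
                    advice decision_reason {
                        reason = "Deny if the transaction is approved"
                    }
                }
            }

            /*
             * Deny access to the amount field if the user is not the owner.
             * No role is exempt: managers and tellers are also denied AMOUNT
             * on transactions they do not own.
             */
            rule denyAmount{
                target clause column_name == "AMOUNT"
                condition not(stringOneAndOnly(transaction.owner) == stringOneAndOnly(user.userId))
                deny
                on deny{
                    advice decision_reason {
                        reason = "Deny access to the amount field if the user is not the owner"
                    }
                }
            }

            /*
             * Mask the credit card number.
             * The rule itself is an unconditional Deny on the CREDITCARD column
             * for every subject; masking is only named in the advice text.
             * NOTE(review): presumably the data access filter turns this Deny
             * into a masked value rather than a failed query; confirm.
             */
            rule maskCC{
                target clause column_name == "CREDITCARD"
                deny
                on deny{
                    advice decision_reason {
                        reason = "Mask the credit card number"
                    }
                }
            }

            /*
             * Managers can view transactions.
             * Despite the advice text, this Permit is still overridden by
             * denyApproved, denyAmount and maskCC above.
             */
            rule Managers{
                target clause user.role == "manager"
                permit
                on permit{
                    advice decision_reason {
                        reason = "Managers can view all transactions"
                    }
                }
            }

            /* Tellers can access transactions in their own region. */
            rule Tellers{
                target clause user.role == "teller"
                condition stringOneAndOnly(transaction.region) == stringOneAndOnly(user.region)
                permit
                on permit{
                    advice decision_reason {
                        reason = "Tellers can access transactions in their own region"
                    }
                }
            }

            /*
             * Users can view their own transactions.
             * The rule has no target, so it is evaluated for every subject
             * regardless of role.
             */
            rule users{
                condition stringOneAndOnly(transaction.owner) == stringOneAndOnly(user.userId)
                permit
                on permit{
                    advice decision_reason {
                        reason = "Users can view their own transactions"
                    }
                }
            }
        }

        /*
         * Policy for approving transactions.
         *
         * firstApplicable with a single permit rule and no explicit deny: any
         * request the rule does not permit ends as NotApplicable, not Deny.
         *
         * NOTE(review): the action value here is lower-case "approve" while the
         * select policy matches upper-case "SELECT"; confirm both match what the
         * enforcement point actually sends.
         */
        policy approve{
            target clause action_id == "approve"
            apply firstApplicable

            /*
             * Tellers can approve transactions in their own region for
             * transactions they do not own and where the teller's approval
             * limit is greater than or equal to the amount of the transaction.
             */
            rule approveTransaction{
                target clause user.role == "teller"
                // The "not the owner" check is the separation-of-duty control.
                // It uses stringOneAndOnly() on both sides, as denyAmount does,
                // so a missing or multi-valued userId/owner yields Indeterminate.
                // A bare bag comparison inside not(...) is expected to evaluate
                // to false when either attribute is absent, which would satisfy
                // the check and fail open.
                // NOTE(review): the limit comparison is left as written because
                // the attribute types are not declared in this file; confirm it
                // cannot match when approvalLimit or amount is missing.
                condition stringOneAndOnly(transaction.region) == stringOneAndOnly(user.region) &&
                          not(stringOneAndOnly(user.userId) == stringOneAndOnly(transaction.owner)) &&
                          user.approvalLimit >= transaction.amount
                permit
                on permit{
                    advice decision_reason {
                        reason = "Tellers can approve transactions in their own region for transactions they do not own and where the Tellers approval limit is greater than or equal to the amount of the transaction"
                    }
                }
            }
        }
    }
}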