Active Control Policy Language (ACPL)

NextLabs’ Active Control Policy Language (ACPL) is a fourth-generation policy language (4GL) based on the XACML standard for access control. It’s the underlying language of NextLabs Control Center, the platform that allows users to express and manage information control policies.

What is 4GL and why do you need it?

4GL is a non-procedural language that uses a natural-language syntax similar to English. It eliminates much of the complexity of authoring policies in other languages such as 3GLs, which require a considerable amount of programming knowledge. With a 3GL, policies are first formulated by business users and then have to be implemented in a policy management system with the help of a programmer, so there is a lot of back and forth between the business users and the programmers before the policies become a reality.

On the other hand, policies written in 4GL are simple to learn, understand, write, and maintain. That means business users can create and maintain policies on their own without needing a technical expert.

How are ACPL and XACML related?

XACML (eXtensible Access Control Markup Language) is an OASIS standard that describes both a policy language and an access control decision request/response language (both written in XML). XACML defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model for evaluating access requests according to the rules defined in policies.

ACPL follows the XACML standard, making ACPL easy to understand if you’re familiar with XACML. Additionally, ACPL’s natural-language syntax simplifies the way ABAC policies are authored and managed. As a result, the unique combination of XACML and 4GL positions ACPL to be the industry standard going forward.

What does ACPL look like?

ACPL is based on a natural language syntax (4GL), combining several predefined “parts of speech” into statements that follow grammatical rules to create meaningful expressions of policy concepts.

ACPL provides two distinct sub-languages: a Policy Rule Language (PRL) to write rules and a Policy Definition Language (PDL) to define components:

  1. A Rule (Policy) defines access control over a specific class of resources, given a specific class of actions, by a specific class of subjects. Rules are based on the XACML standard and written by business users to capture business requirements.
  2. A Component is a named definition that represents a category or class of entities, such as users, data resources, or applications; or of actions, such as Open or Copy. Components are reusable business terms and conditions used to define the basic elements of a policy:
  • Subject: Entities requesting access to a resource (e.g., “US persons”)
  • Resource: Data, service, or system component (e.g., “all .docx files” or “ITAR Files”)
  • Action: Defines how the subject wants to access the requested resource (e.g., “Edit”)
  • Obligation: Specifies some result, such as event logging or distribution of an email notification, that will be triggered whenever the policy is enforced
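The rule-and-component structure described above, as an added example that is not NextLabs code and does not use ACPL syntax: a small Python model of a decision point in which components are named, reusable predicates over XACML-style attribute bags, a rule combines one subject, resource and action component with an effect and obligations, and evaluation returns the decision together with the obligations the enforcement point must carry out. The attribute names (citizenship, classifications, name), the sample components and the deny-overrides combining are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]  # an XACML-style attribute bag for a subject, resource or action

@dataclass
class Component:            # a named, reusable class of subjects, resources or actions
    name: str
    matches: Callable[[Attrs], bool]

@dataclass
class Rule:                 # access control over a resource class, for an action class, by a subject class
    name: str
    subject: Component
    resource: Component
    action: Component
    effect: str             # "Permit" or "Deny"
    obligations: List[str] = field(default_factory=list)

    def applies(self, s: Attrs, r: Attrs, a: Attrs) -> bool:
        return self.subject.matches(s) and self.resource.matches(r) and self.action.matches(a)

def evaluate(rules: List[Rule], s: Attrs, r: Attrs, a: Attrs) -> Tuple[str, List[str]]:
    """Deny-overrides combining (assumed): any applicable Deny wins, else the first Permit, else Deny.
    The winning rule's obligations are returned for the enforcement point to carry out."""
    permit = None
    for rule in rules:
        if not rule.applies(s, r, a):
            continue
        if rule.effect == "Deny":
            return "Deny", list(rule.obligations)
        if permit is None:
            permit = list(rule.obligations)
    return ("Permit", permit) if permit is not None else ("Deny", [])

# Components are written once (constructed here from the page's own examples) and reused by every rule.
US_PERSONS = Component("US persons", lambda s: s.get("citizenship") == "US")
NON_US_PERSONS = Component("Non-US persons", lambda s: s.get("citizenship") != "US")
ANYONE = Component("Anyone", lambda s: True)
ITAR_FILES = Component("ITAR Files", lambda r: "ITAR" in r.get("classifications", ()))
DOCX_FILES = Component("all .docx files", lambda r: str(r.get("name", "")).endswith(".docx"))
EDIT = Component("Edit", lambda a: a.get("name") == "Edit")
ANY_ACTION = Component("Any action", lambda a: True)

POLICIES = [
    Rule("Non-US persons may not access ITAR files", NON_US_PERSONS, ITAR_FILES, ANY_ACTION,
         "Deny", ["log event", "email export-control officer"]),
    Rule("US persons may edit ITAR files", US_PERSONS, ITAR_FILES, EDIT, "Permit", ["log event"]),
    Rule("Anyone may edit .docx files", ANYONE, DOCX_FILES, EDIT, "Permit"),
]
```

Because the Deny rule is evaluated against every request, a non-US person editing an ITAR .docx file is refused even though the generic .docx rule would permit it, and the logging and notification obligations come back with the decision.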

Why should you care about ACPL?

The main reasons to use ACPL are:

  • Business Friendly: ACPL functions as a common access control policy language for both business and IT users. For more information, see Active Control Policy Language Made for Business Users.
  • Simplicity: ACPL is much simpler for a businessperson to use without any technical knowledge. It takes very little time to learn, understand, and write ACPL policies.
  • Reusability: ACPL is a component-based policy language, which means that you need only create subject, action, and resource components once to use them in all of your policies. These reusable components are also easy to understand and create.

How do you use it?

ACPL is exposed through the platform’s Policy Studio UI and is the language that makes everything possible in NextLabs’ Dynamic Authorization platform (CloudAz). Policy Studio allows organizations to create, manage, and configure policies that govern access control and data security across the enterprise. Policy Validator is used to test and validate the policies created in Policy Studio, to ensure they work as intended before they are deployed.