SPDL Language Brief Introduction

SPDL stands for Security Policy Definition Language, or Speedle Policy Definition Language (as a recursive acronym). It is the core component of Speedle open source project.

SPDL supports two types of policies, authorization policy and role mapping policy (sometimes we call it role policy). Authorization Policy is used to grant certain permissions (i.e. resource + action) to a subject/subjects, while role mapping policy is used to assign a role to a subject/subjects. for example, an authorization policy may say “all registered users can borrow book”, in SPDL the policy can be defined like this “grant role RegisteredUser borrow book”. a role mapping policy may say “user William is a registered user”, in SPDL the policy can be defined like this “grant user William role RegisteredUser”. Please note that I treat registered user a role in the policy model.

Role hierarchy is supported by SPDL. Users can assign a role to another role. for example, in a company there could be employee role and manager role. Users granted with manager role have employee role automatically. i.e. a manager is an employee too. In this case we can create a role mapping policy like this “grant role Manager role Employee”.

Condition is another very useful feature. It defines when the grant (or deny) happens. For example, in the library system mentioned above, a certain type of users can only borrow book at the weekend. Then we can create a new role for this type of users, say WeekendUser. Translate the rules into SPDL: grant role WeekendUser borrow book if request_weekday in (‘Saturday’, ‘Sunday’). In this authorization policy, we use built-in attribute request_weekday. During policy evaluation, the policy engine will check whether the condition request_weekday in (‘Saturday’, ‘Sunday’) is satisfied. If it does, the grant takes effect, otherwise it doesn’t take effect. The condition part can be an arbitrary expression. It means you can create a complex expression like if (A==B) and (C>D) or ((E <=F) and functionC(…)).

Sometimes it’s useful to use condition in role mapping policy. For example, Tony is a part time employee of 7–11. He works from 10 pm to 8 am. In SPDL, we can say “grant user Tony role PartTimeEmployee if request_hour > 22 or request_hour < 8”.

For these who don’t like RBAC, of course, you can grant a permission (resource + action) to a user/group directly. for example, grant user William borrow book. You can add condition to the policy (for ABAC model), say grant user William borrow book if request_weekend in (‘Saturday’, ‘Sunday’).

Deny effect is useful for certain cases. Sometimes we want to explicitly forbid someone to do something. Then use Deny effect. For example, deny user William borrow book if request_weekend in (‘Saturday’). With such a policy exists in policy store, even if William is allowed to borrow book in other policies, the policy engine will return DENY result when William tries to borrow book on Saturday.

Above is what I want to share today. There are quite a few advanced features in SPDL. Please check the documentation at https://speedle.io/docs. Feel free to raise your questions at our slack workspace.