{"id":28112740,"url":"https://github.com/intuit/identity-authz-apl","last_synced_at":"2025-07-23T23:04:47.535Z","repository":{"id":43796911,"uuid":"392045046","full_name":"intuit/identity-authz-apl","owner":"intuit","description":"Attribute-based access control (ABAC), also known as policy-based access control, defines an access control paradigm whereby access rights are granted to users through the use of policies which reason over data in attributes. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.). Read more here - https://en.wikipedia.org/wiki/Attribute-based_access_control  ABAC Policy Language is used by ABAC to author policies. A policy consists of rules, which have \"when\" conditions and \"then\" actions. Policies are executed in a bounded time, goaled to reach a decision as quickly as possible in deterministic, fast and reliable way. Further light-weight execution consumes minimal resources.","archived":false,"fork":false,"pushed_at":"2025-04-23T06:46:06.000Z","size":2663,"stargazers_count":32,"open_issues_count":17,"forks_count":9,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-07-23T07:31:11.246Z","etag":null,"topics":["authorization","authz"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/intuit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-08-02T17:55:23.000Z","updated_at":"2025-07-21T07:13:12.000Z","dependencies_parsed_at":"2025-05-14T05:05:05.546Z","dependency_job_id":"0e03ff7d-d93f-4363-ad54-2c78cb5ea575","html_url":"https://github.com/intuit/identity-authz-apl","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/intuit/identity-authz-apl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intuit%2Fidentity-authz-apl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intuit%2Fidentity-authz-apl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intuit%2Fidentity-authz-apl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intuit%2Fidentity-authz-apl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/intuit","download_url":"https://codeload.github.com/intuit/identity-authz-apl/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intuit%2Fidentity-authz-apl/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266764728,"owners_count":23980612,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-23T02:00:09.312Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","authz"],"created_at":"2025-05-14T05:01:20.716Z","updated_at":"2025-07-23T23:04:47.483Z","avatar_url":"https://github.com/intuit.png","language":"Java","funding_links":[],"categories":["安全"],"sub_categories":[],"readme":"# ABAC Policy Language\n[![Build Status](https://github.com/intuit/identity-authz-apl/actions/workflows/maven.yml/badge.svg)](https://github.com/intuit/identity-authz-apl/actions/workflows/maven.yml)\n[![Coverage](.github/badges/jacoco.svg)](https://github.com/intuit/identity-authz-apl/actions/workflows/maven.yml)\n[![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.intuit.apl/apl-core/badge.svg)](https://maven-badges.herokuapp.com/maven-central/com.intuit.apl/apl-core)\n\n\u003c!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section --\u003e\n[![All Contributors](https://img.shields.io/badge/all_contributors-5-orange.svg?style=flat-square)](#contributors-)\n\u003c!-- ALL-CONTRIBUTORS-BADGE:END --\u003e\n\n\n\n   **_Secure, fast and reliable policies are protecting your resources_**\n   \n   \u003cimg src=\"apl-logo.png\"\u003e\n\n\nHere is a [medium article](https://medium.com/@bala.dutt/abac-policy-language-3d4267d5c653) to get you started in 3mins. This example is also part of unit tests - com.intuit.apl.DoctorPatientTest.\n\nAttribute-based access control (ABAC), also known as policy-based access control, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.). Read more here - https://en.wikipedia.org/wiki/Attribute-based_access_control\n\nABAC Policy Language is used by ABAC to author policies. A policy consists of rules, which have \"when\" conditions and \"then\" actions. Policies are executed in a bounded time, goaled to reach a decision as quickly as possible in deterministic, fast and reliable way. Further light-weight execution consumes minimal resources.\n\n# Hello World\n\nCan a user (Subject) access a report in a given flavour of product?\n\nLet us use ABAC to decide that.\n\nA simple rule allowing admin, standard user or bookkeeper to access the report in a particular flavour of product could be written like this,\n\n```\nrule: CustomDetailedReportQBOPlus #comment ...\ndescription: Allow CustomDetailedReport for QBO Plus\nsalience: 1\nwhen:\n  - containsAnyIgnoreCase({\"admin\", \"user\", \"bookkeeper\"}, sub[\"role\"])\n  - env[\"product\"] == \"QBO\"\n  - env[\"sku\"] == \"PLUS\"\n  - res[\"id\"] == \"CustomDetailedReport\"\nthen:\n  - decision=permit\n```\n\nThis rule has multiple parts. It has a name and description. Salience lets it run at priority. Two conditions in \"when\" check whether suk of the product is PLUS and if resource id is \"CustomDetailedReport\", i.e. the resource on which access is requested.\n\nWhen both the conditions are true, rule is said to fire. On firing of rule, action statements in rule are executed. Here action is to set a deny decision. Once a decision is reached APL engine aborts further rule evaluation.\n\n\nThis project demonstrates how the clients can use standalone policy engine.\n\n# How to use\n\nInclude maven dependency for apl,\n\n```\n    \u003cdependency\u003e\n      \u003cgroupId\u003ecom.intuit.apl\u003c/groupId\u003e\n      \u003cartifactId\u003eapl-core\u003c/artifactId\u003e\n      \u003cversion\u003e0.23\u003c/version\u003e\n    \u003c/dependency\u003e\n```\n\nThe latest release is 0.23.\n\n# How to run sample helloworld\n\n```\ncd samples/helloworld\n```\nBuild it\n```\nmvn clean install\n```\nRun it\n```\nmvn exec:java -Dexec.mainClass=com.sample.apl.HelloWorld\n```\n\n# Features\n\n* Domain Specific Language for policies for ABAC. Conditions are based on attributes, actions can provide decisions and obligations only. No arbitrary logic allowed like network calls, DB access, complex computation.\n* Policies take micro-seconds to give answers and consume less than a kb of heap.\n* Support for functions, attributes\n* Optimized execution, evaluates repeating conditions only once per execution. RETE based algorithm. Stops when a decision is reached.\n* Supports salience in rules. This allows higher priority rules to first get a chance to fire.\n* Ability to explain an execution. You wrote a policy, want to know how a certain decision was made, how a rule got fired, explain can give insights into execution and good troubleshooting information on rules. \n* Quota for policies. Lengthy and slow policies can hog resources. Quota based system ensures that this is not allowed and execution is bounded.\n* Support modularity. Define policies in packages and import them.\n* Supports multiple policy files for a single resource decision making. Easy to combine policies as they are rule based. ABAC allows resource hierarchies where policies for parent resource are also included in decision making.\n* Rules that always evaluate to true or false are detected and highlighted.\n* Inconsistent rules are detected and highlighted.\n* Variables can be used in conditions after values are assigned. Variables are accessed by using $ before a variable. \n* 3 kinds of rules - deny, permit and default rules. Deny rules should have salience higher than permit, which should be higher than default. Also, only one default rule expected. Engine warns on violations.\n\n||Drools|APL|\n|----|---------|------|\n|Type|General purpose, feature rich|Domain specific for ABAC|\n|Execution time|~1ms|~20 μs|\n|Heap per execution|130 KB|\u003c1KB|\n|Jar size|\u003e5MB|45KB (+280KB SPEL, +250KB YAML)|\n\n\n## Upcoming features\n\n* Compile the policies for even faster execution.\n\n\n# Details\n\n[Sample rule file](samples/helloworld/src/main/resources/com/intuit/authorization/my-product-rules.apl)\n\n[Another sample rule file](samples/helloworld/src/main/resources/com/intuit/authorization/common/user.apl)\n\n[Source code for main Java class](samples/helloworld/src/main/java/com/sample/apl/HelloWorld.java)\n\n## Explain\n    APL engine can be asked to explain a policy execution. This explanation provides insights into the policy. Below is a sample explaination.\n    \n------------------\nAPL Explain :\n------------------\n\n    Inputs:\n\n         Subject:                role -\u003e admin,        \n         Resource:               id -\u003e CustomDetailedReport,        \n         Action:                 name -\u003e execute,       \n         Environment:            product -\u003e QBO, sku -\u003e BASIC,       \n\n\n    Variables:\n       \n        Number of varaibles: 16\n        \n        product\n        role\n        bookkeeper\n        CustomDetailedReport\n        admin\n        BASIC\n        ADVANCED\n        2019-05-15\n        2019-05-17\n        resOwnerId\n        yyyy-MM-dd\n        id\n        sku\n        user\n        QBO\n        PLUS\n\n    Stats:\n\n         Rules:                 4\n         Rules Fired:           1\n         Conditions:            15\n         UniqueConditions:      10\n         Actions:               6\n         ExecutedActions:       2\n         HalfBakedRules:        1\n         Parsing(µs):           12924\n         Execution(µs):         133\n         ConditionExecution(µs):109\n         RuleExecution(µs):     23\n\n\n    Execution:\n\n        \n|EXECUTION STEP|CONDITION|OUTPUT|\n|----|---------|------|\n|0|containsAnyIgnoreCase({\"admin\", \"user\", \"bookkeeper\"}, sub[\"role\"])|T|\n|1|env[\"product\"] == \"QBO\" |T|\n|3|res[\"id\"] == \"CustomDetailedReport\"|T|\n|5|env[\"sku\"] == \"BASIC\"|T|\n|2|env[\"sku\"] == \"PLUS\"|F|\n|4|sub[\"id\"] != null|F|\n\n\n        Rules fired:\n\n                                 Name : Deny CustomDetailedReport for QBO Basic\n                                 Description : rule description\n\n        Decision:                DENY\n\n\n\tRules having always false conditions:\n\n                                 Half baked rule\n\n\n\n        Rules having always true conditions :\n\n\n\n        Rete Execute Process:\n\n# Contributing\nFor information on how to contribute to APL, please read through the [contributing guidelines](CONTRIBUTING.md).\n\n# License\nFor information on license, please read through the [license](LICENSE).\n\n\n\n# Contributors ✨\n\n\u003c!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section --\u003e\n[![All Contributors](https://img.shields.io/badge/all_contributors-5-orange.svg?style=flat-square)](#contributors)\n\u003c!-- ALL-CONTRIBUTORS-BADGE:END --\u003e \n\nThanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):\n\n\u003c!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section --\u003e\n\u003c!-- prettier-ignore-start --\u003e\n\u003c!-- markdownlint-disable --\u003e\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003ctd align=\"center\"\u003e\u003ca href=\"https://github.com/ravichauhan03\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/5583335?v=4?s=100\" width=\"100px;\" alt=\"\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eravichauhan03\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/intuit/identity-authz-apl/commits?author=ravichauhan03\" title=\"Code\"\u003e💻\u003c/a\u003e\u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\u003ca href=\"https://github.com/charugarg93\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/31308623?v=4?s=100\" width=\"100px;\" alt=\"\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003echarugarg93\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/intuit/identity-authz-apl/commits?author=charugarg93\" title=\"Code\"\u003e💻\u003c/a\u003e\u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\u003ca href=\"https://www.linkedin.com/in/baladutt/\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/2161684?v=4?s=100\" width=\"100px;\" alt=\"\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eBala Dutt\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/intuit/identity-authz-apl/commits?author=baladutt\" title=\"Code\"\u003e💻\u003c/a\u003e\u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\u003ca href=\"https://github.com/sachinmaheshwari\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/10795268?v=4?s=100\" width=\"100px;\" alt=\"\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eSachin Maheshwari\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/intuit/identity-authz-apl/commits?author=sachinmaheshwari\" title=\"Code\"\u003e💻\u003c/a\u003e\u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\u003ca href=\"https://github.com/raghuscgithub\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/13479033?v=4?s=100\" width=\"100px;\" alt=\"\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eraghusc\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/intuit/identity-authz-apl/commits?author=raghuscgithub\" title=\"Code\"\u003e💻\u003c/a\u003e\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\n\u003c!-- markdownlint-restore --\u003e\n\u003c!-- prettier-ignore-end --\u003e\n\n\u003c!-- ALL-CONTRIBUTORS-LIST:END --\u003e\n\nThis project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fintuit%2Fidentity-authz-apl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fintuit%2Fidentity-authz-apl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fintuit%2Fidentity-authz-apl/lists"}