How Can I Use Booleans in a XACML Target?

The Data Type

The XACML identifier for the boolean data type is and the values accepted are ‘true’, ‘false’, ‘1’ and ‘0’. Note that booleans have to be specified in lowercase characters, so ‘True’ is considered as ‘false’.

XACML inherits the data type from the XML schema which defines it in this document.

Example Attributes

Booleans are great to express the state of certain objects we are using in access control. For instance, we may want to check whether a document is published. This would lead to the creation of an attribute called isPublished. In XACML, try to follow the same convention as in Java and other programming languages in terms of naming your boolean attributes.

Other uses include the ability to express an age via a boolean rather than via the age itself. For instance an attribute called over18.

Policy Example in ALFA

The Abbreviated Language For Authorization (4,5,6) supports the boolean data type as defined in the OASIS XACML Core Specification. Here follows an example of a simple policy with a rule and a target using boolean attributes: 

namespace exampleBoolean {
   policy documentsAccess {
       target clause itemType=="document" and roleType == “employee”
       apply firstApplicable
       rule readDocument {
           target clause isPublished == true


Given that attributes in XACML can be multi-valued (0, 1, or more values), think about what it means to not have a value for a boolean or to have more than 1. For instance if access is allowed if isPublished==true, what happens if there is no value for isPublished? Access would be denied. What happens if isPublished is both true and false? Access would be allowed. What then of negative rules e.g. “Deny if over18 == false”? If we do not know whether the person is over 18, then we will be letting them in. Was that the intended effect?

Think about controlling the number of values for an attribute. This applies to boolean but also other data types. More on that in a future Question of the Week.

Additional Reading

Other Blogs

3 keys to re-evaluate your authorization management
On May 27, I had the pleasure to join the KuppingerCole KCLive event with several industry peers in a panel discussion about  “Enabling the Future...
How OAuth is related to Attribute Based Access Control
What is Authorization? Authorization, also referred to as Access Control, is the process that follows authentication (which checks your identity and ensures that you are...
Modern Enterprise Authorization Management System
Gartner has an interesting article titled “Modernize Your Runtime Authorization” that highlights some aspects you need from a modern enterprise authorization systems. Over the years...