Permit.io just published the results of a survey they conducted with over 200 developers on access control. There's lots of good data there, but one thing that struck me is that over 50% of developers said that they've never used any of the popular policy languages. I was wondering why that could be and came up with a few reasons why policy languages often feel foreign and frustrating:
This is because a lot of the languages (OPA Rego, XACML, Oso Polar) are built as declarative languages, not imperative programming languages. In addition, Rego builds on top of Datalog, which makes it even harder to understand. What we need is human-readable, hierarchical, and constrained policy languages. ALFA (and the future ALFA 2.0 in the works at IETF) gives you that. It's easy enough for anyone to at least read and most to write. Check out the samples on alfa.guide and let me know what you think.