Angel \”Java\” Lopez on Blog

December 18, 2012

First Ideas for a Claim Rule Engine

Filed under: AjSharp, C Sharp, Claims, Federated Security, Open Source Projects, Rule Engine — ajlopez @ 4:29 pm

I am looking for applications of my scripting languages. I want to use AjLang, the core of AjSharp, written in C#. One use case could be a claim rule engine. To understand what I have in mind, and the federated security jargon/landscape, see:

The Role of the Claims Engine
The Role of the Claim Rule Language
The Role of Claim Rules
The Role of the Claims Pipeline
The Role of Claims

Given a set of input claims, the system should produce a set of output claims, using user defined rules. A rule could be written as:

rule RuleEmail
   description “….”
when
   claim cmail
   cmail in InputClaims
   cmail.Type == “email” 
   cmail.Value.EndsWith(
“@acme.com”)
then
   claim cname = new Claim(…. )
   // more cname processing, maybe extracting a value from email
   OutputClaims.Add(cname)
end rule

Something like my example at https://github.com/ajlopez/AjRools/blob/master/Src/AjRools.Expert/AjRools.Expert.Tests/Files/SimpleRule.txt but more oriented to C# syntax (i.e. the use of native .EndsWith in the above example)

If I had omitted cmail in InputClaims, the claim will be searched in all claim sets.

Additional item: to have a web interface to edit and browse rules.

The rules would be executed in order. I could write rule sets, to group rules to be executed. For example: Identity Provider rule set, to be applied to the claim set provider by an IP, i.e. Windows Live, Yahoo, etc. Or a Relying Party rule set, defined by application: accounting system, human resource system, finance, etc..

In the “then” part, additional functions could be call. The functions would be added by the developer to the rule engine environment, maybe with dynamic loading of a library. Then, the actions will be extensible by code. The “when” part could use additional predicates, too. But the base idea is to have an initial set of predicates and actions that cover the main use cases: testing property values, creating new claims, setting their property values, adding to a claim set (InputClaims, OutputClaims or any other set defined by the programmer).

One thing to decide: what happens if there are TWO or more claims that satisfy then when clause? the rule should fire only once? or n times? I remember the cut operator from Prolog, but I guess it could be simpler. I should explore the use cases.

No time allocated for these ideas, yet. But keep tuned!

Angel “Java” Lopez
http://www.ajlopez.com
http://twitter.com/ajlopez

Blog at WordPress.com.