The Policy Engine: Compiling ABAC Rules into Abstract Syntax Trees

• By ObjectOS Engineering

"Security as a Primitive" means security cannot be an afterthought. In ObjectOS, the access control system is an Attribute-Based Access Control (ABAC) engine that sits directly in front of the Data Access Layer.

Instead of fetching data and then filtering it in application code (an approach that is slow and makes pagination both unreliable and unsafe), ObjectOS compiles the security rules into the database query itself.

1. Defining Policies (The DSL)

Permissions are defined as declarative rules (Sharing Rules):

# policies/sales_rep.yaml
target: sales_order
rule:
  - effect: allow
    action: [read, update]
    condition:
      owner: "{user.id}"
      amount:
        $lt: 10000

2. The Compiler: Predicate Push-Down

When a user executes objectos.find('sales_order'), the Kernel intercepts the call.

  1. Context Resolution: It extracts the User ID (u_123) from the Context.
  2. Rule Eval: It finds all matching rules for this user role.
  3. AST Injection: It converts the YAML condition into an ObjectQL Abstract Syntax Tree (AST).

Conceptually, the query is rewritten:

From: SELECT * FROM sales_order
To:   SELECT * FROM sales_order WHERE (owner = 'u_123' AND amount < 10000)

Dealing with Complexity (OR vs AND)

If a user has multiple roles (e.g., "Sales Rep" AND "Regional Manager"), the Compiler combines the ASTs using OR logic.

-- Compiled Query
SELECT * FROM sales_order
WHERE 
  -- Role: Sales Rep
  (owner = 'u_123' AND amount < 10000)
  OR
  -- Role: Regional Manager
  (region = 'North-East')

3. Field-Level Security AST

ObjectOS also supports Field-Level Security (FLS). If a user cannot see the margin field, we don't just "hide" it in the UI. We strip it from the SELECT clause.

The Query Planner iterates through the requested fields:

// Keep only the fields this user is allowed to read; the policy engine decides per field.
const allowedFields = requestedFields.filter(field =>
  policyEngine.can(user, 'read_field', 'sales_order', field)
);
// Generates: SELECT id, date, amount FROM ... (omits 'margin')

4. Performance Implications

This "compile-time" (query-construction time) approach has massive performance benefits over middleware filtering:

  1. Database Index Usage: because the security rules become WHERE clauses, the database can use its indices (idx_owner, idx_region) to narrow the scan. Middleware filtering has to read the whole table.
  2. Correct Pagination: LIMIT 10 returns exactly 10 accessible records, rather than fetching 1000 rows and filtering them down to 3.

5. Conclusion

Security in ObjectOS is a compiler problem. By transforming high-level ABAC policies into low-level SQL AST nodes, we ensure that Performance and Security do not trade off against each other. You get both.