XACML
The eXtensible Access Control Markup Language (XACML) is an XML-based standard markup language for specifying access control policies. The standard, published by OASIS, defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.[2]
| Paradigm | Declarative programming |
|---|---|
| Developer | Organization for the Advancement of Structured Information Standards (OASIS) |
| First appeared | April 16, 2001[1] |
| License | OASIS |
| Filename extensions | .xml , .alfa |
| Website | www.oasis-open.org |
| Major implementations | |
| Axiomatics, AuthzForce | |
| Dialects | |
| ALFA (XACML) | |
| Influenced by | |
| XML, SAML | |
| Influenced | |
| ALFA (XACML) | |
XACML is primarily an attribute-based access control system. In XACML, attributes – information about the subject accessing a resource, the resource to be addressed, and the environment – act as inputs for the decision of whether access is granted or not.[3] XACML can also be used to implement role-based access control.[4]
In XACML, access control decisions to be taken are expressed as Rules. Each Rule comprises a series of conditions which decide whether a given request is approved or not. If a Rule is applicable to a request but the conditions within the Rule fail to evaluate, the result is Indeterminate. Rules are grouped together in Policies, and a PolicySet contains Policies and possibly other PolicySets. Each of these also includes a Target, a simple condition that determines whether it should be evaluated for a given request. Combining algorithms can be used to combine Rules and Policies with potentially differing results in various ways. XACML also supports obligations and advice expressions. Obligations specify actions which must be executed during the processing of a request, for example for logging. Advice expressions are similar, but may be ignored.[3]
XACML separates access control functionality into several components. Each operating environment in which access control is used has a Policy Enforcement Point (PEP) which implements the functionality to demand authorization and to grant or deny access to resources. These refer to an environment-independent and central Policy Decision Point (PDP) which actually makes the decision on whether access is granted. The PDP refers to policies stored in the Policy Retrieval Point (PRP). Policies are managed through a Policy Administration Point (PAP).[3]
Version 3.0 was ratified by OASIS in January 2013.[5]
See also
References
- Best, Karl (16 April 2001). "OASIS TC call for participation: XACML". OASIS. Retrieved 31 October 2016.
- "pure-xacml". www.axiomatics.com. Retrieved 2016-04-27.
- Ferraiolo, David; Chandramouli, Ramaswamy; Hu, Vincent; Kuhn, Rick (October 2016). A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications (Report). National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-178.
- See for example De la Rosa Algarín, Alberto; Ziminski, Timoteus B.; Demurjian 1, Steven A.; Kuykendall, Robert; Rivera Sánchez, Yaira K. (2013). Defining and Enforcing XACML Role-based Security Policies within an XML Security Framework. Proceedings of the 9th International Conference on Web Information Systems and Technologies. doi:10.5220/0004366200160025.
- eXtensible Access Control Markup Language (XACML) V3.0 approved as an OASIS Standard, eXtensible Access Control Markup Language (XACML) V3.0 approved as an OASIS Standard.