Extensible Access Control Markup Language is an attribute-based access control policy language or XML-based language, designed to express security policies and access requests to information.
XACML can be used for web services, digital rights management, and enterprise security applications. XACML is sometimes referred to as Extensible Access Control Language.
XACML is used to promote interoperability and common terminology for access control implementations, where access attributes associated with a user are used to decide whether a user may have access to a specific resource.
Instead of an attribute-based access control, XACML can also be used as a role-based access control (RBAC). To be clear, though, XACML does not handle user access, approval, or password management.
XACML simply provides the following:
Ratified by the Organization for the Advancement of Structured Information Standards (OASIS) in February 2003, XACML 1.0 was developed to standardize access control through XML. For example, with XACML, a worker can access several affiliated websites with a single login.
The XACML specifications were developed through a collaborative effort of OASIS members including IBM, Sun Microsystems and Entrust.
The latest version is XACML 3.0, released by OASIS in January 2013.
The following are terms used with XACML policies.
Policy Administration Point (PAP). PAP is the point which manages access authorization policies.
Policy Decision Point (PDP). This is the point where access requests are evaluated against authorization policies before issuing access decisions.
Policy Enforcement Point (PEP). The PEP is where user access requests are intercepted to make a decision request to the PDP.
The typical flow of an XACML request is as follows:
The following is a high-level overview of the various elements that make up an XACML policy.
The structure of XACML is split into the following three sections:
All policy sets, requests and sets of rules use resources, subjects, environments and actions. These are typically denoted in XACML syntax as "attributeID."
XACML language defines a target, which is the conditions for a resource, subject, resource or action that are necessary to meet access requirements and provide an authorization decision.
Since its creation, the XACML Technical Committee has created new profiles to facilitate developer integration, including the following:
With these profiles, integrating authorization into applications has been made much easier for software development teams.
There are a few additional policy languages that have similar functions to XACML.
Similar to XACML, Open Policy Agent (OPA) provides a policy decision point, policy language (Rego) and an externalized authorization. This standard focuses on infrastructure authorization as opposed to API-centric authorization, which XACML covers.
XACML was designed to work in conjunction with Security Assertion Markup Language (SAML), another OASIS standard. SAML defines a means of sharing authentication information, such as user passwords and security clearance, between security systems.
A rules engine -- a program that examines established rules and suggests behaviors that comply with them -- with policies expressed in XACML can compare such information with established criteria to ascertain user rights.
30 Sep 2021