XACML

Paradigm: Declarative programming
Developer: Organization for the Advancement of Structured Information Standards (OASIS)
First appeared: April 16, 2001 [1]
License: OASIS
Filename extensions: .xml, .alfa
Website: www.oasis-open.org
Major implementations: Axiomatics, AuthzForce
Dialects: ALFA (XACML)
Influenced by: XML, SAML
Influenced: ALFA (XACML)

The eXtensible Access Control Markup Language (XACML) is an XML-based standard markup language for specifying access control policies. The standard, published by OASIS, defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies. [2]

XACML is primarily an attribute-based access control system. In XACML, attributes (information about the subject accessing a resource, the resource to be addressed, and the environment) act as inputs for the decision of whether access is granted or not. [3] XACML can also be used to implement role-based access control. [4]

In XACML, access control decisions to be taken are expressed as Rules. Each Rule comprises a series of conditions which decide whether a given request is approved or not. If a Rule is applicable to a request but the conditions within the Rule fail to evaluate, the result is Indeterminate. Rules are grouped together in Policies, and a PolicySet contains Policies and possibly other PolicySets. Each of these also includes a Target, a simple condition that determines whether it should be evaluated for a given request. Combining algorithms can be used to combine Rules and Policies with potentially differing results in various ways. XACML also supports obligations and advice expressions. Obligations specify actions which must be executed during the processing of a request, for example for logging. Advice expressions are similar, but may be ignored. [3]

XACML separates access control functionality into several components. Each operating environment in which access control is used has a Policy Enforcement Point (PEP) which implements the functionality to demand authorization and to grant or deny access to resources. These refer to an environment-independent and central Policy Decision Point (PDP) which actually makes the decision on whether access is granted. The PDP refers to policies stored in the Policy Retrieval Point (PRP). Policies are managed through a Policy Administration Point (PAP). [3]

Version 3.0 was ratified by OASIS in January 2013. [5]

History

Version 1.0 was ratified by the OASIS standards organization in 2003.

Version 2.0 was ratified by the OASIS standards organization on February 1, 2005.

Version 3.0 was ratified by OASIS in January 2013.

Architecture

Terminology

Non-normative terminology (following RFC 2904, except for PAP)

Abbr. | Term | Description
PAP | Policy Administration Point | Point which manages access authorization policies
PDP | Policy Decision Point | Point which evaluates access requests against authorization policies before issuing access decisions
PEP | Policy Enforcement Point | Point which intercepts user's access request to a resource, makes a decision request to the PDP to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision
PIP | Policy Information Point | The system entity that acts as a source of attribute values (i.e. a resource, subject, environment)
PRP | Policy Retrieval Point | Point where the XACML access authorization policies are stored, typically a database or the filesystem.

Flow

[Figure: the XACML architecture and a sample authorization flow.]
  1. A user sends a request which is intercepted by the Policy Enforcement Point (PEP)
  2. The PEP converts the request into a XACML authorization request
  3. The PEP forwards the authorization request to the Policy Decision Point (PDP)
  4. The PDP evaluates the authorization request against the policies it is configured with. The policies are acquired via the Policy Retrieval Point (PRP) and managed by the Policy Administration Point (PAP). If needed it also retrieves attribute values from underlying Policy Information Points (PIP).
  5. The PDP reaches a decision (Permit / Deny / NotApplicable / Indeterminate) and returns it to the PEP

Policy elements

Structural elements

XACML is structured into 3 levels of elements: PolicySet, Policy, and Rule.

A policy set can contain any number of policy elements and policy set elements. A policy can contain any number of rule elements.

Attributes and categories

Policies, policy sets, rules and requests all use subjects, resources, environments, and actions.

Targets

XACML provides a target, which is basically a set of simplified conditions for the subject, resource, and action that must be met for a policy set, policy, or rule to apply to a given request. Once a policy or policy set is found to apply to a given request, its rules are evaluated to determine the access decision and response.

In addition to being a way to check applicability, target information also provides a way to index policies, which is useful if you need to store many policies and then quickly sift through them to find which ones apply. When a request to access that service arrives, the PDP will know where to look for policies that might apply to this request because the policies are indexed based on their target constraints. Note that a target may also specify that it applies to any request.

Policy set, policy and rule can all contain target elements.

Conditions

Conditions only exist in rules. Conditions are essentially an advanced form of a target which can use a broader range of functions and more importantly can be used to compare two or more attributes together, e.g. subject-id==doctor-id. With conditions, it is possible to implement segregation of duty checks or relationship-based access control.

Obligations & Advice

Within XACML, a concept called obligations can be used. An obligation is a directive from the policy decision point (PDP) to the policy enforcement point (PEP) on what must be carried out before or after an access is approved. If the PEP is unable to comply with the directive, the approved access may or must not be realized. The augmentation of obligations eliminates a gap between formal requirements and policy enforcement. An example of an obligation could look like this:

Access control rule:
    Allow access to resource MedicalJournal with attribute patientID=x
        if Subject match DesignatedDoctorOfPatient
        and action is read
    with obligation
        on Permit: doLog_Inform(patientID, Subject, time)
        on Deny  : doLog_UnauthorizedLogin(patientID, Subject, time)

The XACML's obligation can be an effective way to meet formal requirements (non-repudiation for example) that can be hard to implement as access control rules. Furthermore, any formal requirements will be part of the access control policy as obligations and not as separate functions, which makes policies consistent and centralization of the IT environment easier to achieve.

Obligations can be used for "break-the-glass" scenarios or trust elevation ("you cannot transfer $1,000 without two-factor authentication - here is the link to the 2FA page").

In addition to obligations, XACML supports advice, which is identical to obligations except that a PEP is not obligated to enforce the advice (hence its name).

Combining algorithms

What happens in XACML if there are two rules (or policies) that contradict each other? Imagine for instance a first rule that would say managers can view documents and a second rule that would say no one can work before 9am. What if the request is about Alice trying to view a document at 8am? Which rule wins? This is what combining algorithms tell us. They help resolve conflicts.

XACML defines a number of combining algorithms that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an access decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an access decision given the individual results of evaluation of a set of policies.
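The conflict described above, worked through in Python as an added example (not part of the original article or of any XACML implementation). The two rules and the request attributes are constructed, and the combiners are simplified forms of the standard's deny-overrides, permit-overrides, first-applicable, deny-unless-permit and permit-unless-deny algorithms that do not model the extended Indeterminate values of XACML 3.0.

```python
from datetime import time
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


P, D, NA, IND = (Decision.PERMIT, Decision.DENY,
                 Decision.NOT_APPLICABLE, Decision.INDETERMINATE)

# Constructed rules mirroring the text, each as (effect, target, condition).
RULES = [
    # Rule 1: managers can view documents.
    (P, lambda r: r["action"] == "view" and r["resource_type"] == "document",
        lambda r: r["role"] == "manager"),
    # Rule 2: no one can work before 9am (empty target: applies to any request).
    (D, lambda r: True,
        lambda r: r["time"] < time(9, 0)),
]


def evaluate_rule(rule, request):
    """Target miss or false condition -> NotApplicable; evaluation error -> Indeterminate."""
    effect, target, condition = rule
    try:
        if not target(request):
            return NA
        return effect if condition(request) else NA
    except KeyError:
        # Assumption: a missing attribute is treated as an evaluation error.
        return IND


def deny_overrides(results):
    if D in results:
        return D
    if IND in results:
        return IND
    return P if P in results else NA


def permit_overrides(results):
    if P in results:
        return P
    if IND in results:
        return IND
    return D if D in results else NA


def first_applicable(results):
    # The first rule (in policy order) that is not NotApplicable decides.
    return next((r for r in results if r is not NA), NA)


def deny_unless_permit(results):
    return P if P in results else D      # never NotApplicable or Indeterminate


def permit_unless_deny(results):
    return D if D in results else P      # open by default


ALGORITHMS = {
    "deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
    "first-applicable": first_applicable,
    "deny-unless-permit": deny_unless_permit,
    "permit-unless-deny": permit_unless_deny,
}


def decide(request, algorithm):
    results = [evaluate_rule(rule, request) for rule in RULES]
    return ALGORITHMS[algorithm](results)


# Constructed requests.
ALICE_8AM = {"role": "manager", "action": "view",
             "resource_type": "document", "time": time(8, 0)}
# Same request, but the PEP could not supply the current time.
ALICE_NO_CLOCK = {k: v for k, v in ALICE_8AM.items() if k != "time"}
# Neither rule applies to a clerk at 10am.
BOB_10AM = {"role": "clerk", "action": "view",
            "resource_type": "document", "time": time(10, 0)}

if __name__ == "__main__":
    for name in ALGORITHMS:
        print(f"{name:20} Alice@8am={decide(ALICE_8AM, name).value:14} "
              f"no-clock={decide(ALICE_NO_CLOCK, name).value:14} "
              f"Bob@10am={decide(BOB_10AM, name).value}")
```

The same two rules yield Deny or Permit for Alice at 8am depending only on the combining algorithm, and permit-unless-deny grants access to a request that no rule matched.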

Functions

XACML defines a long list of functions (close to 300) to manipulate and compare attributes to other attributes and values:

The functions and their identifiers are fully described in the standard. Functions are type-specific i.e. there is a function for string equality and a different one for integer equality.

Equality, inequality and other matching functions

Arithmetic functions

Refer to the standard for a formal definition of these functions.

String functions

Refer to the standard for a formal definition of these functions.

Logical functions (and, or, not)

Set and bag functions

Regular expression functions

XPath functions

Higher order functions

The list of higher order functions is as listed below. For a formal definition, refer to the XACML standard.

XACML 3.0

Schema

http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd

Data types

New in XACML 3.0

New profiles

XACML 3.0 introduces administrative delegation, the JSON Profile of XACML (request/response), the REST Profile of XACML, the Multiple Decision Profile of XACML, and many more.

Delegation

The implementation of delegation is new in XACML 3.0. The delegation mechanism is used to support decentralized administration of access policies. It allows an authority (delegator) to delegate all or parts of its own authority or someone else's authority to another user (delegate) without any need to involve modification of the root policy.

This is because, in this delegation model, the delegation rights are separated from the access rights. These are instead referred to as administrative control policies. Access control and administrative policies work together as in the following scenario:

A partnership of companies' many services are protected by an access control system. The system implements the following central rules to protect its resources and to allow delegation:

Access control rules:
    Allow access
        to resource with attribute WebService
        if subject is Employee and action is read or write.
Administration control rules:
    Allow delegation of access control rule #1
        to subjects with attribute Consultant.
    Conditions:
        delegation must expire within 6 months,
        resource must not have attribute StrictlyInternal.

(Attributes can be fetched from an external source, e.g. an LDAP catalog.)

When a consultant enters the corporation, a delegation can be issued locally by the consultant's supervisor, authorizing the consultant access to systems directly.

The delegator (the supervisor in this scenario) may only have the right to delegate a limited set of access rights to consultants.

Other features

Other new features of XACML 3.0 are listed at http://www.webfarmr.eu/2010/07/enhancements-and-new-features-in-xacml-3-axiomatics/

The XACML TC is also publishing a list of changes here: http://wiki.oasis-open.org/xacml/DifferencesBetweenXACML2.0AndXACML3.0

Sample policies

Date and time-based authorization in XACML

This rule implements the use-it-lose-it access control paradigm. If a user does not log in for 30 days, then they lose access.

In pseudo-code: deny if currentDateTime > lastLogin + 30 days

<Rule RuleId="f6637b3f-3690-4cce-989c-2ce9c053d6fa" Effect="Deny">
  <Description>Use it or lose it: this policy denies access if lastLogin is more than 30 days away from today's date</Description>
  <Target/>
  <Condition>
    <!-- any-of applies the named function as f(lastLogin + P30D, currentDateTime),
         so dateTime-less-than is true when currentDateTime > lastLogin + 30 days -->
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than"/>
      <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:dateTime-add-dayTimeDuration">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only">
          <AttributeDesignator
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="com.acme.user.lastLogin"
            DataType="http://www.w3.org/2001/XMLSchema#dateTime" MustBePresent="false"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dayTimeDuration">P30D</AttributeValue>
      </Apply>
      <AttributeDesignator
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
        AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
        DataType="http://www.w3.org/2001/XMLSchema#dateTime" MustBePresent="false"/>
    </Apply>
  </Condition>
</Rule>

Time-based authorization in XACML

This rule grants access if the current time is greater than 9am and less than 5pm.

<Rule RuleId="c01d7519-be21-4985-88d8-10941f44590a" Effect="Permit">
  <Description>Allow if time between 9 and 5</Description>
  <Target>
    <!-- In a Match, the literal AttributeValue is the first argument and the
         designated attribute the second: time-less-than(09:00:00, current-time) -->
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
          <AttributeDesignator
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
            AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
            MustBePresent="false"
            DataType="http://www.w3.org/2001/XMLSchema#time"/>
        </Match>
      </AllOf>
    </AnyOf>
    <!-- time-greater-than(17:00:00, current-time): the current time is before 5pm -->
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
          <AttributeDesignator
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
            AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
            MustBePresent="false"
            DataType="http://www.w3.org/2001/XMLSchema#time"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
</Rule>

Sample requests and responses

XACML 3.0 request

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
      <xacml-ctx:Attribute AttributeId="actionId" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <xacml-ctx:Attribute AttributeId="resource-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doc#123</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <xacml-ctx:Attribute AttributeId="user.identifier" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

XACML 3.0 responses

XACML 3.0 sample response

<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Result>
    <xacml-ctx:Decision>NotApplicable</xacml-ctx:Decision>
    <xacml-ctx:Status>
      <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-ctx:Status>
  </xacml-ctx:Result>
</xacml-ctx:Response>

XACML 3.0 sample response with obligation

The following contains an Obligation block. Obligations are statements that can be returned along with a decision to enrich the decision flow. In this example, the PEP must log that access was granted.

<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Result>
    <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
    <xacml-ctx:Status>
      <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-ctx:Status>
    <xacml-ctx:Obligations>
      <xacml-ctx:Obligation ObligationId="logAccess">
      </xacml-ctx:Obligation>
    </xacml-ctx:Obligations>
    <xacml-ctx:PolicyIdentifierList>
      <xacml-ctx:PolicyIdReference Version="1.0">http://www.axiomatics.com/automatic-unique-id/18a9eae9-c92b-4087-b2ac-c5a33d7ff477</xacml-ctx:PolicyIdReference>
    </xacml-ctx:PolicyIdentifierList>
  </xacml-ctx:Result>
</xacml-ctx:Response>
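How a PEP can act on such a response, as an added Python example (not code from the original article or from any XACML product). It assumes a deny-biased PEP: access is granted only for a Permit whose obligations were all recognised and carried out. The handler registry, `make_response` and `log_access` are hypothetical names, and the responses are constructed.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}

AUDIT_LOG = []  # stands in for a real audit sink


def log_access():
    """Hypothetical handler for the 'logAccess' obligation; True means done."""
    AUDIT_LOG.append("access granted")
    return True


def make_response(decision, obligation_ids=()):
    """Build a constructed XACML 3.0 response shaped like the samples above."""
    obligations = "".join(
        f'<x:Obligation ObligationId="{oid}"/>' for oid in obligation_ids)
    if obligations:
        obligations = f"<x:Obligations>{obligations}</x:Obligations>"
    return (f'<x:Response xmlns:x="{XACML_NS}"><x:Result>'
            f"<x:Decision>{decision}</x:Decision>{obligations}"
            "</x:Result></x:Response>")


def parse_result(xml_text):
    """Return (decision, [obligation ids]) from a single-result response."""
    root = ET.fromstring(xml_text)
    results = root.findall("x:Result", NS)
    if root.tag != "{%s}Response" % XACML_NS or len(results) != 1:
        raise ValueError("expected one Result in an XACML 3.0 Response")
    decision = results[0].findtext("x:Decision", default="", namespaces=NS)
    obligations = [o.get("ObligationId")
                   for o in results[0].findall("x:Obligations/x:Obligation", NS)]
    return decision.strip(), obligations


def enforce(xml_text, handlers):
    """Return (allowed, reason); anything other than a clean Permit is a deny."""
    try:
        decision, obligations = parse_result(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return False, f"deny: bad response ({exc})"

    for oid in obligations:
        handler = handlers.get(oid)
        try:
            done = handler is not None and handler() is True
        except Exception:
            done = False
        # An obligation the PEP does not understand or cannot carry out
        # cancels a Permit. On Deny the handlers still run (e.g. logging).
        if not done and decision == "Permit":
            return False, f"deny: obligation {oid!r} not discharged"

    if decision != "Permit":
        # Deny, NotApplicable, Indeterminate and unknown values all end here.
        return False, f"deny: decision was {decision or 'missing'}"
    return True, "permit"


if __name__ == "__main__":
    handlers = {"logAccess": log_access}
    print(enforce(make_response("Permit", ["logAccess"]), handlers))
    print(enforce(make_response("Permit", ["logAccess"]), {}))
    print(enforce(make_response("NotApplicable"), handlers))
```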

The Multiple Decision Profile of XACML 3.0

By default a PDP processes a single request at a time, e.g. "Can Alice view item #1?". The PDP then replies with a single decision. At times, though, it is necessary to send multiple requests in one go, e.g. "Can Alice view / edit / delete items #1, #2, #3?". The Multiple Decision Profile of XACML allows for this use case. The PDP will typically compute the product of all combinations, i.e. in the example above there will be 1 x 3 x 3 = 9 decisions returned in a single response.

Sample JSON Request for the Multiple Decision Profile

The way to enable the MDP is to send an array of objects for any of the categories rather than an array of one object (or simply an object). For instance, AccessSubject is an object but Resource is an array of objects. The latter will trigger the MDP process in PDPs that support the profile. Note as well the use of the IncludeInResult attribute which tells the PDP to return the XACML attribute and its value in the response so that decisions can be correlated to the relevant attribute values.

{
  "Request": {
    "ReturnPolicyIdList": true,
    "AccessSubject": {
      "Attribute": [{
        "AttributeId": "com.acme.user.username",
        "Value": "Alice"
      }]
    },
    "Resource": [{
      "Attribute": [{
        "AttributeId": "com.acme.objectType",
        "Value": "record"
      }, {
        "AttributeId": "com.acme.record.recordId",
        "Value": "123",
        "IncludeInResult": true
      }]
    }, {
      "Attribute": [{
        "AttributeId": "com.acme.objectType",
        "Value": "record"
      }, {
        "AttributeId": "com.acme.record.recordId",
        "Value": "124",
        "IncludeInResult": true
      }]
    }, {
      "Attribute": [{
        "AttributeId": "com.acme.objectType",
        "Value": "record"
      }, {
        "AttributeId": "com.acme.record.recordId",
        "Value": "125",
        "IncludeInResult": true
      }]
    }],
    "Action": [{
      "Attribute": [{
        "AttributeId": "com.acme.action",
        "Value": "view",
        "IncludeInResult": true
      }]
    }, {
      "Attribute": [{
        "AttributeId": "com.acme.action",
        "Value": "edit",
        "IncludeInResult": true
      }]
    }, {
      "Attribute": [{
        "AttributeId": "com.acme.action",
        "Value": "delete",
        "IncludeInResult": true
      }]
    }]
  }
}
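Correlating Multiple Decision Profile results back to what was asked, as an added Python example (not from the original article or any PDP vendor). It reuses the attribute ids of the sample request; the response is constructed and incomplete on purpose, and the helper names are hypothetical. Any combination the response does not answer, or answers inconsistently, is treated as not permitted.

```python
from itertools import product

RECORD_ID = "com.acme.record.recordId"
ACTION_ID = "com.acme.action"


def as_list(value):
    """The JSON samples use an object or an array; normalise both to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_request(user, record_ids, actions):
    """Build an MDP request: arrays under Resource and Action trigger the profile."""
    return {"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": "com.acme.user.username", "Value": user}]},
        "Resource": [{"Attribute": [
            {"AttributeId": "com.acme.objectType", "Value": "record"},
            {"AttributeId": RECORD_ID, "Value": rid, "IncludeInResult": True}]}
            for rid in record_ids],
        "Action": [{"Attribute": [
            {"AttributeId": ACTION_ID, "Value": act, "IncludeInResult": True}]}
            for act in actions],
    }}


def requested_pairs(request):
    """Every (recordId, action) combination the PDP is expected to answer."""
    def echoed(category, attribute_id):
        return [a["Value"]
                for entry in as_list(request["Request"].get(category))
                for a in as_list(entry.get("Attribute"))
                if a["AttributeId"] == attribute_id and a.get("IncludeInResult")]
    return set(product(echoed("Resource", RECORD_ID), echoed("Action", ACTION_ID)))


def correlate(response):
    """Map (recordId, action) -> decision using the attributes echoed per result."""
    decisions = {}
    for result in as_list(response.get("Response")):
        echoed = {a["AttributeId"]: a["Value"]
                  for cat in as_list(result.get("Category"))
                  for a in as_list(cat.get("Attribute"))}
        key = (echoed.get(RECORD_ID), echoed.get(ACTION_ID))
        decision = result.get("Decision")
        if key in decisions and decisions[key] != decision:
            decision = "Indeterminate"  # conflicting answers: fail closed
        decisions[key] = decision
    return decisions


def permitted_pairs(request, response):
    decisions = correlate(response)
    return {p for p in requested_pairs(request) if decisions.get(p) == "Permit"}


def unanswered_pairs(request, response):
    return requested_pairs(request) - set(correlate(response))


def sample_result(decision, record_id, action):
    """Constructed result in the shape of the sample response (Attribute as object)."""
    return {"Decision": decision, "Category": [
        {"CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
         "Attribute": {"AttributeId": RECORD_ID, "Value": record_id}},
        {"CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
         "Attribute": {"AttributeId": ACTION_ID, "Value": action}}]}


SAMPLE_REQUEST = build_request("Alice", ["123", "124", "125"],
                               ["view", "edit", "delete"])
SAMPLE_RESPONSE = {"Response": [sample_result("Permit", "123", "view"),
                                sample_result("Deny", "123", "edit"),
                                sample_result("Deny", "125", "view")]}

if __name__ == "__main__":
    print("asked:", len(requested_pairs(SAMPLE_REQUEST)))
    print("permitted:", sorted(permitted_pairs(SAMPLE_REQUEST, SAMPLE_RESPONSE)))
    print("unanswered:", sorted(unanswered_pairs(SAMPLE_REQUEST, SAMPLE_RESPONSE)))
```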

Sample JSON Response for the Multiple Decision Profile

{
  "Response": [
    {
      "Decision": "Deny",
      "Status": { "StatusCode": { "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" } },
      "AssociatedAdvice": {
        "Id": "com.acme.message",
        "AttributeAssignment": [
          { "AttributeId": "com.acme.messageContent", "Value": "Access denied - insufficient clearance.",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment", "DataType": "http://www.w3.org/2001/XMLSchema#string" },
          { "AttributeId": "com.acme.user.clearance", "Value": "1",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "DataType": "http://www.w3.org/2001/XMLSchema#integer" },
          { "AttributeId": "com.acme.record.classification", "Value": "3",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "DataType": "http://www.w3.org/2001/XMLSchema#integer" }
        ]
      },
      "Category": [
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": { "AttributeId": "com.acme.record.recordId", "Value": "125", "DataType": "http://www.w3.org/2001/XMLSchema#string" } },
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": { "AttributeId": "com.acme.action", "Value": "view", "DataType": "http://www.w3.org/2001/XMLSchema#string" } }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          { "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0", "Version": "1" },
          { "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae", "Version": "1" }
        ],
        "PolicySetIdReference": [
          { "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211", "Version": "1" },
          { "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54", "Version": "1.0" }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": { "StatusCode": { "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" } },
      "AssociatedAdvice": {
        "Id": "com.acme.message",
        "AttributeAssignment": [
          { "AttributeId": "com.acme.messageContent", "Value": "Access denied - insufficient clearance.",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment", "DataType": "http://www.w3.org/2001/XMLSchema#string" },
          { "AttributeId": "com.acme.user.clearance", "Value": "1",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "DataType": "http://www.w3.org/2001/XMLSchema#integer" },
          { "AttributeId": "com.acme.record.classification", "Value": "2",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "DataType": "http://www.w3.org/2001/XMLSchema#integer" }
        ]
      },
      "Category": [
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": { "AttributeId": "com.acme.record.recordId", "Value": "124", "DataType": "http://www.w3.org/2001/XMLSchema#string" } },
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": { "AttributeId": "com.acme.action", "Value": "view", "DataType": "http://www.w3.org/2001/XMLSchema#string" } }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          { "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0", "Version": "1" },
          { "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae", "Version": "1" }
        ],
        "PolicySetIdReference": [
          { "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211", "Version": "1" },
          { "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54", "Version": "1.0" }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": { "StatusCode": { "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" } },
      "Category": [
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": { "AttributeId": "com.acme.record.recordId", "Value": "123", "DataType": "http://www.w3.org/2001/XMLSchema#string" } },
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": { "AttributeId": "com.acme.action", "Value": "edit", "DataType": "http://www.w3.org/2001/XMLSchema#string" } }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": { "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae", "Version": "1" },
        "PolicySetIdReference": [
          { "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211", "Version": "1" },
          { "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54", "Version": "1.0" }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": { "StatusCode": { "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" } },
      "Category": [
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": { "AttributeId": "com.acme.record.recordId", "Value": "123", "DataType": "http://www.w3.org/2001/XMLSchema#string" } },
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": { "AttributeId": "com.acme.action", "Value": "delete", "DataType": "http://www.w3.org/2001/XMLSchema#string" } }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": { "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae", "Version": "1" },
        "PolicySetIdReference": [
          { "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211", "Version": "1" },
          { "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54", "Version": "1.0" }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": { "StatusCode": { "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" } },
      "AssociatedAdvice": {
        "Id": "com.acme.message",
        "AttributeAssignment": [
          { "AttributeId": "com.acme.messageContent", "Value": "Access denied - insufficient clearance.",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment", "DataType": "http://www.w3.org/2001/XMLSchema#string" },
          { "AttributeId": "com.acme.user.clearance", "Value": "1",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "DataType": "http://www.w3.org/2001/XMLSchema#integer" },
          { "AttributeId": "com.acme.record.classification", "Value": "3",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "DataType": "http://www.w3.org/2001/XMLSchema#integer" }
        ]
      },
      "Category": [
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": { "AttributeId": "com.acme.record.recordId", "Value": "125", "DataType": "http://www.w3.org/2001/XMLSchema#string" } },
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": { "AttributeId": "com.acme.action", "Value": "delete", "DataType": "http://www.w3.org/2001/XMLSchema#string" } }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          { "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0", "Version": "1" },
          { "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae", "Version": "1" }
        ],
        "PolicySetIdReference": [
          { "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211", "Version": "1" },
          { "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54", "Version": "1.0" }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": { "StatusCode": { "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" } },
      "AssociatedAdvice": {
        "Id": "com.acme.message",
        "AttributeAssignment": [
          { "AttributeId": "com.acme.messageContent", "Value": "Access denied - insufficient clearance.",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment", "DataType": "http://www.w3.org/2001/XMLSchema#string" },
          { "AttributeId": "com.acme.user.clearance", "Value": "1",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "DataType": "http://www.w3.org/2001/XMLSchema#integer" },
          { "AttributeId": "com.acme.record.classification", "Value": "3",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "DataType": "http://www.w3.org/2001/XMLSchema#integer" }
        ]
      },
      "Category": [
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": { "AttributeId": "com.acme.record.recordId", "Value": "125", "DataType": "http://www.w3.org/2001/XMLSchema#string" } },
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": { "AttributeId": "com.acme.action", "Value": "edit", "DataType": "http://www.w3.org/2001/XMLSchema#string" } }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          { "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0", "Version": "1" },
          { "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae", "Version": "1" }
        ],
        "PolicySetIdReference": [
          { "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211", "Version": "1" },
          { "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54", "Version": "1.0" }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": { "StatusCode": { "Value": "urn:oasis:names:tc:xacml:1.0:status:ok" } },
      "AssociatedAdvice": {
        "Id": "com.acme.message",
        "AttributeAssignment": [
          { "AttributeId": "com.acme.messageContent", "Value": "Access denied - insufficient clearance.",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment", "DataType": "http://www.w3.org/2001/XMLSchema#string" },
          { "AttributeId": "com.acme.user.clearance", "Value": "1",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "DataType": "http://www.w3.org/2001/XMLSchema#integer" },
          { "AttributeId": "com.acme.record.classification", "Value": "2",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "DataType": "http://www.w3.org/2001/XMLSchema#integer" }
        ]
      },
      "Category": [
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": { "AttributeId": "com.acme.record.recordId", "Value": "124", "DataType": "http://www.w3.org/2001/XMLSchema#string" } },
        { "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": { "AttributeId": "com.acme.action", "Value": "delete", "DataType": "http://www.w3.org/2001/XMLSchema#string" } }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          { "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0", "Version": "1" },
          { "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae", "Version": "1" }
        ],
        "PolicySetIdReference": [
          { "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211", "Version": "1" },
    {             "Id": " http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54 ",             "Version": "1.0"           }         ]       }     },     {       "Decision": "Deny",       "Status": {         "StatusCode": {           "Value": " urn:oasis:names:tc:xacml:1.0:status:ok "         }       },       "Category": [         {           "CategoryId": " urn:oasis:names:tc:xacml:3.0:attribute-category:resource ",           "Attribute": {             "AttributeId": "com.acme.record.recordId",             "Value": "123",             "DataType": " http://www.w3.org/2001/XMLSchema#string "           }         },         {           "CategoryId": " urn:oasis:names:tc:xacml:3.0:attribute-category:action ",           "Attribute": {             "AttributeId": "com.acme.action",             "Value": "view",             "DataType": " http://www.w3.org/2001/XMLSchema#string "           }         }       ],       "PolicyIdentifierList": {         "PolicyIdReference": {           "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae",           "Version": "1"         },         "PolicySetIdReference": [           {             "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211",             "Version": "1"           },           {             "Id": " http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54 ",             "Version": "1.0"           }         ]       }     },     {       "Decision": "Deny",       "Status": {         "StatusCode": {           "Value": " urn:oasis:names:tc:xacml:1.0:status:ok "         }       },       "AssociatedAdvice": {         "Id": "com.acme.message",         "AttributeAssignment": [           {             "AttributeId": "com.acme.messageContent",             "Value": "Access denied - insufficient clearance.",             "Category": " urn:oasis:names:tc:xacml:3.0:attribute-category:environment ",             "DataType": " http://www.w3.org/2001/XMLSchema#string "           },           {             
"AttributeId": "com.acme.user.clearance",             "Value": "1",             "Category": " urn:oasis:names:tc:xacml:1.0:subject-category:access-subject ",             "DataType": " http://www.w3.org/2001/XMLSchema#integer "           },           {             "AttributeId": "com.acme.record.classification",             "Value": "2",             "Category": " urn:oasis:names:tc:xacml:3.0:attribute-category:resource ",             "DataType": " http://www.w3.org/2001/XMLSchema#integer "           }         ]       },       "Category": [         {           "CategoryId": " urn:oasis:names:tc:xacml:3.0:attribute-category:resource ",           "Attribute": {             "AttributeId": "com.acme.record.recordId",             "Value": "124",             "DataType": " http://www.w3.org/2001/XMLSchema#string "           }         },         {           "CategoryId": " urn:oasis:names:tc:xacml:3.0:attribute-category:action ",           "Attribute": {             "AttributeId": "com.acme.action",             "Value": "edit",             "DataType": " http://www.w3.org/2001/XMLSchema#string "           }         }       ],       "PolicyIdentifierList": {         "PolicyIdReference": [           {             "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0",             "Version": "1"           },           {             "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae",             "Version": "1"           }         ],         "PolicySetIdReference": [           {             "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211",             "Version": "1"           },           {             "Id": " http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54 ",             "Version": "1.0"           }         ]       }     }   ] }

Developer orientation

In 2013 and 2014, the XACML Technical Committee focused on designing new profiles to facilitate developer integration. These include:

All three profiles were showcased at the Cloud Identity Summit 2014 in Monterey, California. Using these profiles, integrating fine-grained authorization into applications becomes much easier.

The ALFA Profile of XACML

ALFA stands for Abbreviated Language for Authorization. It is a lightweight syntax used to implement policy-based access control policies. For examples refer to the main article.

The JSON Profile of XACML

The JSON profile of XACML simplifies the integration between the PEP and the PDP.

Sample JSON request

{
    "Request": {
        "AccessSubject": {
            "Attribute": [
                {
                    "AttributeId": "com.acme.user.employeeId",
                    "Value": "Alice"
                }
            ]
        },
        "Resource": {
            "Attribute": [
                {
                    "AttributeId": "com.acme.record.recordId",
                    "Value": "123"
                },
                {
                    "AttributeId": "com.acme.object.objectType",
                    "Value": "record"
                }
            ]
        },
        "Action": {
            "Attribute": [
                {
                    "AttributeId": "com.acme.action.actionId",
                    "Value": "view"
                }
            ]
        },
        "Environment": {
            "Attribute": []
        }
    }
}

Sample JSON response

{
  "Response": {
    "Decision": "Permit",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    }
  }
}
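The following is an added example, not code from the article or from any XACML implementation: a deny-biased PEP-side reader for JSON-profile responses shaped like the samples on this page, where "Response" may be a single object or an array of results. The obligation id `com.acme.audit`, the `supported_obligations` parameter, and treating an absent Status as ok are assumptions of the example.

```python
import json

STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"


def _as_list(node):
    """The page's samples carry one object or an array under the same key."""
    if node is None:
        return []
    return node if isinstance(node, list) else [node]


def _assignments(items):
    """Flatten advice entries into [{AttributeId: Value, ...}, ...]."""
    return [{a["AttributeId"]: a.get("Value")
             for a in _as_list(item.get("AttributeAssignment"))}
            for item in _as_list(items)]


def _verdict(result, supported_obligations):
    # Assumption: a Result without a Status member is treated as status ok.
    status = result.get("Status", {}).get("StatusCode", {}).get("Value", STATUS_OK)
    unhandled = [o.get("Id") for o in _as_list(result.get("Obligations"))
                 if o.get("Id") not in supported_obligations]
    attrs = {a["AttributeId"]: a.get("Value")
             for c in _as_list(result.get("Category"))
             for a in _as_list(c.get("Attribute"))}
    return {
        # Permit is honoured only with an ok status and no unhandled obligation.
        "allow": (result.get("Decision") == "Permit"
                  and status.strip() == STATUS_OK and not unhandled),
        "decision": result.get("Decision", "Indeterminate"),
        "attributes": attrs,
        "advice": _assignments(result.get("AssociatedAdvice")),
    }


def enforce(raw, supported_obligations=frozenset()):
    """Deny-biased PEP: one verdict per Result; anything malformed denies."""
    try:
        results = _as_list(json.loads(raw)["Response"])
        verdicts = [_verdict(r, supported_obligations) for r in results]
    except (ValueError, KeyError, TypeError, AttributeError):
        verdicts = []  # unparsable or oddly shaped answer: fail closed
    return verdicts or [{"allow": False, "decision": "Indeterminate",
                         "attributes": {}, "advice": []}]


# Constructed sample: a trimmed multi-decision response using the page's attribute ids.
MULTI = json.dumps({"Response": [
    {"Decision": "Deny", "Status": {"StatusCode": {"Value": STATUS_OK}},
     "AssociatedAdvice": {"Id": "com.acme.message", "AttributeAssignment": [
         {"AttributeId": "com.acme.messageContent",
          "Value": "Access denied - insufficient clearance."}]},
     "Category": [{"Attribute": {"AttributeId": "com.acme.record.recordId", "Value": "124"}},
                  {"Attribute": {"AttributeId": "com.acme.action", "Value": "edit"}}]},
    {"Decision": "Permit", "Status": {"StatusCode": {"Value": STATUS_OK}},
     "Category": [{"Attribute": {"AttributeId": "com.acme.record.recordId", "Value": "123"}},
                  {"Attribute": {"AttributeId": "com.acme.action", "Value": "view"}}]},
    {"Decision": "Permit", "Obligations": [{"Id": "com.acme.audit"}]},  # hypothetical id
]})
SINGLE = '{"Response": {"Decision": "Permit", "Status": {"StatusCode": {"Value": "%s"}}}}' % STATUS_OK

if __name__ == "__main__":
    for v in enforce(MULTI) + enforce(SINGLE) + enforce("not json"):
        print(v["allow"], v["decision"], v["attributes"], v["advice"])
```

A single malformed Result denies the whole batch, so a partially corrupted multi-decision response cannot yield a stray Permit.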

XACML and other standards

XACML and Open Policy Agent

XACML is almost entirely a policy definition language based on XML and XSLT, defined by an open OASIS specification. The XACML specification does not cover the design or implementation of Policy Decision Points (PDPs), only the policy language they consume. Many proprietary and open-source PDPs use XACML as their policy definition language.

Open Policy Agent (OPA) is an open-source Policy Decision Point (PDP) implementation, capable of interpreting policy language to render policy decisions. OPA is a general-purpose PDP implementation which can be used for any scenario where a policy decision is required, much like PDP implementations that support the XACML specification.

OPA's policy definition language is Rego, a JSON-based, Turing-incomplete language based on Datalog.

Policies written in XACML can be translated to Rego, and vice-versa.

XACML and SAML

Example of cross-enterprise federation where two enterprises federate using SAML and two Security Token Services (STS), establishing a circle of trust. The SAML in this picture is used for identity exchange / virtualization. The XACML is used server-side to determine whether access should be granted to the application functionality (functional access control) and the data behind it (data access control).

SAML is an identity SSO and federation standard used for authentication. SAML is used as a common identity token format between different applications. SAML and XACML are both defined by OASIS. SAML and XACML were designed to interoperate where SAML is used to carry identity information / virtual identities and XACML is used to drive the access control logic through policies.

XACML and OAuth

OAuth 2.0 is considered to be an authorization standard. It differs from XACML though in its origin, its purpose, and its applications. OAuth is about:

XACML does not handle user approval or delegated access or password management. XACML simply provides:

XACML and OAuth can be combined to deliver a more comprehensive approach to authorization.

References

  1. Best, Karl (16 April 2001). "OASIS TC call for participation: XACML". OASIS. Retrieved 31 October 2016.
  2. "pure-xacml". www.axiomatics.com. Retrieved 2016-04-27.
  3. Ferraiolo, David; Chandramouli, Ramaswamy; Hu, Vincent; Kuhn, Rick (October 2016). A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications (Report). National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-178.
  4. See for example De la Rosa Algarín, Alberto; Ziminski, Timoteus B.; Demurjian 1, Steven A.; Kuykendall, Robert; Rivera Sánchez, Yaira K. (2013). Defining and Enforcing XACML Role-based Security Policies within an XML Security Framework. Proceedings of the 9th International Conference on Web Information Systems and Technologies. doi:10.5220/0004366200160025.
  5. eXtensible Access Control Markup Language (XACML) V3.0 approved as an OASIS Standard.