XACML

XACML (eXtensible Access Control Markup Language) is a standard published by OASIS. It defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests against the rules defined in policies.

Each Rule carries an Effect (Permit or Deny) together with a target and an optional condition that decide whether the rule applies to a given request.

Version 2.0 was ratified by the OASIS standards organization on February 1, 2005.

Conditions are essentially an advanced form of a target: they can use a broader range of functions and, more importantly, can compare two or more attributes with each other, e.g. subject-id == doctor-id.

With conditions it is possible to implement segregation-of-duty checks or relationship-based access control.

Obligations are actions the PEP must carry out when it enforces a decision; adding them to policies closes the gap between formal requirements and policy enforcement. A PEP that cannot fulfil an obligation attached to a decision must not grant access.

Obligations can be used for "break-the-glass" scenarios or trust elevation ("you cannot transfer $1,000 without two-factor authentication; here is the link to the 2FA page").

XACML defines a number of combining algorithms (for example deny-overrides, permit-overrides, first-applicable and only-one-applicable). They are identified by the RuleCombiningAlgId attribute of the Policy element or the PolicyCombiningAlgId attribute of the PolicySet element, respectively.

The rule-combining algorithm defines a procedure for arriving at an access decision given the individual results of evaluating a set of rules.

Similarly, the policy-combining algorithm defines a procedure for arriving at an access decision given the individual results of evaluating a set of policies.

The delegation mechanism is used to support decentralized administration of access policies.

The system implements the following central rules to protect its resources and to allow delegation. (Attributes can be fetched from an external source, e.g. an LDAP directory.)

In pseudo-code: `deny if currentDateTime > lastLogin + 30 days`. Another rule grants access if the current time is later than 9am and earlier than 5pm.
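The rule, condition, obligation and combining-algorithm behaviour described above, as an added worked example that is not code from the OASIS specification or from any XACML implementation: a miniature policy decision point in Python. The attribute names (subject-id, doctor-id, last-login, current-dateTime, amount), the sample rules other than the two given in the text, and the sample requests are assumptions made for the example, and the combining algorithms collapse XACML's several Indeterminate variants into a single Indeterminate.

```python
"""Miniature XACML-style PDP: rules with targets, conditions, obligations
and three rule-combining algorithms. Added illustration; attribute names,
rules and sample values are assumptions, not from any real deployment."""
from datetime import datetime, timedelta

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"


class Rule:
    """One rule: an Effect, a target (is the rule about this request?) and a
    condition, which, unlike a target, may compare attributes to each other."""

    def __init__(self, name, effect, target=None, condition=None, obligations=()):
        self.name = name
        self.effect = effect
        self.target = target or (lambda req: True)
        self.condition = condition or (lambda req: True)
        self.obligations = tuple(obligations)

    def evaluate(self, req):
        """Return (decision, obligations) for a single request."""
        try:
            if not self.target(req) or not self.condition(req):
                return NOT_APPLICABLE, ()  # rule does not apply to this request
        except (KeyError, TypeError):
            # Missing or malformed attribute: fail closed as Indeterminate,
            # never fall through to the rule's Effect.
            return INDETERMINATE, ()
        return self.effect, self.obligations


def _permit_obligations(results):
    return tuple(o for d, obs in results if d == PERMIT for o in obs)


def deny_overrides(results):
    """Any Deny wins; an Indeterminate blocks a Permit; else NotApplicable."""
    decisions = [d for d, _ in results]
    if DENY in decisions:
        return DENY, ()
    if INDETERMINATE in decisions:
        return INDETERMINATE, ()
    if PERMIT in decisions:
        return PERMIT, _permit_obligations(results)
    return NOT_APPLICABLE, ()


def permit_overrides(results):
    """Mirror image: any Permit wins, so a missing attribute cannot block it."""
    decisions = [d for d, _ in results]
    if PERMIT in decisions:
        return PERMIT, _permit_obligations(results)
    if INDETERMINATE in decisions:
        return INDETERMINATE, ()
    if DENY in decisions:
        return DENY, ()
    return NOT_APPLICABLE, ()


def first_applicable(results):
    """Rule order matters: the first rule that is not NotApplicable decides."""
    for decision, obligations in results:
        if decision != NOT_APPLICABLE:
            return decision, obligations
    return NOT_APPLICABLE, ()


def decide(rules, algorithm, req):
    """Evaluate every rule in order, then combine the individual results."""
    return algorithm([rule.evaluate(req) for rule in rules])


RULES = [
    # from the text: deny if currentDateTime > lastLogin + 30 days
    Rule("stale-login", DENY,
         condition=lambda r: r["current-dateTime"] > r["last-login"] + timedelta(days=30)),
    # from the text: grant access between 9am and 5pm (here scoped to edits)
    Rule("business-hours", PERMIT,
         target=lambda r: r["action"] == "edit",
         condition=lambda r: 9 <= r["current-dateTime"].hour < 17),
    # relationship-based: a doctor may view only their own patient's record
    Rule("own-patient", PERMIT,
         target=lambda r: r["action"] == "view",
         condition=lambda r: r["subject-id"] == r["doctor-id"]),
    # trust elevation: a transfer of 1000 or more is permitted only together
    # with an obligation the PEP must fulfil (send the user to the 2FA page)
    Rule("large-transfer", PERMIT,
         target=lambda r: r["action"] == "transfer",
         condition=lambda r: r["amount"] >= 1000,
         obligations=("require-2fa",)),
]

NOW = datetime(2024, 3, 12, 10, 0)  # constructed: a weekday at 10:00


def request(action, now=NOW, login_days_ago=5, extra=None):
    """Build a constructed sample request; login_days_ago=None omits last-login."""
    req = {"action": action, "current-dateTime": now,
           "subject-id": "dr-smith", "doctor-id": "dr-smith"}
    if login_days_ago is not None:
        req["last-login"] = now - timedelta(days=login_days_ago)
    req.update(extra or {})
    return req


if __name__ == "__main__":
    print(decide(RULES, deny_overrides, request("view")))                     # ('Permit', ())
    print(decide(RULES, deny_overrides, request("view", login_days_ago=None)))  # ('Indeterminate', ())
```

Two points the paragraphs alone do not show: a request that lacks the last-login attribute comes back Indeterminate under deny-overrides but Permit under permit-overrides, so the choice of combining algorithm decides whether a missing attribute fails open; and a transfer below the threshold, which no rule covers, comes back NotApplicable, which a deny-biased PEP must treat as a refusal rather than as a Permit.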

By default a PDP processes a single request at a time, e.g. "Can Alice view item #1?".

At times, though, it is necessary to send multiple requests in one go, e.g. "Can Alice view / edit / delete items #1, #2, #3?".

The PDP will typically evaluate the Cartesian product of all combinations, i.e. in the example above 1 x 3 x 3 = 9 decisions are returned in a single response, each tagged with the attribute values that produced it.
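The multiple decision behaviour described above, as an added example that is not part of the original page or of any XACML implementation. The single-decision policy (anyone may view, only the owner may edit, nobody may delete), the item ownership table and the cap on the number of combinations are assumptions made for the example.

```python
"""Multiple decision profile, in miniature: one request with several values
per attribute category fans out into one decision per combination.
Added illustration; policy, ownership table and the cap are assumptions."""
from itertools import product

# constructed ownership table (assumption for the example)
OWNER = {"item-1": "alice", "item-2": "bob", "item-3": "alice"}

# Assumed safety limit: the result count is the product of the category sizes,
# so an unbounded multi-request is an easy way to exhaust a PDP.
MAX_DECISIONS = 1000


def decide_one(subject, action, resource):
    """Toy single-decision policy standing in for full rule evaluation:
    anyone may view, only the owner may edit, nobody may delete."""
    if action == "view":
        return "Permit"
    if action == "edit" and OWNER.get(resource) == subject:
        return "Permit"
    return "Deny"


def decide_multi(subjects, actions, resources):
    """Evaluate the Cartesian product subjects x actions x resources.

    Each result is tagged with the attribute values that produced it, so the
    PEP can match decisions back to individual items; the decisions are never
    merged into one overall answer."""
    count = len(subjects) * len(actions) * len(resources)
    if count > MAX_DECISIONS:
        raise ValueError(f"{count} combinations exceeds limit of {MAX_DECISIONS}")
    return [{"subject": s, "action": a, "resource": r,
             "decision": decide_one(s, a, r)}
            for s, a, r in product(subjects, actions, resources)]


def by_decision(results):
    """Group the tagged results so a PEP can, e.g., hide every denied item."""
    grouped = {"Permit": [], "Deny": []}
    for res in results:
        grouped[res["decision"]].append(f"{res['action']}:{res['resource']}")
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    # "Can Alice view / edit / delete items #1, #2, #3?" -> 1 x 3 x 3 = 9 decisions
    results = decide_multi(["alice"], ["view", "edit", "delete"],
                           ["item-1", "item-2", "item-3"])
    print(len(results), by_decision(results))
```

The cap is the practical caveat: because the response size is multiplicative in the number of values per category, a PDP exposed to untrusted PEPs should bound the product rather than evaluate whatever it is sent.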

In 2013 and 2014, the XACML Technical Committee focused on designing new profiles to facilitate developer integration.

Three such profiles were showcased at the Cloud Identity Summit 2014 in Monterey, California.

It is a lightweight syntax for writing access control policies.

XACML is almost entirely a policy definition language based on XML, defined by an open OASIS specification.

OAuth and XACML address different problems: XACML does not handle user approval, delegated access or password management.

This image shows the XACML architecture and a sample authorization flow.
Example of cross-enterprise federation where two enterprises federate using SAML and two Security Token Services (STS), establishing a circle of trust. The SAML in this picture is used for identity exchange / virtualization. The XACML is used server-side to determine whether access should be granted to the application functionality (functional access control) and the data behind it (data access control).