XACML

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
XACML
ParadigmDeclarative programming
DeveloperOrganization for the Advancement of Structured Information Standards (OASIS)
First appearedApril 16, 2001; 19 years ago (2001-04-16)[1]
LicenseOASIS
Filename extensions.xml , .alfa
Websitewww.oasis-open.org
Major implementations
Axiomatics, AuthzForce
Dialects
ALFA (XACML)
Influenced by
XML, SAML
Influenced
ALFA (XACML)

XACML stands for "eXtensible Access Control Markup Language". The standard defines a declarative fine-grained, attribute-based access control policy language,[2] an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.

As a published standard specification, one of the goals of XACML is to promote common terminology and interoperability between access control implementations by multiple vendors. XACML is primarily an attribute-based access control system (ABAC), also known as a policy-based access control (PBAC) system, where attributes (bits of data) associated with a user or action or resource are inputs into the decision of whether a given user may access a given resource in a particular way. Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.

The XACML model supports and encourages the separation of enforcement (PEP) from decision making (PDP) from management / definition (PAP) of the authorization. When access decisions are hard-coded within applications (or based on local machine userids and access control lists (ACLs)), it is very difficult to update the decision criteria when the governing policy changes and it is hard to achieve visibility or audits of the authorization in place. When the client is decoupled from the access decision, authorization policies can be updated on the fly and affect all clients immediately.

History[edit]

Version 1.0 was ratified by OASIS standards organization in 2003.

Version 2.0 was ratified by OASIS standards organization on February 1, 2005.

Version 3.0 was ratified by OASIS in January 2013.[3]

Architecture[edit]

Terminology[edit]

Non-normative terminology (following RFC 2904, except for PAP)

Abbr. Term Description
PAP Policy Administration Point Point which manages access authorization policies
PDP Policy Decision Point Point which evaluates access requests against authorization policies before issuing access decisions
PEP Policy Enforcement Point Point which intercepts user's access request to a resource, makes a decision request to the PDP to obtain the access decision
(i.e. access to the resource is approved or rejected), and acts on the received decision
PIP Policy Information Point The system entity that acts as a source of attribute values (i.e. a resource, subject, environment)
PRP Policy Retrieval Point Point where the XACML access authorization policies are stored, typically a database or the filesystem.

Flow[edit]

This image shows the XACML architecture and a sample authorization flow.
  1. A user sends a request which is intercepted by the Policy Enforcement Point (PEP)
  2. The PEP converts the request into a XACML authorization request
  3. The PEP forwards the authorization request to the Policy Decision Point (PDP)
  4. The PDP evaluates the authorization request against the policies it is configured with. The policies are acquired via the Policy Retrieval Point (PRP) and managed by the Policy Administration Point (PAP). If needed it also retrieves attribute values from underlying Policy Information Points (PIP).
  5. The PDP reaches a decision (Permit / Deny / NotApplicable / Indeterminate) and returns it to the PEP

Policy elements[edit]

Structural elements[edit]

XACML is structured into 3 levels of elements:

  • PolicySet,
  • Policy,
  • Rule.

A policy set can contain any number of policy elements and policy set elements. A policy can contain any number of rule elements.[4]

Attributes and categories[edit]

Policies, policy sets, rules and requests all use subjects, resources, environments, and actions.

  • A subject element is the entity requesting access. A subject has one or more attributes.
  • The resource element is a data, service or system component. A resource has one or more attributes.
  • An action element defines the type of access requested on the resource. Actions have one or more attributes.
  • An environment element can optionally provide additional information.

Targets[edit]

XACML provides a target,[5] which is basically a set of simplified conditions for the subject, resource, and action that must be met for a policy set, policy, or rule to apply to a given request. Once a policy or policy set is found to apply to a given request, its rules are evaluated to determine the access decision and response.

In addition to being a way to check applicability, target information also provides a way to index policies, which is useful if you need to store many policies and then quickly sift through them to find which ones apply. When a request to access that service arrives, the PDP will know where to look for policies that might apply to this request because the policies are indexed based on their target constraints. Note that a target may also specify that it applies to any request.

Policy set, policy and rule can all contain target elements.

Conditions[edit]

Conditions only exist in rules. Conditions are essentially an advanced form of a target which can use a broader range of functions and more importantly can be used to compare two or more attributes together, e.g. subject-id==doctor-id. With conditions, it is possible to implement segregation of duty checks or relationship-based access control.

Obligations & Advice[edit]

Within XACML, a concept called obligations can be used. An obligation is a directive from the policy decision point (PDP) to the policy enforcement point (PEP) on what must be carried out before or after an access is approved. If the PEP is unable to comply with the directive, the approved access may or must not be realized. The augmentation of obligations eliminates a gap between formal requirements and policy enforcement. An example of an obligation could look like this:

Access control rule:

         Allow access to resource MedicalJournal with attribute patientID=x 
               if Subject match DesignatedDoctorOfPatient
               and action is read
         with obligation
              on Permit: doLog_Inform(patientID, Subject, time)
              on Deny  : doLog_UnauthorizedLogin(patientID, Subject, time)

The XACML's obligation can be an effective way to meet formal requirements (non-repudiation for example) that can be hard to implement as access control rules. Furthermore, any formal requirements will be part of the access control policy as obligations and not as separate functions, which makes policies consistent and centralization of the IT environment easier to achieve.

Obligations can be used for "break-the-glass" scenarios or trust elevation ("you cannot transfer $1,000 without two-factor authentication - here is the link to the 2FA page").

In addition to obligations, XACML supports advice which are identical to obligations with the difference that a PEP is not obligated to enforce the advice (hence its name).

Combining algorithms[edit]

What happens in XACML if there are two rules (or policies) that contradict each other? Imagine for instance a first rule that would say managers can view documents and a second rule that would say no one can work before 9am. What if the request is about Alice trying to view a document at 8am? Which rule wins? This is what combining algorithms tell us. They help resolve conflicts.

XACML defines a number of combining algorithms[6] that can be identified by a RuleCombiningAlgId or PolicyCombiningAlgId attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an access decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at an access decision given the individual results of evaluation of a set of policies.

The truth table located here will help you understand how combining algorithms process and combine policies.

Functions[edit]

XACML defines a long list of functions (close to 300) to manipulate and compare attributes to other attributes and values:

  • Equality, inequality and other matching functions
  • Arithmetic functions
  • String functions
  • Logical functions (and, or, not)
  • Set and bag functions
  • Higher order functions
  • Regular expression functions
  • XPath functions

The functions and their identifiers are fully described in the standard. Functions are type-specific i.e. there is a function for string equality and a different one for integer equality.

Equality, inequality and other matching functions[edit]

Arithmetic functions[edit]

Refer to the standard for a formal definition of these function.

  • add (double and integer)
  • subtract (double and integer)
  • multiply (double and integer)
  • divide (double and integer)
  • mod (double and integer)
  • abs (double and integer)
  • round
  • floor

String functions[edit]

Refer to the standard for a formal definition of these function.

  • string-concatenate
  • string-starts-with
  • string-ends-with
  • string-contains
  • string-substring

Logical functions (and, or, not)[edit]

Set and bag functions[edit]

Regular expression functions[edit]

XPath functions[edit]

Higher order functions[edit]

The list of higher order functions is as listed below. For a formal definition, refer to the XACML standard.

XACML 3.0[edit]

Schema[edit]

http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd

Data types[edit]

New in XACML 3.0[edit]

New profiles[edit]

XACML 3.0 introduces administrative delegation, the JSON Profile of XACML (request/response), the REST Profile of XACML, the Multiple Decision Profile of XACML, and many more.

Delegation[edit]

The implementation of delegation is new in XACML 3.0. The delegation mechanism is used to support decentralized administration of access policies. It allows an authority (delegator) to delegate all or parts of its own authority or someone else's authority to another user (delegate) without any need to involve modification of the root policy.

This is because, in this delegation model, the delegation rights are separated from the access rights. These are instead referred to as administrative control policies.[7] Access control and administrative policies work together as in the following scenario:

A partnership of companies' many services are protected by an access control system. The system implements the following central rules to protect its resources and to allow delegation:

Access control rules:

             Allow access
                   to resource with attribute WebService 
                   if subject is Employee and action is read or write. 
             

Administration control rules:

             Allow delegation of access control rule #1
                     to subjects with attribute Consultant.
             Conditions: 
                        delegation must expire within 6 months,
                        resource must not have attribute StrictlyInternal.
              

(Attributes can be fetched from an external source, e.g. a LDAP catalog.)

When a consultant enters the corporation, a delegation can be issued locally by the consultant's supervisor, authorizing the consultant access to systems directly.

The delegator (the supervisor in this scenario) may only have the right to delegate a limited set of access rights to consultants.

Other features[edit]

Other new features of XACML 3.0 are listed at http://www.webfarmr.eu/2010/07/enhancements-and-new-features-in-xacml-3-axiomatics/

The XACML TC is also publishing a list of changes here: http://wiki.oasis-open.org/xacml/DifferencesBetweenXACML2.0AndXACML3.0

Sample policies[edit]

Date and time-based authorization in XACML[edit]

This rule implements the use-it-lose-it access control paradigm. If a user does not log in for 30 days, then they lose access.

In pseudo-code: deny if currentDateTime > lastLogin + 30 days

<xacml3:Rule RuleId="f6637b3f-3690-4cce-989c-2ce9c053d6fa" Effect="Deny">
	<xacml3:Description>Use it or lose it: this policy denies access if lastLogin is more than 30 days away from today's date</xacml3:Description>
	<xacml3:Target/>
	<xacml3:Condition >
		<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
			<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than"/>
			<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:dateTime-add-dayTimeDuration">
				<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only">
					<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="com.acme.user.lastLogin" DataType="http://www.w3.org/2001/XMLSchema#dateTime" MustBePresent="false"/>
				</xacml3:Apply>
				<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dayTimeDuration">P30D</xacml3:AttributeValue>
			</xacml3:Apply>
			<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"  AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime" DataType="http://www.w3.org/2001/XMLSchema#dateTime" MustBePresent="false"/>
		</xacml3:Apply>
	</xacml3:Condition>
</xacml3:Rule>

Time-based authorization in XACML[edit]

This rule grants access if the current time is greater than 9am and less than 5pm.

<xacml3:Rule RuleId="c01d7519-be21-4985-88d8-10941f44590a" Effect="Permit">
	<xacml3:Description>Allow if time between 9 and 5</xacml3:Description>
	<xacml3:Target>
		<xacml3:AnyOf>
			<xacml3:AllOf>
				<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than">
					<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</xacml3:AttributeValue>
					<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#time"/>
				</xacml3:Match>
			</xacml3:AllOf>
		</xacml3:AnyOf>
		<xacml3:AnyOf>
			<xacml3:AllOf>
				<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:time-less-than">
					<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</xacml3:AttributeValue>
					<xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#time"/>
				</xacml3:Match>
			</xacml3:AllOf>
		</xacml3:AnyOf>
	</xacml3:Target>
</xacml3:Rule>

Sample requests and responses[edit]

XACML 3.0 request[edit]

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
      <xacml-ctx:Attribute AttributeId="actionId" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
      <xacml-ctx:Attribute AttributeId="resource-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doc#123</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="user.identifier" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

XACML 3.0 responses[edit]

XACML 3.0 sample response[edit]

<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Result>
    <xacml-ctx:Decision>NotApplicable</xacml-ctx:Decision>
    <xacml-ctx:Status>
      <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-ctx:Status>
  </xacml-ctx:Result>
</xacml-ctx:Response>

XACML 3.0 sample response with obligation[edit]

The following contains an Obligation block. Obligations are statements that can be returned along with a decision to enrich the decision flow. In this example, the PEP must log that access was granted.

<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Result>
    <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
    <xacml-ctx:Status>
      <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-ctx:Status>
    <xacml-ctx:Obligations>
      <xacml-ctx:Obligation ObligationId="logAccess">
      </xacml-ctx:Obligation>
    </xacml-ctx:Obligations>
    <xacml-ctx:PolicyIdentifierList>
      <xacml-ctx:PolicyIdReference Version="1.0">http://www.axiomatics.com/automatic-unique-id/18a9eae9-c92b-4087-b2ac-c5a33d7ff477</xacml-ctx:PolicyIdReference>
    </xacml-ctx:PolicyIdentifierList>
  </xacml-ctx:Result>
</xacml-ctx:Response>

The Multiple Decision Profile of XACML 3.0[edit]

By default a PDP processes a single request at a time e.g. "Can Alice view item #1?". The PDP then replies with a single decision. At times, though, it is necessary to send multiple requests in one go e.g. "Can Alice view / edit / delete items #1, #2, #3?". The Multiple Decision Profile of XACML allows for this use case. The PDP will typically do the product of all combinations i.e. in the example aforementioned there will be 1 x 3 x 3 = 9 decisions returned in a single response.

Sample JSON Request for the Multiple Decision Profile[edit]

The way to enable the MDP is to send an array of objects for any of the categories rather than an array of one object (or simply an object). For instance, AccessSubject is an object but Resource is an array of objects. The latter will trigger the MDP process in PDPs that support the profile. Note as well the use of the IncludeInResult attribute which tells the PDP to return the XACML attribute and its value in the respone so that decisions can be correlated to the relevant attribute values.

{
  "Request": {
    "ReturnPolicyIdList": true,
    "AccessSubject": {
      "Attribute": [{
        "AttributeId": "com.acme.user.username",
        "Value": "Alice"
      }]
    },
    "Resource": [{
      "Attribute": [{
        "AttributeId": "com.acme.objectType",
        "Value": "record"
      }, {
        "AttributeId": "com.acme.record.recordId",
        "Value": "123",
        "IncludeInResult": true
      }]
    },{
      "Attribute": [{
        "AttributeId": "com.acme.objectType",
        "Value": "record"
      }, {
        "AttributeId": "com.acme.record.recordId",
        "Value": "124",
        "IncludeInResult": true
      }]
    },{
      "Attribute": [{
        "AttributeId": "com.acme.objectType",
        "Value": "record"
      }, {
        "AttributeId": "com.acme.record.recordId",
        "Value": "125",
        "IncludeInResult": true
      }]
    }],
    "Action": [{
      "Attribute": [{
        "AttributeId": "com.acme.action",
        "Value": "view",
        "IncludeInResult": true
      }]
    },{
      "Attribute": [{
        "AttributeId": "com.acme.action",
        "Value": "edit",
        "IncludeInResult": true
      }]
    },{
      "Attribute": [{
        "AttributeId": "com.acme.action",
        "Value": "delete",
        "IncludeInResult": true
      }]
    }]
  }
}

Sample JSON Response for the Multiple Decision Profile[edit]

{
  "Response": [
    {
      "Decision": "Deny",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "AssociatedAdvice": {
        "Id": "com.acme.message",
        "AttributeAssignment": [
          {
            "AttributeId": "com.acme.messageContent",
            "Value": "Access denied - insufficient clearance.",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          },
          {
            "AttributeId": "com.acme.user.clearance",
            "Value": "1",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          },
          {
            "AttributeId": "com.acme.record.classification",
            "Value": "3",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          }
        ]
      },
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": {
            "AttributeId": "com.acme.record.recordId",
            "Value": "125",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        },
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": {
            "AttributeId": "com.acme.action",
            "Value": "view",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          {
            "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0",
            "Version": "1"
          },
          {
            "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae",
            "Version": "1"
          }
        ],
        "PolicySetIdReference": [
          {
            "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211",
            "Version": "1"
          },
          {
            "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54",
            "Version": "1.0"
          }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "AssociatedAdvice": {
        "Id": "com.acme.message",
        "AttributeAssignment": [
          {
            "AttributeId": "com.acme.messageContent",
            "Value": "Access denied - insufficient clearance.",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          },
          {
            "AttributeId": "com.acme.user.clearance",
            "Value": "1",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          },
          {
            "AttributeId": "com.acme.record.classification",
            "Value": "2",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          }
        ]
      },
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": {
            "AttributeId": "com.acme.record.recordId",
            "Value": "124",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        },
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": {
            "AttributeId": "com.acme.action",
            "Value": "view",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          {
            "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0",
            "Version": "1"
          },
          {
            "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae",
            "Version": "1"
          }
        ],
        "PolicySetIdReference": [
          {
            "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211",
            "Version": "1"
          },
          {
            "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54",
            "Version": "1.0"
          }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": {
            "AttributeId": "com.acme.record.recordId",
            "Value": "123",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        },
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": {
            "AttributeId": "com.acme.action",
            "Value": "edit",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": {
          "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae",
          "Version": "1"
        },
        "PolicySetIdReference": [
          {
            "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211",
            "Version": "1"
          },
          {
            "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54",
            "Version": "1.0"
          }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": {
            "AttributeId": "com.acme.record.recordId",
            "Value": "123",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        },
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": {
            "AttributeId": "com.acme.action",
            "Value": "delete",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": {
          "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae",
          "Version": "1"
        },
        "PolicySetIdReference": [
          {
            "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211",
            "Version": "1"
          },
          {
            "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54",
            "Version": "1.0"
          }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "AssociatedAdvice": {
        "Id": "com.acme.message",
        "AttributeAssignment": [
          {
            "AttributeId": "com.acme.messageContent",
            "Value": "Access denied - insufficient clearance.",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          },
          {
            "AttributeId": "com.acme.user.clearance",
            "Value": "1",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          },
          {
            "AttributeId": "com.acme.record.classification",
            "Value": "3",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          }
        ]
      },
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": {
            "AttributeId": "com.acme.record.recordId",
            "Value": "125",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        },
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": {
            "AttributeId": "com.acme.action",
            "Value": "delete",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          {
            "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0",
            "Version": "1"
          },
          {
            "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae",
            "Version": "1"
          }
        ],
        "PolicySetIdReference": [
          {
            "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211",
            "Version": "1"
          },
          {
            "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54",
            "Version": "1.0"
          }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "AssociatedAdvice": {
        "Id": "com.acme.message",
        "AttributeAssignment": [
          {
            "AttributeId": "com.acme.messageContent",
            "Value": "Access denied - insufficient clearance.",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          },
          {
            "AttributeId": "com.acme.user.clearance",
            "Value": "1",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          },
          {
            "AttributeId": "com.acme.record.classification",
            "Value": "3",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          }
        ]
      },
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": {
            "AttributeId": "com.acme.record.recordId",
            "Value": "125",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        },
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": {
            "AttributeId": "com.acme.action",
            "Value": "edit",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          {
            "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0",
            "Version": "1"
          },
          {
            "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae",
            "Version": "1"
          }
        ],
        "PolicySetIdReference": [
          {
            "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211",
            "Version": "1"
          },
          {
            "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54",
            "Version": "1.0"
          }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "AssociatedAdvice": {
        "Id": "com.acme.message",
        "AttributeAssignment": [
          {
            "AttributeId": "com.acme.messageContent",
            "Value": "Access denied - insufficient clearance.",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          },
          {
            "AttributeId": "com.acme.user.clearance",
            "Value": "1",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          },
          {
            "AttributeId": "com.acme.record.classification",
            "Value": "2",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          }
        ]
      },
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": {
            "AttributeId": "com.acme.record.recordId",
            "Value": "124",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        },
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": {
            "AttributeId": "com.acme.action",
            "Value": "delete",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          {
            "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0",
            "Version": "1"
          },
          {
            "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae",
            "Version": "1"
          }
        ],
        "PolicySetIdReference": [
          {
            "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211",
            "Version": "1"
          },
          {
            "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54",
            "Version": "1.0"
          }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": {
            "AttributeId": "com.acme.record.recordId",
            "Value": "123",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        },
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": {
            "AttributeId": "com.acme.action",
            "Value": "view",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": {
          "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae",
          "Version": "1"
        },
        "PolicySetIdReference": [
          {
            "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211",
            "Version": "1"
          },
          {
            "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54",
            "Version": "1.0"
          }
        ]
      }
    },
    {
      "Decision": "Deny",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "AssociatedAdvice": {
        "Id": "com.acme.message",
        "AttributeAssignment": [
          {
            "AttributeId": "com.acme.messageContent",
            "Value": "Access denied - insufficient clearance.",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          },
          {
            "AttributeId": "com.acme.user.clearance",
            "Value": "1",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          },
          {
            "AttributeId": "com.acme.record.classification",
            "Value": "2",
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
            "DataType": "http://www.w3.org/2001/XMLSchema#integer"
          }
        ]
      },
      "Category": [
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
          "Attribute": {
            "AttributeId": "com.acme.record.recordId",
            "Value": "124",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        },
        {
          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
          "Attribute": {
            "AttributeId": "com.acme.action",
            "Value": "edit",
            "DataType": "http://www.w3.org/2001/XMLSchema#string"
          }
        }
      ],
      "PolicyIdentifierList": {
        "PolicyIdReference": [
          {
            "Id": "311a93c0-6e4c-47a0-8e05-76feb39f25e0",
            "Version": "1"
          },
          {
            "Id": "c6b75be8-f3cb-4bda-9b63-812a1f7e5fae",
            "Version": "1"
          }
        ],
        "PolicySetIdReference": [
          {
            "Id": "1016337f-f5f8-4ed4-bd4e-9a2be01fa211",
            "Version": "1"
          },
          {
            "Id": "http://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54",
            "Version": "1.0"
          }
        ]
      }
    }
  ]
}

XACML implementations[edit]

Name XACML version Technology License Profiles supported
AuthzForce (OW2) / (GitHub) XACML 3.0 Java Open Source Core, RBAC Profile, Multiple Decision Profile, JSON Profile, REST Profile, Additional Combining Algorithms Profile
Axiomatics Policy Server XACML 3.0 Java, .NET Commercial Core, Multiple Decision Profile, JSON Profile of XACML, Hierarchical Profile of XACML, RBAC profile of XACML, DLP/NAC profile of XACML, Export Control profile of XACML, REST Profile of XACML, ...
Balana XACML 3.0 Java Open Source Core
NextLabs Control Center and CloudAz XACML 3.0 Java, .Net, JavaScript Commercial Core, Multi Decision Profile, JSON Profile, REST Profile, Export Control and Intellectual Property Control Profile of XACML
OpenAZ (Apache Incubator, previously AT&T XACML) XACML 3.0 Java Apache 2 Core, Multiple Decision Profile, JSON Profile of XACML, REST Profile of XACML; retired on August 16, 2016
Oracle Entitlements Server XACML 3.0 Java Commercial Most
Security Policy Tool XACML 2.0 & 3.0 Java Commercial
SunXACML XACML 2.0 Java Open Source Core
ViewDS Access Sentinel XACML 3.0 x-platform C Commercial Core, Multiple Decision Profile, REST Profile, REST/JSON Profile, Hierarchical Resource Profile (partial), SAML2 Profile (partial), Core RBAC Profile, Hierarchical RBAC Profile, DLP/NAC Profile (partial), MAP Authorization Profile, IP Control Profile (partial), EC-US Profile, Privacy Profile

Developer orientation[edit]

In 2013 and 2014, the XACML Technical Committee focused on designing new profiles to facilitate developer integration. These include:

  • The REST profile of XACML written by Remon Sinnema of EMC
  • The JSON profile of XACML written by David Brossard of Axiomatics
  • The ALFA profile of XACML written by Pablo Giambiagi, Srijith Nair, and David Brossard of Axiomatics

All three profiles were showcased at the Cloud Identity Summit 2014 in Monterey, California. Using these profiles, integrating fine-grained authorization into applications becomes much easier.

The ALFA Profile of XACML[edit]

ALFA stands for Abbreviated Language for Authorization. It is a lightweight syntax used to implement policy-based access control policies. For examples refer to the main article.

The JSON Profile of XACML[edit]

The JSON profile of XACML simplifies the integration between the PEP and the PDP.

Sample JSON request[edit]

 {
    "Request": {
        "AccessSubject": {
            "Attribute": [
                {
                    "AttributeId": "com.acme.user.employeeId",
                    "Value": "Alice"
                }
            ]
        },
        "Resource": {
            "Attribute": [
                {
                    "AttributeId": "com.acme.record.recordId",
                    "Value": "123"
                },
                {
                    "AttributeId": "com.acme.object.objectType",
                    "Value": "record"
                }
            ]
        },
        "Action": {
            "Attribute": [
                {
                    "AttributeId": "com.acme.action.actionId",
                    "Value": "view"
                }
            ]
        },
        "Environment": {
            "Attribute": []
        }
    }
 }

Sample JSON response[edit]

 {
  "Response" : {
    "Decision" : "Permit",
    "Status" : {
      "StatusCode" : {
        "Value" : "urn:oasis:names:tc:xacml:1.0:status:ok"
      }
    }
  }
 }

XACML and other standards[edit]

XACML and Open Policy Agent[edit]

Open Policy Agent (OPA) is similar to XACML in that it provides a policy decision point, externalized authorization, and a policy language (REGO). It specializes in infrastructure authorization (e.g. for Kubernetes, Istio...) rather than general-purpose, API-centric, or data-centric which XACML addresses.

XACML and SAML[edit]

Example of cross-enterprise federation where two enterprises federate using SAML and two Security Token Services (STS), establishing a circle of trust. The SAML in this picture is used for identity exchange / virtualization. The XACML is used server-side to determine whether access should be granted to the application functionality (functional access control) and the data behind it (data access control).
Example of cross-enterprise federation where two enterprises federate using SAML and two Security Token Services (STS), establishing a circle of trust. The SAML in this picture is used for identity exchange / virtualization. The XACML is used server-side to determine whether access should be granted to the application functionality (functional access control) and the data behind it (data access control).

SAML is an identity SSO and federation standard used for authentication. SAML is used as a common identity token format between different applications. SAML and XACML are both defined by OASIS. SAML and XACML were designed to interoperate where SAML is used to carry identity information / virtual identities and XACML is used to drive the access control logic through policies.

XACML and OAuth[edit]

OAuth 2.0 is considered to be an authorization standard. It differs from XACML though in its origin, its purpose, and its applications. OAuth is about:

  • delegated access control: I, the user, delegate another user or service access to the resource I own. For instance via OAuth, I grant Twitter (the service) the ability to post on my Facebook wall (the resource).
  • handling the password anti-pattern.[8] Whenever you want to integrate 2 services together, in a traditional, legacy model you have to provide service B with your user credentials on service A so that service B can pretend to be you with Service A. This has many risks of course. Using OAuth eliminates the issues with these patterns and lets the user control what service B can do on behalf of the user with service A.
  • HTTP-based services / resources
  • managing owner (user) approval

XACML does not handle user approval or delegated access or password management. XACML simply provides:

  • An access control architecture with the notion of a Policy Decision Point (PDP) as previously discussed and a Policy Enforcement Point (PEP).
  • a policy language with which to express a wide range of access control policies including policies that can use consents handled / defined via OAuth.

XACML and OAuth can be combined together to deliver a more comprehensive approach to authorization.

See also[edit]

References[edit]

  1. ^ Best, Karl (16 April 2001). "OASIS TC call for participation: XACML". OASIS. Retrieved 31 October 2016.
  2. ^ "pure-xacml". www.axiomatics.com. Retrieved 2016-04-27.
  3. ^ eXtensible Access Control Markup Language (XACML) V3.0 approved as an OASIS Standard, eXtensible Access Control Markup Language (XACML) V3.0 approved as an OASIS Standard.
  4. ^ http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf
  5. ^ http://www.oasis-open.org/committees/xacml/
  6. ^ "Understanding XACML combining algorithms". www.axiomatics.com. Retrieved 2016-04-27.
  7. ^ XACML v3.0 Administrative Policy Version 1.0
  8. ^ "OAuth: How It Works". Ping Identity. Retrieved 2016-05-26.

External links[edit]