100% pure XACML
Solutions from Axiomatics are based on the eXtensible Access Control Markup Language (XACML) OASIS standard. XACML is the only model that offers a standardized way to achieve effective authorization. Authorization decisions determine what a given user or process is allowed to do in a specific context.
Three areas standardized
XACML standardizes three essential aspects of the authorization process:
- XACML policy language – used to express access control rules and conditions. Many rules can be combined into one policy. Many policies and policy sets can be combined into larger policy sets. Flexible combination algorithms determine how rules are joined to capture the exact meaning of corporate policies similar to how the grammar of a natural language allows us to express precise directives.
- XACML request/response protocol – used to query a decisioning engine that evaluates real-world access requests against existing XACML policies. The result, either Permit or Deny, is returned as an XACML response.
- XACML reference architecture – provides a standard for the deployment of necessary software modules to achieve efficient enforcement of XACML policies. At the core, a Policy Decision Point (PDP) evaluates policies against access requests provided by Policy Enforcement Points (PEP). The PDP or PEP may also need to query a Policy Information Point (PIP) to gather descriptive attributes about the user or the information asset to which access is requested. Policies are maintained via a Policy Administration Point (PAP).
What is XACML?
Advantages achieved using XACML
A standardized approach to authorization:
In the past, authorization rules were embedded in the programming code of individual information systems. The definition of access control was therefore done not by business managers but by the technical staff responsible for software configuration or programming. XACML, however, offers a standardized approach that is applied consistently across all applications. The focus is on corporate policies rather than on the technicalities of varying software environments.
An externalized approach to authorization:
The Policy Decision Point (PDP) offers authorization as a service in the infrastructure. Authorization algorithms can be removed from the application logic of individual information systems, which will then query the PDP via their own Policy Enforcement Points (PEP).
An attribute and policy based approach to authorization:
XACML policies introduce abstract logic to replace previous static assignments of user permissions. Instead of an assignment - "Bob can access document X" - a rule may state "any user belonging to company X with security clearance equal to or higher than the security classification of a document should be granted access to that document". To determine whether Bob should be granted access to document X, his security clearance as well as the document's classification need to be gathered. These descriptive pieces of information are called attributes.
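The clearance rule above, evaluated by the components of the reference architecture (PEP, PDP, PIP) with rules joined by a deny-overrides combining algorithm, as an added illustration in Python. This is not Axiomatics' code nor a real XACML engine; the attribute names, subjects, documents and classification levels are constructed for the example.

```python
# Added example (not Axiomatics' code, not a XACML implementation): a tiny PDP that
# evaluates attribute-based rules and combines their results. All data is constructed.
from typing import Any, Dict, List

Attrs = Dict[str, Any]
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Ordered labels so "equal to or higher than" can be compared numerically.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed PIP data: descriptive attributes about subjects and resources.
SUBJECTS = {"bob": {"company": "X", "clearance": "confidential"}}
RESOURCES = {"doc-42": {"company": "X", "classification": "secret"},
             "doc-7": {"company": "X", "classification": "internal"},
             "doc-9": {"company": "Y", "classification": "public"}}

def pip(request: Attrs) -> Attrs:
    """Policy Information Point: enrich the PEP's request with stored attributes."""
    return {"subject": dict(SUBJECTS.get(request["subject-id"], {})),
            "resource": dict(RESOURCES.get(request["resource-id"], {})),
            "action": request["action"]}

def clearance_rule(ctx: Attrs) -> str:
    """Permit a read when the subject belongs to the document's company and is cleared."""
    s, r = ctx["subject"], ctx["resource"]
    try:
        if (ctx["action"] == "read" and s["company"] == r["company"]
                and LEVELS[s["clearance"]] >= LEVELS[r["classification"]]):
            return PERMIT
    except KeyError:
        pass  # a required attribute is missing, so this rule does not apply
    return NOT_APPLICABLE

def foreign_company_rule(ctx: Attrs) -> str:
    """Deny any access across company boundaries (also when the company is unknown)."""
    if ctx["subject"].get("company") != ctx["resource"].get("company"):
        return DENY
    return NOT_APPLICABLE

def deny_overrides(results: List[str]) -> str:
    """Combining algorithm: one Deny wins; otherwise Permit if any rule permits."""
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE

POLICY = [clearance_rule, foreign_company_rule]

def pdp_decide(request: Attrs) -> str:
    """Policy Decision Point: evaluate every rule of the policy and combine."""
    ctx = pip(request)
    return deny_overrides([rule(ctx) for rule in POLICY])

def pep_allows(request: Attrs) -> bool:
    """Policy Enforcement Point: only an explicit Permit grants access."""
    return pdp_decide(request) == PERMIT
```

Note that a request no rule covers yields NotApplicable rather than Deny, which is why the PEP treats anything other than Permit as a refusal.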
X for eXtensible - using XACML profiles
The X in XACML stands for eXtensible, and one way to extend XACML-based authorization is to use XACML profiles. A profile can extend the functionality of a policy server in a number of ways: this can be as simple as the addition of a classification or terminology from an existing standardized domain, or it can include more advanced features such as new data types or user-defined functions. Axiomatics products conform with all XACML 2.0 and XACML 3.0 profiles. Below you can find a sample of profiles and their related objectives:
- Core and hierarchical Role Based Access Control (RBAC) profile of XACML v2.0. This profile simplifies alignment with the concepts of RBAC. The profile meets the requirements for "core" and "hierarchical" RBAC as specified in the ANSI-RBAC standard. For details, see the XACML Specification Document for the RBAC profile.
- Hierarchical resource profile of XACML v2.0
- Multiple resource profile of XACML v2.0
- SAML 2.0 profile of XACML v2.0 (see errata below for corrected version of spec and schemas)
- XML Digital Signature profile of XACML v2.0
The standard itself is maintained by OASIS and published on the OASIS eXtensible Access Control Markup Language (XACML) TC web site.