What is an XACML Policy Reference?
XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute-Based Access Control (ABAC). XACML uses attributes inside policies to convey authorization statements. Policy authoring can be an art form and we won’t be getting into every aspect of policy authoring in this article. For a brief overview of what a policy is, check out this Axiomatics article.
I’m often asked “Why would I use a policy reference when writing a policy?” There are several reasons why but if I answer them all here I’ll quickly run out of topics for future “Question of the Week” articles. For now let’s start with explaining what a policy reference is.
The definition of a XACML policy reference can be found in the XACML core specification (the PolicySetIdReference and PolicyIdReference elements).
In layman’s terms a policy reference is a pointer to another policy set or policy object. Some of the reasons to use a policy reference are:
- Provide structure and organization
- Make a large policy easier to work with
- Reuse common components at various points within a policy package
- Enable collaborative policy authoring
Example
Below is an example of policy references generated by the Axiomatics Policy Editor. In this screenshot, we have a parent policy set (Main) which contains 2 policy sets (Internal Applications and External Applications). The Internal Applications policy set is expanded and contains 3 policy references.
Policy references can point to policies and policy sets in the same tree or in a separate tree/file.
If we take a look at the Human Resources policy set, we will find a complete policy structure of all the policies and rules needed to support the applications for Human Resources.
XACML XML Representation
The raw XML of the main.xml policy above contains a PolicySetIdReference to a policy set with an ID of b11d213a251446d6ad6b295ff8532574. This is a reference to the Human Resources policy set.
<xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" PolicySetId="https://axiomatics.com/automaticuniqueid/5cc1339520bd48b3a56b68b1c26c3e54" Version="1.0" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml3:Description>Main</xacml3:Description>
  <xacml3:PolicySetDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicySetDefaults>
  <xacml3:Target/>
  <xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" Version="1" PolicySetId="19c845850dc5410c98c860c9c38b539e">
    <xacml3:Description>Internal Applications</xacml3:Description>
    <xacml3:PolicySetDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicySetDefaults>
    <xacml3:Target/>
    <xacml3:PolicySetIdReference>7e54ee6f8887425790a36f86fcf7cecf</xacml3:PolicySetIdReference>
    <xacml3:PolicySetIdReference>b11d213a251446d6ad6b295ff8532574</xacml3:PolicySetIdReference>
    <xacml3:PolicySetIdReference>719eee468f214359ac7f86ef895984f9</xacml3:PolicySetIdReference>
  </xacml3:PolicySet>
  <xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" Version="1" PolicySetId="c2db3645ab0146699c37b8b966eaa746">
    <xacml3:Description>External Applications</xacml3:Description>
    <xacml3:PolicySetDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicySetDefaults>
    <xacml3:Target/>
    <xacml3:PolicySetIdReference>1c3cc12f041940fc8340603dc6f2fe2e</xacml3:PolicySetIdReference>
    <xacml3:PolicySetIdReference>caf96db021064e519998c639ebf47d7d</xacml3:PolicySetIdReference>
    <xacml3:PolicySetIdReference>ca6f0f32a5554799944680827cfb14e7</xacml3:PolicySetIdReference>
  </xacml3:PolicySet>
</xacml3:PolicySet>
The main policy XML
Now if we look at Human Resources.xml we will see that it has a PolicySetId of “b11d213a251446d6ad6b295ff8532574”, which matches the reference in main.xml.
<xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" PolicySetId="b11d213a251446d6ad6b295ff8532574" Version="1" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml3:Description>Human Resources Policy set</xacml3:Description>
  <xacml3:PolicySetDefaults>
The referenced Human Resources policy XML (excerpt)
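The link between main.xml and Human Resources.xml above is only as good as the IDs on both ends: a PolicySetIdReference whose target the PDP cannot locate leaves that branch unevaluable, an ID defined in two files makes the target ambiguous, and a chain of references that loops back on itself never terminates. The following script is an added example, not part of the original article and not Axiomatics tooling. It loads a set of XACML 3.0 documents, indexes every PolicySetId and PolicyId, and reports dangling references, duplicate IDs and reference cycles. The two embedded documents, their IDs (hr-example, missing-example and so on) and the deliberately inserted back-reference from the HR policy set to main are all constructed for this example and merely echo the structure shown above.

```python
"""Resolve XACML 3.0 PolicySetIdReference / PolicyIdReference elements across a
set of policy documents and report references that do not resolve, IDs that are
defined more than once, and reference cycles.

Both documents below are constructed for this example; the IDs are placeholders
in the style of the article, not values from any real policy store.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
X = "{%s}" % XACML_NS  # ElementTree's Clark-notation prefix for the namespace

# Constructed sample: a main file with a nested policy set that references two
# other policy sets (one of which is defined nowhere) and one shared policy.
MAIN_XML = """<xacml3:PolicySet xmlns:xacml3="%s"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
  PolicySetId="main-example" Version="1">
  <xacml3:Target/>
  <xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
    PolicySetId="internal-apps-example" Version="1">
    <xacml3:Target/>
    <xacml3:PolicySetIdReference>hr-example</xacml3:PolicySetIdReference>
    <xacml3:PolicySetIdReference>missing-example</xacml3:PolicySetIdReference>
    <xacml3:PolicyIdReference>check-time-example</xacml3:PolicyIdReference>
  </xacml3:PolicySet>
</xacml3:PolicySet>""" % XACML_NS

# Constructed sample: the referenced HR policy set. It defines the shared policy
# and, to exercise cycle detection, references the main policy set back.
HR_XML = """<xacml3:PolicySet xmlns:xacml3="%s"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
  PolicySetId="hr-example" Version="1">
  <xacml3:Target/>
  <xacml3:PolicyIdReference>check-time-example</xacml3:PolicyIdReference>
  <xacml3:PolicySetIdReference>main-example</xacml3:PolicySetIdReference>
  <xacml3:Policy PolicyId="check-time-example" Version="1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <xacml3:Target/>
  </xacml3:Policy>
</xacml3:PolicySet>""" % XACML_NS

DOCS = [MAIN_XML, HR_XML]

REF_TAGS = (X + "PolicySetIdReference", X + "PolicyIdReference")


def index_documents(docs: List[str]) -> Tuple[Dict[str, ET.Element], Dict[str, int]]:
    """Map every PolicySetId / PolicyId to its element and count how often each
    ID is defined (an ID defined twice makes a reference ambiguous)."""
    defs: Dict[str, ET.Element] = {}
    counts: Dict[str, int] = {}
    for doc in docs:
        for el in ET.fromstring(doc).iter():
            if el.tag == X + "PolicySet":
                pid = el.get("PolicySetId") or ""
            elif el.tag == X + "Policy":
                pid = el.get("PolicyId") or ""
            else:
                continue
            counts[pid] = counts.get(pid, 0) + 1
            defs.setdefault(pid, el)
    return defs, counts


def direct_references(el: ET.Element) -> List[str]:
    """Reference elements that are direct children of this policy set
    (references belonging to nested policy sets are handled when those are visited)."""
    return [(c.text or "").strip() for c in el if c.tag in REF_TAGS]


def children_and_references(el: ET.Element) -> List[str]:
    """Outgoing edges: contained PolicySet/Policy elements plus references."""
    out: List[str] = []
    for c in el:
        if c.tag == X + "PolicySet":
            out.append(c.get("PolicySetId") or "")
        elif c.tag == X + "Policy":
            out.append(c.get("PolicyId") or "")
        elif c.tag in REF_TAGS:
            out.append((c.text or "").strip())
    return out


def dangling_references(docs: List[str]) -> List[str]:
    """IDs that are referenced somewhere but defined in none of the documents."""
    defs, _ = index_documents(docs)
    missing: Set[str] = set()
    for el in defs.values():
        missing.update(r for r in direct_references(el) if r not in defs)
    return sorted(missing)


def duplicate_ids(docs: List[str]) -> List[str]:
    """IDs defined more than once across the document set."""
    _, counts = index_documents(docs)
    return sorted(i for i, n in counts.items() if n > 1)


def find_cycle(docs: List[str], root_id: str) -> List[str]:
    """Depth-first walk from root_id over containment and reference edges.
    Returns the first cycle found as a list of IDs (first == last), else []."""
    defs, _ = index_documents(docs)

    def visit(node: str, path: List[str], done: Set[str]) -> List[str]:
        if node in path:                      # back edge: cycle closed
            return path[path.index(node):] + [node]
        if node in done or node not in defs:  # already cleared, or dangling
            return []
        path.append(node)
        for nxt in children_and_references(defs[node]):
            cycle = visit(nxt, path, done)
            if cycle:
                return cycle
        path.pop()
        done.add(node)
        return []

    return visit(root_id, [], set())


if __name__ == "__main__":
    print("dangling:", dangling_references(DOCS))
    print("duplicates:", duplicate_ids(DOCS))
    print("cycle from main-example:", find_cycle(DOCS, "main-example"))
```

Run against a real policy package, the three checks are the ones worth wiring into a pre-deployment step: a dangling reference and a duplicate ID are both authoring mistakes that only surface at evaluation time, and the cycle check catches a reference that points back up the tree, which the editor's tree view does not make obvious when the target lives in another file.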
XACML Representation in ALFA
In the ALFA example below, we have a main policy which contains 2 branches: one about documents and the other about contracts. Each branch references / links to a common policy called checkTime.
/** The main policy */
policyset main {
    apply firstApplicable

    policy documents {
        apply firstApplicable
        /** Reference (link) to common policy */
        checkTime
        rule managersCanViewDocuments {
            permit
        }
    }

    policy contracts {
        apply firstApplicable
        /** Reference (link) to common policy */
        checkTime
        rule tellersCanEditContracts {
            permit
        }
    }
}

/** A common policy that will be reused across multiple locations */
policy checkTime {
    apply firstApplicable
}
Linking to policies inside the same file / tree
A policy reference does not need to point to a policy that exists in a separate file or policy tree. A reference can be to other policies contained in the same tree, as illustrated below.
Reference to another policy within the same policy file
Conclusion
XACML policy references are essentially pointers to other policies which are used to:
- Provide structure and organization
- Make a large policy easier to work with
- Reuse common components at various points within a policy package
- Enable collaborative policy authoring
If you’ve ever worked with a large policy and wondered “there must be an easier way!”, know you have your answer: use a policy reference. Not only can policy references make managing a large policy easier, but they are fun to use. If you haven’t tried using a policy reference, it’s time you joined in on the fun and gave them a try.