eXtensible Access Control Markup Language (XACML)

eXtensible Access Control Markup Language (XACML) is a standard developed by leading security experts as part of the Organization for the Advancement of Structured Information Standards (OASIS). It is currently in its third generation.

XACML remains the only standardized way to dynamically enforce authorization by externalizing access controls from applications and databases and using business policies, an approach also referred to as attribute-based access control (ABAC), to govern who can access which data under multiple, fine-grained conditions. At its core, it consists of a standard language, a request/response protocol, and a reference architecture.

The XACML 3.0 OASIS Standard states: “If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems. Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving, and enforcing policy.”

The advantages of using XACML

Using XACML offers many advantages to enterprises and large organizations that require a standardized way to securely share assets while meeting and proving compliance.

  • Centrally managed system: With one central repository for all XACML policies, XACML standardizes authorization to deliver unrivaled control of assets across the enterprise at every point of access, whether it’s via an application programming interface (API), microservices, app, portal, web service or database.
  • Avoid vendor lock-in: Using a standards-based language as opposed to a proprietary system enables more flexibility among developers and avoids vendor lock-in.
  • Security you can trust: The XACML policy standard has been developed collaboratively and implemented by leading IT security experts at some of the world’s leading companies. It meets the highest security standards.
  • Simplified policy creation: To simplify policy writing in XACML, JSON scripts are used. This lightweight data-interchange format is easy for humans to read and write and easy for machines to parse and generate.

The XACML architecture

The XACML architecture is made up of five key software modules that work in unison to enforce standardized run-time authorization at any and every access request point.

Policy administration point (PAP)

The policy administration point is the point of policy authorship. Once a user has written, edited, or updated a policy in plain language, the PAP automatically converts it to machine-readable, standards-based XACML code for administration and enforcement by the system.

Policy information point (PIP)

The policy information point is a powerful system that calls out to the different attribute directories and third-party services at run-time for the policy decision point to establish if the request meets a policy’s specifications. These so-called attribute values include the resource, source, environment, etc.

Policy retrieval point (PRP)

The policy retrieval point is the storage point of the XACML access authorization policies. This is most commonly a filesystem or database.

Policy decision point (PDP)

The policy decision point evaluates the request, based on what’s written in a policy, and makes a decision – typically Permit or Deny access. The XACML PDP then informs the PEP of the decision.

Policy enforcement point (PEP)

The policy enforcement point both receives the access request and enforces the Permit or Deny decision from the XACML PDP at run-time.

The XACML authorization flow

  • A user makes an access request which is intercepted by the PEP and converted into XACML.
  • The PDP queries the PIP and PRP to determine whether or not the attribute values and policies are aligned.
  • The PDP then decides to permit or deny access and sends the response to the PEP.
  • The PEP enforces the decision.

XACML policy language structure and syntax

The XACML policy language is made up of several key elements that enable fine-grained authorization to be implemented across different deployment models, i.e., cloud, on-premises, and hosted environments.

  • Rule: A rule is a basic component of a policy. As such it delivers the desired effect of the policy – permit or deny. A rule can contain a target, a condition, advice, or a set of obligations.
  • Policy: A policy consists of one or more rules, a rule-combining algorithm, and optional obligations and advice. The policy is the basis on which the XACML PDP makes its decision.
  • Policy set: A policy set is a group of policies, which can be located in various locations. Policy sets include policies, a policy-combining algorithm, optional obligations, and advice.
  • Target: A target enables the XACML PDP to verify which policy or rules apply to a certain request. Target statements act as definers for relevant attributes for the rule, policy, or policy set.
  • Conditions: Conditions are part of a rule and compare attribute values, evaluating to “True”, “False” or “Indeterminate”. In the XACML example below, you can see the role of a condition when checking if a subject’s username is the same as a resource’s owner attribute.
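
The authorization flow and the owner condition described above, as an added example that is not part of the original page or any vendor's product code: a constructed XACML 3.0 rule evaluated by a minimal PDP, with a deny-biased PEP that grants access only on an explicit Permit. The rule ID, the "owner" attribute ID, the dictionary standing in for the PIP, and the function names are assumptions, and only the two XACML functions the rule uses are implemented.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
TAG = "{" + XACML + "}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
              "urn:oasis:names:tc:xacml:1.0:subject:subject-id")
OWNER = ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "owner")  # assumed id

# Constructed rule, as a PRP would store it: Permit when subject-id equals the resource owner.
RULE = f"""<Rule xmlns="{XACML}" RuleId="owner-access" Effect="Permit">
 <Condition>
  <Apply FunctionId="{FN}string-equal">
   <Apply FunctionId="{FN}string-one-and-only"><AttributeDesignator Category="{SUBJECT_ID[0]}"
     AttributeId="{SUBJECT_ID[1]}" DataType="{STR}" MustBePresent="false"/></Apply>
   <Apply FunctionId="{FN}string-one-and-only"><AttributeDesignator Category="{OWNER[0]}"
     AttributeId="{OWNER[1]}" DataType="{STR}" MustBePresent="false"/></Apply>
  </Apply>
 </Condition>
</Rule>"""

class Indeterminate(Exception):
    """An expression could not be evaluated."""

def evaluate(node, pip):
    """Evaluate an Apply/AttributeDesignator; pip maps (category, id) to a bag of values."""
    if node.tag == TAG + "AttributeDesignator":
        return pip.get((node.get("Category"), node.get("AttributeId")), [])
    fn, args = node.get("FunctionId"), [evaluate(child, pip) for child in node]
    if fn == FN + "string-one-and-only":
        if len(args[0]) != 1:  # empty or multi-valued bag is an error, not False
            raise Indeterminate(fn)
        return args[0][0]
    if fn == FN + "string-equal":
        return args[0] == args[1]
    raise Indeterminate(f"unsupported function {fn}")

def pdp_decide(rule_xml, pip):
    rule = ET.fromstring(rule_xml)
    try:
        matched = evaluate(rule.find(TAG + "Condition")[0], pip)
    except Indeterminate:
        return "Indeterminate"
    return rule.get("Effect") if matched else "NotApplicable"

def pep_enforce(decision):
    """Deny-biased PEP: anything other than an explicit Permit is refused."""
    return decision == "Permit"
```

Calling `pdp_decide(RULE, {SUBJECT_ID: ["alice"], OWNER: ["alice"]})` yields Permit; a resource with no owner attribute yields Indeterminate rather than a silent False, which the PEP treats as a refusal.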

Axiomatics and XACML

Axiomatics has leveraged XACML to create Abbreviated Language for Authorization (ALFA), which provides a user-friendly and expressive language for defining attribute-based access control policies. By abstracting away the complexities of raw XACML, ALFA enables policy authors to create and maintain authorization policies more efficiently. Its integration with XACML ensures compatibility with existing systems while offering a more intuitive authoring experience.

Axiomatics’ Orchestrated Authorization solution enables enterprises to create a flexible, scalable policy-driven authorization deployment that includes ALFA.

