eXtensible Access Control Markup Language (XACML)
What is XACML?
The eXtensible Access Control Markup Language (XACML) is a standard developed by leading security experts as part of the Organization for the Advancement of Structured Information Standards (OASIS). It is currently in its third generation.
The eXtensible Access Control Markup Language remains the only standardized way to dynamically enforce authorization by externalizing access controls from applications and databases and using business policies (an approach also referred to as Attribute Based Access Control, ABAC) to govern who can access which data under multiple, fine-grained conditions. At its core, it consists of a standard policy language, a request/response protocol, and a reference architecture.
In the XACML 3.0 OASIS Standard, it is stated that: “If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems. Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving, and enforcing policy.”
The advantages of using XACML
Using XACML offers many advantages to enterprises and large organizations that require a standardized way to securely share assets, while meeting and proving compliance.
Centrally managed system
With one central repository for all XACML policies, XACML standardizes authorization to deliver unrivaled control of assets across the enterprise at every point of access, whether it’s via an API, microservices, app, portal, webservice or database.
Avoid vendor lock-in
Using a standards-based language as opposed to a proprietary system enables more flexibility among developers and avoids vendor lock-in.
Security you can trust
The XACML policy standard has been developed collaboratively and implemented by leading IT security experts at some of the world’s leading companies. It meets the highest security standards.
Simplified policy creation
To simplify policy writing in XACML, JSON scripts are used. This lightweight data-interchange format is easy for humans to read and write and easy for machines to parse and generate.
The XACML architecture
The XACML architecture is made up of five key software modules that work in unison to enforce standardized run-time authorization at any and every access request point.
Policy Administration Point (PAP)
The Policy Administration Point is the point of policy authorship. Once a user has written or edited a policy in plain language, the PAP automatically converts it to machine-readable, standards-based XACML code for administration and enforcement by the system.
Policy Information Point (PIP)
The Policy Information Point calls out to the different attribute directories and third-party services at run time so that the Policy Decision Point can establish whether the request meets a policy’s specifications. These attribute values include the resource, source, environment, etc.
Policy Retrieval Point (PRP)
The Policy Retrieval Point is the storage point of the XACML access authorization policies. This is most commonly a filesystem or database.
Policy Decision Point (PDP)
The Policy Decision Point evaluates the request, based on what’s written in a policy, and makes a decision – typically Permit or Deny access. The XACML PDP then informs the PEP of the decision.
Policy Enforcement Point (PEP)
The Policy Enforcement Point both receives the access request and enforces the XACML PDP’s Permit or Deny decision at run time.
The XACML authorization flow
- A user makes an access request which is intercepted by the Policy Enforcement Point (PEP) and converted into XACML.
- The Policy Decision Point (PDP) queries the Policy Information Point (PIP) and the Policy Retrieval Point (PRP) to determine whether the attribute values and policies are aligned.
- The Policy Decision Point (PDP) then takes a decision to permit or deny access and sends the response to the Policy Enforcement Point (PEP).
- The Policy Enforcement Point (PEP) enforces the decision.
XACML policy language structure and syntax
The XACML policy language is made up of a number of key elements that enable fine-grained authorization to be implemented across different deployment models, i.e., cloud, on-premises, and hosted environments. Read more about XACML Policy Language Structure and Syntax.
A rule is the basic component of a policy. As such, it delivers the desired effect of the policy: Permit or Deny. A rule can contain a target, a condition, advice, or a set of obligations.
A policy consists of one rule or a set of rules, a rule-combining algorithm, and optional obligations and advice. The policy is the foundation on which the XACML PDP operates.
A policy set is a group of policies, which can be located in various locations. Policy sets include policies, a policy-combining algorithm, and optional obligations and advice.
A target enables the XACML PDP to identify which policy or rules apply to a certain request. Target statements define the attributes that are relevant to the rule, policy, or policy set.
Conditions are part of a rule and compare attribute values; a condition evaluates to “True”, “False” or “Indeterminate”. In the XACML example below, you can see the role of a condition when checking if a subject’s username is the same as a resource’s owner attribute.
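The four-step authorization flow described earlier and the rule, policy, policy set, target and condition structure just outlined can be seen working together in the following Python model. It is an added example written for this page, not code from the XACML standard or from any XACML product: the attribute ids (username, action-id, resource-id, resource-type, owner), the in-memory stand-ins for the PIP and the PRP, and the medical-records sample policy are all constructed assumptions. The condition in the `owner-can-read` rule is the check the last paragraph describes, comparing the subject’s username with the resource’s owner attribute, which the PIP supplies at run time; the PEP is deny-biased, so a NotApplicable or Indeterminate decision blocks access just as a Deny does.

```python
"""Toy XACML-style PEP/PDP/PIP model, constructed for illustration: the names,
attribute ids and the sample policy are assumptions, not the XACML schema."""
from dataclasses import dataclass
from typing import Callable, List, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

class MissingAttribute(Exception):
    """An attribute neither the request nor the PIP could supply."""

def attr(request: dict, category: str, attr_id: str) -> str:
    """Read one request attribute; a missing one makes the evaluation Indeterminate."""
    try:
        return request[category][attr_id]
    except KeyError:
        raise MissingAttribute(f"{category}/{attr_id}") from None

def check(pred: Optional[Callable], request: dict) -> Optional[bool]:
    """Evaluate a target or condition: True/False, or None for Indeterminate."""
    try:
        return True if pred is None else bool(pred(request))
    except MissingAttribute:
        return None

@dataclass
class Rule:
    rule_id: str
    effect: str                           # PERMIT or DENY
    target: Optional[Callable] = None     # which requests the rule applies to
    condition: Optional[Callable] = None  # finer comparison of attribute values

    def evaluate(self, request: dict) -> str:
        for pred in (self.target, self.condition):
            outcome = check(pred, request)
            if outcome is not True:
                return INDETERMINATE if outcome is None else NOT_APPLICABLE
        return self.effect

@dataclass
class Policy:
    """Policies combine rules and policy sets combine policies; one class models both."""
    policy_id: str
    children: list
    combining: Callable[[List[str]], str]  # rule- or policy-combining algorithm
    target: Optional[Callable] = None

    def evaluate(self, request: dict) -> str:
        outcome = check(self.target, request)
        if outcome is not True:
            return INDETERMINATE if outcome is None else NOT_APPLICABLE
        return self.combining([child.evaluate(request) for child in self.children])

def deny_overrides(decisions: List[str]) -> str:
    """Any Deny wins; Indeterminate is not masked by Permit (simplified from XACML 3.0)."""
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

class PIP:
    """Policy Information Point: an in-memory owner table stands in for the directory."""
    def __init__(self, resource_owners: dict):
        self.resource_owners = resource_owners

    def enrich(self, request: dict) -> dict:
        """Add resource/owner looked up by resource-id; unknown ids stay unresolved."""
        owner = self.resource_owners.get(request.get("resource", {}).get("resource-id"))
        if owner is not None:
            request.setdefault("resource", {})["owner"] = owner
        return request

class PDP:
    """Policy Decision Point: evaluates the root policy set fetched from the PRP
    (an in-memory object here, standing in for the policy store) using the PIP."""
    def __init__(self, prp_root: Policy, pip: PIP):
        self.prp_root, self.pip = prp_root, pip

    def decide(self, request: dict) -> str:
        return self.prp_root.evaluate(self.pip.enrich(request))

def pep_authorize(pdp: PDP, username: str, action: str, resource_id: str, resource_type: str):
    """Policy Enforcement Point: builds the request (category -> attribute-id -> value)
    and enforces deny-biased, so NotApplicable and Indeterminate block access like Deny."""
    request = {"subject": {"username": username}, "action": {"action-id": action},
               "resource": {"resource-id": resource_id, "resource-type": resource_type}}
    decision = pdp.decide(request)
    return decision == PERMIT, decision

# Constructed sample: owners may read their own medical records; nobody may delete them.
RECORDS_POLICY = Policy(
    policy_id="medical-records", combining=deny_overrides,
    target=lambda r: attr(r, "resource", "resource-type") == "medical-record",
    children=[
        Rule("owner-can-read", PERMIT, target=lambda r: attr(r, "action", "action-id") == "read",
             condition=lambda r: attr(r, "subject", "username") == attr(r, "resource", "owner")),
        Rule("no-deletes", DENY, target=lambda r: attr(r, "action", "action-id") == "delete"),
    ])
ROOT_POLICY_SET = Policy(policy_id="root", children=[RECORDS_POLICY], combining=deny_overrides)
SAMPLE_PDP = PDP(ROOT_POLICY_SET, PIP({"rec-1": "alice"}))  # the PIP knows rec-1 belongs to alice
```

Calling `pep_authorize(SAMPLE_PDP, "alice", "read", "rec-1", "medical-record")` yields `(True, "Permit")`, while the same request for `rec-9` yields `(False, "Indeterminate")` because the PIP has no owner for that record and the condition cannot be evaluated. A PEP that only blocked on an explicit Deny would let that request through, which is why the enforcement point grants access on Permit alone.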