The eXtensible Access Control Markup Language (XACML) is a standard developed by leading security experts as part of the Organization for the Advancement of Structured Information Standards (OASIS). It is currently in its third generation.
The eXtensible Access Control Markup Language remains the only standardized way to dynamically enforce authorization by externalizing access controls from applications and databases and using business policies – in what is also referred to as Attribute Based Access Control (ABAC) to govern who can access which data under multiple, fine-grained conditions. At its core, it consists of a standard language, response/request protocol, and reference architecture.
In the XACML 3.0 Oasis Standard, it is stated that; “If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems. Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving, and enforcing policy.”Discover 100% Pure XACML
Using XACML offers many advantages to enterprises and large organizations that require a standardized way to securely share assets, while meeting and proving compliance.
With one central repository for all XACML policies, XACML standardizes authorization to deliver unrivaled control of assets across the enterprise at every point of access, whether it’s via an API, microservices, app, portal, webservice or database.
Using a standards-based language as opposed to a proprietary system enables more flexibility among developers and avoids vendor lock-in.
The XACML policy standard has been developed collaboratively and implemented by leading IT security experts at some of the world’s leading companies. It meets the highest security standards.
To simplify policy writing in XACML JSON scripts are used. The lightweight data-interchange format is easy for humans to read and write and easy for machines to parse and generate.
The XACML architecture is made up of five key software modules that work in unison to enforced standardized run-time authorization at any and every access request point.
The Policy Administration Point is the point of policy authorship. Once a user has written or edited/updated a policy in plain language, the PAP automatically converts it to machine-readable, standards-based XAML code for administration and enforcement by the system.
The Policy Information Point is a powerful system that calls out to the different attribute directories and third-party services at run-time in order for the Policy Decision Point to establish if the request meets a policy’s specifications. These so-called attribute values including the resource, source, environment, etc.
The Policy Retrieval Point is the storage point of the XACML access authorization policies. This is most commonly a filesystem or database.
The Policy Decision Point evaluates the request, based on what’s written in a policy, and makes a decision – typically Permit or Deny access. The XACML PDP then informs the PEP of the decision.
The Policy Enforcement Point, both receives the access request and enforces the decision of permit or deny from the XACML PDP in run-time.
The XACML policy language is made up of a number of key elements that enable fine-grained authorization to be implemented across different deployment models, i.e., cloud, on-premises, and hosted environments. Read more about XACML Policy Language Structure and Syntax.
A rule is a basic component of a policy. As such it delivers the desired effect of the policy – permit or deny. A rule can contain a target, a condition, an advice, or a set of obligations.
A policy consists of one or a set of rules, a rule-confirming algorithm as well as optional obligations and an advice. The policy is the foundation from which the XACML PDP can perform.
A policy set is a group of policies, which can be located in various locations. Policy sets include policies, a policy-combining algorithm, optional obligations and an advice.
A target enables the XACML PDP to verify which policy or rules apply for a certain request. Target statements act as definers for relevant attributes for the rule, policy, or policy set.
Conditions are part of a rule and can compare attribute values, to evaluate if an attribute is “True”, “False” or “Indeterminate”. In the XACML example below, you can see the role of a condition when checking if a subject’s username is the same as a resource’s owner attribute.
See how Axiomatics enables you to balance the demands of your security team and your business users with the authorization solution that our customers love.
In the meantime, check out this example demo...Book a full demo