XACML
XACML stands for eXtensible Access Control Markup Language. The standard defines a declarative access control policy language implemented in XML, and a processing model describing how to evaluate authorization requests according to the rules defined in policies.

As a published standard specification, one of the goals of XACML is to promote common terminology and interoperability between authorization implementations by multiple vendors. XACML is primarily an attribute-based access control (ABAC) system, where attributes (bits of data) associated with a user, action or resource are inputs into the decision of whether a given user may access a given resource in a particular way. Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.

The XACML model supports and encourages the separation of the authorization decision from the point of use. When authorization decisions are baked into client applications (or based on local machine user IDs and Access Control Lists (ACLs)), it is very difficult to update the decision criteria when the governing policy changes. When the client is decoupled from the authorization decision, authorization policies can be updated on the fly and affect all clients immediately.
The latest version, 3.0, was ratified by the OASIS standards organization in August 2010.

The first committee draft of XACML 3.0 was released April 16, 2009.

The first version of administrative policy profile working draft was publicly released on April 1, 2009.

Terminology

Non-normative terminology (following RFC 2904, except for PAP):

  Term  Description
  PAP   Policy Administration Point - the point which manages policies.
  PDP   Policy Decision Point - the point which evaluates requests against policies and issues authorization decisions.
  PEP   Policy Enforcement Point - the point which intercepts a user's access request to a resource and enforces the PDP's decision.
  PIP   Policy Information Point - the point which can provide external information to a PDP, such as LDAP attribute information.

Policy Elements

XACML is structured into 3 levels of elements:
  • PolicySet,
  • Policy, and
  • Rule.

All 3 elements can contain Target elements. PolicySet elements can contain PolicySet and Policy. Policy can contain Rule.
See http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf for more details.

Policies are defined with a collection of Rules. Both Rules and Requests use Subjects, Resources and Actions.
  • A Subject element is the entity requesting access. A Subject has one or more Attributes.
  • The Resource element is a data, service or system component. A Resource has a single Attribute.
  • An Action element defines the type of access requested on the Resource. Actions have one or more Attributes.
  • An Environment element can optionally provide additional information.

Obligations

Within XACML, a concept called obligations can be used. An obligation is a directive from the Policy Decision Point (PDP) to the Policy Enforcement Point (PEP) on what must be carried out before or after an access is granted. If the PEP is unable to comply with the directive, the granted access may or must not be realized. The augmentation of obligations eliminates a gap between formal requirements and policy enforcement. An example of an obligation could look like this:

Access control rule:
Allow access to resource MedicalJournal with attribute patientID=x
if Subject match DesignatedDoctorOfPatient
and action is read
with obligation
on Permit: doLog_Inform(patientID, Subject, time)
on Deny : doLog_UnauthorizedLogin(patientID, Subject, time)

XACML obligations can be an effective way to meet formal requirements (non-repudiation, for example) that are hard to express as access control rules. Furthermore, such formal requirements become part of the access control policy as obligations rather than separate functions, which keeps policies consistent and makes centralization of the IT environment easier to achieve.
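The Policy, Rule, Target and Obligation elements above, and the MedicalJournal rule with its two obligations, as an added example that is not part of the original article. It is a simplified illustrative model in Python, not a conforming XACML 3.0 engine; the attribute names (patientID, designatedPatients, id, time) and the first-applicable combining of rules are assumptions. The PEP realizes access only on Permit and only when it can fulfil every obligation the PDP returns.

```python
# Added example: XACML Policy / Rule / Target / Obligation elements as a tiny PDP plus PEP
# (simplified illustrative model, not a conforming XACML 3.0 engine).
from dataclasses import dataclass, field
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Target:
    matches: dict                      # {category: {attribute: value}}; {} matches everything
    def applies(self, req):
        return all(req.get(cat, {}).get(attr) == val
                   for cat, attrs in self.matches.items()
                   for attr, val in attrs.items())

@dataclass
class Rule:
    target: Target
    effect: str                        # PERMIT or DENY
    condition: callable = lambda req: True   # boolean expression over request attributes
    def evaluate(self, req):
        applicable = self.target.applies(req) and self.condition(req)
        return self.effect if applicable else NOT_APPLICABLE

@dataclass
class Policy:
    rules: list
    obligations: list = field(default_factory=list)   # (id, FulfillOn, attribute pairs)
    def evaluate(self, req):           # PDP: first-applicable rule combining
        decision = next((d for d in (r.evaluate(req) for r in self.rules)
                         if d != NOT_APPLICABLE), NOT_APPLICABLE)
        due = [(oid, {a: req.get(c, {}).get(a) for c, a in attrs})
               for oid, fulfill_on, attrs in self.obligations if fulfill_on == decision]
        return decision, due

def enforce(policy, req, handlers, audit):  # PEP: access only on Permit with obligations met
    decision, due = policy.evaluate(req)
    if any(oid not in handlers for oid, _ in due):
        return False                   # cannot comply with the directive -> access not realized
    for oid, args in due:
        audit.append(handlers[oid](args))
    return decision == PERMIT

# The MedicalJournal rule from the text, expressed with the model above (assumed attribute names).
JOURNAL = Target({"resource": {"type": "MedicalJournal"}, "action": {"id": "read"}})
LOG_ARGS = (("resource", "patientID"), ("subject", "id"), ("environment", "time"))
MEDICAL_POLICY = Policy(
    rules=[Rule(JOURNAL, PERMIT, lambda r: r["resource"]["patientID"]   # DesignatedDoctorOfPatient
                in r["subject"].get("designatedPatients", ())),
           Rule(JOURNAL, DENY)],                                        # anyone else reading
    obligations=[("doLog_Inform", PERMIT, LOG_ARGS),                   # on Permit
                 ("doLog_UnauthorizedLogin", DENY, LOG_ARGS)])         # on Deny
```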

Delegation

The implementation of delegation is new in XACML 3.0. The delegation mechanism is used to support decentralized administration of access policies. It allows an authority (the delegator) to delegate all or part of its own authority, or someone else's authority, to another user (the delegate) without needing to modify the root policy.

This is because, in this delegation model, the delegation rights are separated from the access rights. These are instead referred to as administrative control policies. Access control and administrative policies work together as in the following scenario:

The many services of a partnership of companies are protected by an access control system. The system implements the following central rules to protect its resources and to allow delegation:

Access control rules:

Allow access
to resource with attribute WebService
if subject is Employee and action is read or write.


Administration control rules:

Allow delegation of access control rule #1
to subjects with attribute Consultant.
Conditions:
delegation must expire within 6 months,
resource must not have attribute StrictlyInternal.


(Attributes can be fetched from an external source, e.g. an LDAP catalog.)
When a consultant enters the corporation, a delegation can be issued locally by the consultant's supervisor, granting the consultant access to systems directly.

The delegator (the supervisor in this scenario) may only have the right to delegate a limited set of access rights to consultants.
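The partnership scenario as an added example, not part of the original article: the access control rule and the administrative control rule are separate objects, a delegation issued by the supervisor is checked against the administrative rule rather than by editing the root policy, and the delegate can never receive more than the delegated rule grants. The field names, the 183-day approximation of six months and the sample delegation are assumptions constructed for the example.

```python
# Added example: XACML 3.0-style separation of access rules from administrative (delegation)
# rules. Simplified model with assumed field names; 6 months is approximated as 183 days.
from datetime import date, timedelta

# Access control rule #1: Employees may read or write WebService resources.
ACCESS_RULE_1 = {"id": 1, "subject_attr": "Employee", "resource_attr": "WebService",
                 "actions": {"read", "write"}}

# Administrative rule: rule #1 may be delegated to Consultants, expiring within 6 months,
# and never usable on resources carrying StrictlyInternal.
ADMIN_RULE = {"delegable_rule": 1, "delegate_attr": "Consultant",
              "max_duration": timedelta(days=183), "forbidden_resource_attr": "StrictlyInternal"}

def delegation_is_authorized(delegation, delegate_attrs, admin_rule=ADMIN_RULE):
    """Administrative rule check: right rule, delegate is a Consultant (attribute fetched e.g.
    from LDAP), lifetime within the limit, rights no wider than the delegated access rule."""
    return (delegation["rule"] == admin_rule["delegable_rule"]
            and admin_rule["delegate_attr"] in delegate_attrs
            and delegation["expires"] - delegation["issued"] <= admin_rule["max_duration"]
            and delegation["actions"] <= ACCESS_RULE_1["actions"])

def evaluate(request, delegations, today, admin_rule=ADMIN_RULE):
    """Root access rule first; otherwise a still-valid, authorized delegation of it."""
    subj, res, action = request["subject_attrs"], request["resource_attrs"], request["action"]
    if ACCESS_RULE_1["resource_attr"] not in res or action not in ACCESS_RULE_1["actions"]:
        return "NotApplicable"
    if ACCESS_RULE_1["subject_attr"] in subj:          # rule #1 applies directly
        return "Permit"
    for d in delegations:                              # delegated copy of rule #1
        if (d["delegate"] == request["subject_id"] and today <= d["expires"]
                and action in d["actions"]
                and admin_rule["forbidden_resource_attr"] not in res
                and delegation_is_authorized(d, subj, admin_rule)):
            return "Permit"
    return "NotApplicable"

# Constructed sample: a supervisor grants a consultant read access for four months.
SUPERVISOR_DELEGATION = {"delegator": "supervisor-1", "delegate": "consultant-1", "rule": 1,
                         "actions": {"read"},
                         "issued": date(2010, 8, 1), "expires": date(2010, 12, 1)}
```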

Other features

Other new features of XACML 3.0 are listed at http://www.webfarmr.eu/2010/07/enhancements-and-new-features-in-xacml-3-axiomatics/

The XACML TC is also publishing a list of changes here: http://wiki.oasis-open.org/xacml/DifferencesBetweenXACML2.0AndXACML3.0

See also

  • Role-based access control
  • Mandatory access control
  • Discretionary access control
  • PERMIS
  • GeoXACML
  • HERAS-AF
  • TAS3
     - Specifies 4-point authorization using XACML

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.