
XACML

Paradigm: Declarative programming
Designed by: Simon Blackwell
Developer: Organization for the Advancement of Structured Information Standards (OASIS)
First appeared: April 16, 2001
License: https://www.oasis-open.org/resources/open-repositories/licenses
Filename extensions: .xml, .alfa
Website: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Major implementations: SunXACML, Axiomatics
Dialects: ALFA (XACML)
Influenced by: XML, SAML
Influenced: ALFA (XACML)

XACML stands for "eXtensible Access Control Markup Language". The standard defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model that describes how to evaluate access requests against the rules defined in policies.

As a published standard specification, one of the goals of XACML is to promote common terminology and interoperability between access control implementations from multiple vendors. XACML is primarily an attribute-based access control (ABAC) system, in which attributes (pieces of data) associated with a user, action or resource are the inputs to the decision of whether a given user may access a given resource in a particular way. Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.

The XACML model supports and encourages the separation of the access decision from the point of use. When access decisions are baked into client applications (or based on local machine user IDs and Access Control Lists (ACLs)), it is very difficult to update the decision criteria when the governing policy changes. When the client is decoupled from the access decision, authorization policies can be updated on the fly and affect all clients immediately.

Version 1.0 was ratified by the OASIS standards organization in 2003.

Version 2.0 was ratified by the OASIS standards organization on February 1, 2005.

The first committee specification of XACML 3.0 was released August 10, 2010. The latest version, XACML 3.0, was standardized in January 2013.

Non-normative terminology (following RFC 2904, except for PAP)

XACML is structured into three levels of elements: policy set, policy, and rule.

A policy set can contain any number of policy elements and policy set elements. A policy can contain any number of rule elements.

Policies, policy sets, rules and requests all use subjects, resources, environments, and actions.

XACML provides a target, which is a set of simplified conditions on the subject, resource, and action that must be met for a policy set, policy, or rule to apply to a given request. Once a policy or policy set is found to apply to a given request, its rules are evaluated to determine the access decision and response.
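The structure described above (a policy with a target, rules that each carry their own target over subject, resource and action attributes, and a rule-combining algorithm), shown as an added example rather than code from the page or from OASIS: a constructed XACML 3.0 policy in the standard's XML syntax and a small Python evaluator that plays the part of the PDP. The policy id, attribute values and request contents are invented for the example; the element names, attribute categories, attribute identifiers, the string-equal function and the deny-overrides algorithm are the standard XACML identifiers (the role attribute id comes from the XACML RBAC profile). The evaluator implements only this subset of the processing model: string-equal matches, Target/AnyOf/AllOf matching, and deny-overrides rule combining; it has no Condition, Obligation or Indeterminate handling.

```python
"""Constructed example: a small XACML 3.0 policy and a subset evaluator (not OASIS code)."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Standard XACML attribute categories, attribute ids, match function and combining algorithm.
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"          # from the XACML RBAC profile
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"


def _match(value, category, attribute_id):
    """Render one <Match>: string-equal between a literal and a designated request attribute."""
    return f"""<Match MatchId="{STRING_EQUAL}">
  <AttributeValue DataType="{STRING}">{value}</AttributeValue>
  <AttributeDesignator Category="{category}" AttributeId="{attribute_id}"
                       DataType="{STRING}" MustBePresent="false"/>
</Match>"""


# Constructed policy: covers only the resource "medical-record"; doctors may read, nobody may delete.
POLICY_XML = f"""<Policy xmlns="{XACML_NS}" PolicyId="example:medical-record" Version="1.0"
        RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target><AnyOf><AllOf>{_match('medical-record', RESOURCE, RESOURCE_ID)}</AllOf></AnyOf></Target>
  <Rule RuleId="doctors-may-read" Effect="Permit">
    <Target><AnyOf><AllOf>
      {_match('doctor', SUBJECT, ROLE)}
      {_match('read', ACTION, ACTION_ID)}
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="nobody-deletes" Effect="Deny">
    <Target><AnyOf><AllOf>{_match('delete', ACTION, ACTION_ID)}</AllOf></AnyOf></Target>
  </Rule>
</Policy>"""


def build_request(subject_id, role, resource_id, action_id):
    """What a PEP would send to the PDP: attribute bags keyed by (category, attribute id)."""
    return {(SUBJECT, SUBJECT_ID): [subject_id], (SUBJECT, ROLE): [role],
            (RESOURCE, RESOURCE_ID): [resource_id], (ACTION, ACTION_ID): [action_id]}


def _match_holds(match, request):
    """A <Match> holds if the function is true for at least one value in the designated bag."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError("only string-equal is implemented in this example")
    expected = match.find("x:AttributeValue", NS).text
    desig = match.find("x:AttributeDesignator", NS)
    bag = request.get((desig.get("Category"), desig.get("AttributeId")), [])
    return any(v == expected for v in bag)


def _target_applies(element, request):
    """An absent <Target> matches every request; otherwise every <AnyOf> needs at least
    one <AllOf> whose <Match> elements all hold (a disjunction of conjunctions)."""
    target = element.find("x:Target", NS)
    if target is None:
        return True
    return all(any(all(_match_holds(m, request) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))


def pdp_evaluate(policy_xml, request):
    """PDP decision for one <Policy> under deny-overrides (no Condition, Obligation or
    Indeterminate handling in this subset)."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise NotImplementedError("only deny-overrides is implemented in this example")
    if not _target_applies(policy, request):
        return "NotApplicable"      # the policy does not cover this request at all
    effects = [rule.get("Effect") for rule in policy.findall("x:Rule", NS)
               if _target_applies(rule, request)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"          # covered by the policy, but no rule applied


if __name__ == "__main__":
    for args in [("alice", "doctor", "medical-record", "read"),
                 ("alice", "doctor", "medical-record", "delete"),
                 ("bob", "nurse", "medical-record", "read"),
                 ("alice", "doctor", "lab-result", "read")]:
        print(args, "->", pdp_evaluate(POLICY_XML, build_request(*args)))
```

Two points the example makes concrete. First, the decoupling the text describes: the client only builds the request in `build_request`, so changing who may read a medical record means editing the policy XML, not the client. Second, the PDP can answer NotApplicable as well as Permit or Deny (a nurse's read request here, or any request for a resource the policy does not cover), so the enforcement point must be deny-biased and treat anything other than Permit as a refusal; a PEP that only checks for Deny would let every uncovered request through.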
