XACML
XACML, the eXtensible Access Control Mark-up Language, is a standard developed by the Organization for the Advancement of Structured Information Standards (OASIS). XACML was developed in order to allow computing systems to be administered uniformly and to allow access control to be provided as a reusable component.
XACML consists of three main elements:
- A policy schema, represented as XML
- A request/response protocol
- A reference architecture
Prior to XACML, organizations were prone to numerous inefficiencies:
- Access control code had to be written for each and every system, resulting in high development costs
- Administrators had to be trained on multiple administrative interfaces, which led to high training and operational costs
- Security code was developed in an ad-hoc fashion and was not always properly secured
- Passing security audits was very time consuming and costly because every system had a proprietary security mechanism
- Obtaining reports illustrating who can do what, and who gave whom access, was almost impossible across systems, again because the security mechanisms were proprietary and not standards-based
Why use XACML?
Standard Method for Authorization
XACML provides a universal translation layer to express authorization. Regardless of the administrative interface used to manage access control for an application or service, or the language in which it was developed, XACML expressions are consistent and easily interpreted.
Centralized Authorization Management
Administrators define an XACML policy in one place, and every application leverages the rules defined in that policy. XACML allows organizations to use a single, centralized interface to define, organize, and manage security.
Empower Business Users
Traditionally, security policies needed to be defined within IT. XACML allows business users to explicitly define security, without any knowledge of the applications or platforms that IT has to administer. This decouples authorization from applications, allowing it to live externally.
Powerful, Robust Standard
XACML 3.0 accommodates a broad range of access-control policy needs. It supports a variety of data types, functions, and rules, which can be extended to support custom domain-specific data types and functions as well. XACML can also be extended to interoperate with standards like SAML and LDAP. Finally, XACML is stateless, allowing the same Policy Decision Point (PDP) to be replicated across multiple servers for enterprise-class performance and scalability.
How Does XACML Work?
- Administrators define policies through the Policy Administration Point, the PAP, and can at any time modify those policies or create new policies
- Policies are pushed into a Policy Repository, which the Policy Decision Point, the PDP, uses when resources are being authorized for access
- A user requests a resource which is protected by the Policy Enforcement Point, the PEP
- The PEP passes the user information to the Policy Decision Point, PDP, which needs to make a decision on whether the user should be allowed access
- The PDP makes its decision based on very specific information (attributes), as defined in the policy, and passes this information request to the Policy Information Point, the PIP
- The PIP sends a request to each attribute source for data
- The PIP aggregates the information requested
- The PIP passes the information back to the PDP
- Information and policy in-hand, the PDP is able to render a decision, which it passes to the PEP
- The PEP allows or denies access to the resource
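The flow above, and the three elements listed earlier (policy, request/response, reference architecture), can be seen end to end in a small model. The following is an added example written for this page; it is not code from OASIS or from any XACML product. It models policies as Python objects rather than XML, uses a simplified deny-overrides / permit-overrides combining algorithm (it collapses XACML 3.0's several Indeterminate variants into one), and the role directory and resource metadata it queries through the PIP are constructed in place. Component names (PAP, PDP, PEP, PIP, PolicyRepository) follow the page; every method name is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass
class Rule:
    rule_id: str
    effect: str                        # PERMIT or DENY, returned when the condition holds
    needs: tuple                       # attribute ids the condition reads (resolved via the PIP)
    condition: Callable[[dict], bool]


@dataclass
class Policy:
    policy_id: str
    combining: str                     # "deny-overrides" or "permit-overrides"
    rules: list


class PolicyRepository:
    """Where the PAP pushes policies and where the PDP reads them from."""
    def __init__(self):
        self.policies = {}

    def publish(self, policy):
        self.policies[policy.policy_id] = policy


class PAP:
    """Policy Administration Point: the only component that writes policy."""
    def __init__(self, repo):
        self.repo = repo

    def define(self, policy):
        self.repo.publish(policy)


class PIP:
    """Policy Information Point: resolves attributes the request did not carry
    by querying registered attribute sources (directory, resource metadata, ...)."""
    def __init__(self):
        self.sources = {}

    def register(self, attr_id, source):
        self.sources[attr_id] = source

    def resolve(self, attr_id, request):
        if attr_id in request:
            return request[attr_id]
        source = self.sources[attr_id]   # KeyError if no source provides this attribute
        return source(request)           # a source may raise KeyError for an unknown subject


class PDP:
    """Policy Decision Point: evaluates every policy in the repository."""
    def __init__(self, repo, pip):
        self.repo, self.pip = repo, pip

    def _eval_rule(self, rule, request):
        try:
            attrs = {a: self.pip.resolve(a, request) for a in rule.needs}
        except KeyError:
            return INDETERMINATE         # a required attribute could not be obtained
        return rule.effect if rule.condition(attrs) else NOT_APPLICABLE

    @staticmethod
    def _combine(algorithm, results):
        # Simplified combining: the overriding effect wins, then Indeterminate,
        # then the other effect, else NotApplicable.
        win, other = (DENY, PERMIT) if algorithm == "deny-overrides" else (PERMIT, DENY)
        if win in results:
            return win
        if INDETERMINATE in results:
            return INDETERMINATE
        if other in results:
            return other
        return NOT_APPLICABLE

    def decide(self, request):
        per_policy = [self._combine(p.combining, [self._eval_rule(r, request) for r in p.rules])
                      for p in self.repo.policies.values()]
        return self._combine("deny-overrides", per_policy)   # policy-set level


class PEP:
    """Policy Enforcement Point, deny-biased: only an explicit Permit grants access."""
    def __init__(self, pdp):
        self.pdp = pdp

    def access(self, request):
        return self.pdp.decide(request) == PERMIT


# Constructed sample deployment: a tiny role directory and resource metadata store.
ROLES = {"alice": "doctor", "bob": "clerk"}
ARCHIVED = {"record-7": False, "record-9": True}


def build_pep():
    repo, pip = PolicyRepository(), PIP()
    PAP(repo).define(Policy("records", "deny-overrides", [
        Rule("clinicians-read", PERMIT, ("role", "action"),
             lambda a: a["role"] == "doctor" and a["action"] == "read"),
        Rule("no-archived", DENY, ("archived",), lambda a: a["archived"]),
    ]))
    pip.register("role", lambda req: ROLES[req["subject-id"]])
    pip.register("archived", lambda req: ARCHIVED[req["resource-id"]])
    return PEP(PDP(repo, pip))


def request(subject, action, resource):
    return {"subject-id": subject, "action": action, "resource-id": resource}


if __name__ == "__main__":
    pep = build_pep()
    for s, a, r in [("alice", "read", "record-7"), ("alice", "read", "record-9"),
                    ("bob", "read", "record-7"), ("carol", "read", "record-7")]:
        req = request(s, a, r)
        print(s, a, r, "->", pep.pdp.decide(req), "allowed" if pep.access(req) else "blocked")
```

Two points worth noticing: the request carries only subject, action and resource, so role and archive status are fetched by the PIP on demand, exactly as in the flow above; and an unknown subject ("carol") yields Indeterminate rather than an error, which the deny-biased PEP treats as no access.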