Home > Articles > Software Development & Management

  • Print
  • + Share This
This chapter is from the book Introduction to XACML

Introduction to XACML

eXtensible Access Control Markup Language (XACML) version 2.0 (refer to [XACML2] for details) is an approved security policy management standard under OASIS (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml). It is both a policy language and an access-control decision request/response _language encoded in XML. It defines a standard format for the expression of authorization rules and policies along with a standard way of evaluating rules and policies to produce authorization decisions. In addition, XACML defines an optional format for making authorization decision requests and responses.

There are many similarities between XACML and the other policy management initiatives discussed previously. XACML can handle both XML documents and non-XML systems, though it can also handle non-XML objects using a custom context handler. It uses a declarative data model similar to CIM policy. It is generic to all industry sectors, but flexible enough to include new functionalities. XACML is complementing SAML 2.0 by providing functionality that handles complex policy sets and rules.

There are a few business problems related to security access control today. Many customer environments have their own security policy governing which resources a service requester can access. To be flexible and adaptive to customer IT security requirements, commercial off-the-shelf vendor products intend to be “generic” enough to support different security access control requirements in heterogeneous or customized environments. For example, some vendor products choose to provide “maximum possible privilege” by default for accessing data and executing business functions and actions. In other words, every user can access all functions unless the access control policies are customized. Once these vendor products are implemented, customers can customize local administrative security policy and configure policy enforcement points. Unfortunately, customized security access control implementations are fairly expensive, and they are unreliable for modifying security policies manually due to their complexity. In addition, they are not scalable and timely if the number of applications or policy enforcement points is large. Thus, a flexible policy system for access control is required to address these problems.

Isn’t SAML authorization decision assertion used in determining access rights for a service request? SAML provides a very basic assertion format and protocol between policy enforcement point and policy decision point. However, it does not specify any action or how a policy decision point should get information on which its decision will depend.

One major technology driver for creating XACML is the need to access partial content of XML documents. The current security method is to use encryption to control access to the entire XML document. Users are either authorized to view the entire XML document or denied access to any part of it. An example is an XML document containing a credit card payment transaction, where user A (call center personnel) is authorized to access the entire payment transaction except the full credit card number, while user B (claims department) is able to read the entire payment transaction. This is undesirable and very often this access control mechanism does not meet local business requirements.

In a typical application environment, a user wants to make request to access certain resources. The Policy Enforcement Point (PEP) is a system or application that protects the resources. The PEP needs to check whether the service requester is eligible to access the resources. It sends the resources request to the Policy Decision Point (PDP), which looks up the security access control policies. XACML provides both a policy language and an access-control decision request/response language to meet the security access control requirements. With XACML, the PEP forms a query language to ask the PDP whether or not a given action should be allowed. The PDP responds by returning the value of either Permit, Deny, Indeterminate (decision cannot be made due to some errors or missing values), or Not Applicable (the request cannot be answered by this service).

XACML provides a rich policy language data model that is able to define sophisticated and flexible security policies. Figure 7–7 shows the full hierarchy of components of an XACML policy extracted from the XACML schema, which may be too complex for novice readers. The following are the key components that may be of interest to most readers:

  • Policies. A Policy represents a single access control policy, expressed through a set of Rules. Policies are a set of rules together with a rule-combining algorithm and an optional set of obligations. Obligations are operations specified in a policy or policy set that should be performed in conjunction with enforcing an authorization decision. Each XACML policy document contains exactly one Policy or PolicySet root XML tag.
  • Policy Set. A Policy Set is a set of policies or other Policy Sets and a policy-combining algorithm, along with a set of optional obligations.
  • Rules. Rules are expressions describing conditions under which resource access requests are to be allowed or denied. They apply to the target (<Target>), which can specify some combination of particular resources, subjects, or actions. Each rule has an effect (which can be “permit” or “deny”) that is the result to be returned if the rule’s target and condition are true. Rules • can specify a condition (<Condition>) using Boolean expressions and a large set of comparison and data-manipulation functions over subject, resource, action, and environment attributes.
  • Target. A Target is basically a set of simplified conditions for the Subject, Resource, and Action that must be met for a PolicySet, Policy, or Rule to apply to a given request. These use Boolean functions (explained more in the next section) to compare values found in a request with those included in the Target. If all the conditions of a Target are met, then its associated PolicySet, Policy, or Rule applies to the request. In addition to being a way to check applicability, Target information also provides a way to index policies, which is useful if you need to store many policies and then quickly sift through them to find which ones apply.
  • Figure 7–7 XACML policy language model

  • Attributes. Attributes are named values of known types that may include an issuer identifier or an issue date and time. Specifically, attributes are characteristics of the Subject, Resource, Action, or Environment in which the access request is made. For example, a user’s name, their group membership, a file they want to access, and the time of day are all attribute values. When a request is sent from a PEP to a PDP, that request is formed almost exclusively of attributes, and they will be compared to attribute values in a policy in order to make the access decisions.

The XML Schema definition for XACML describes the input and output of policy decision points in an XACML context. A context denotes a canonical representation of a decision request and an authorization decision. Figure 7–8 shows the XACML context [XACML11] where a policy decision point makes reference to the attributes of a policy or identifies the attribute by subject, resource, action, or environment. The XACML context handler for requests converts the input format from domain-specific input, say, using XPath or any XSLT transformation mechanism. Upon processing the policy rules by the policy decision point, the XACML context handler for responses converts the authorization decision to a domain-specific output format. The shaded area that covers the XACML policy, policy decision point, and the XACML context handlers are the scope of XACML.

Figure 7–8 XACML context

Sun’s XACML kit (http://sunxacml.sourceforge.net) is an open source implementation of XACML 1.1. There is also a C# implementation of XACML under http://mvpos.sourceforge.net/. Parthenon Computing’s JiffyXACML (http://www.parthenoncomputing.com) is a free binary release that provides some specific functionality. A list of XACML implementations appears on the OASIS XACML TC home page (http://www.oasis-open.org/committees/tc_home.php?wg_ abbrev=xacml), along with an XACML reference list that includes publicly announced adoptions of XACML.

XACML 2.0

XACML 2.0 [XACML2] does not have major functional changes. There are a few syntactic changes to make the policy language more flexible in its support of complex security requirements. Apart from the syntactic changes, the major change in XACML 2.0 is the introduction of six profiles:

  • SAML Profile. The SAML profile defines how to use SAML 2.0 to protect, transport, and request XACML schema instances and other information needed by an XACML implementation. It supports six types of queries and statements: AttributeQuery, AttributeStatement, XACMLPolicyQuery, XACMLPolicyStatement, XACMLAuthzDecisionQuery, and XACMLAuthzDecisionStatement.
  • RBAC Profile. The role-based access control profile allows policies to be specified in terms of subject roles instead of individual subject identities. Roles can be nested so that more senior roles inherit the privileges of junior roles.
  • Privacy Profile. The privacy profile supports specifying data privacy requirements by using two attributes: resource purpose and action purpose. The resource purpose, which has a type “urn:oasis:names:tc:xacml:2.0:resource: purpose,” indicates the purpose for which the data resource is collected. The action purpose, which has a type “urn:oasis:names:tc:xacml:2.0:action:purpose,” indicates the purpose for which access to the data resource is requested.
  • Multiple Resource Profile. This profile describes three ways in which a PEP can request authorization decisions for multiple resources in a single request context and how the result of each such authorization decision is represented in the single response context that is returned to the PEP. It also describes two ways in which a PEP can request a single authorization decision in response to a request for all the nodes in a hierarchy.
  • Hierarchical Resource Profile. This profile specifies how XACML can provide access control for a resource (including files, XML documents, or organizations) that is organized as a hierarchy. For example, if the administrator wants to restrict certain segments of an XML document for access, he or she may want to treat the resource (in this case, the XML document) as a hierarchy in order to allow or deny access to particular nodes in the document.
  • DSIG Profile. This profile uses XML Signature to provide authentication and integrity protection for XACML schema instances.

There are some new features to the policy language. For details, refer to [XACML2]. The following are new features that allow more flexibility in expressing policies and rules.

  • The element <CombinerParameters> carries the parameters for use by the combining algorithms.
  • A new optional attribute <Version> was added with default value “1.0” to denote the version of the Policy and PolicySet. Policy referencing allows developers to put constraints on the policy version.
  • The element <VariableReference> is used to refer to a value by its <VariableDefinition> within the same policy.
  • The element <EnvironmentMatch> was added to match the environment, similar to the elements <SubjectMatch>, <ResourceMatch>, and <ActionMatch>.
  • A new substitution group called <Expression> was added, which contains the elements <Apply>, <AttributeSelector>, <AttributeValue>, <Function>, <VariableReference>, and all <FooAttributeDesignator>.
  • There is a <RuleCombinerparameters> element, and likewise a <PolicyCombiner-Parameters> element, which are used to pass parameters to the combining algorithms. They are not used as a substitution model.

Some changes in XACML 2.0 are syntactical. They do not have a major impact on the core policy definition functionality. However, some changes are semantic changes. The following highlight the major syntactic changes in the context schema and the policy schema. For details, refer to [XACML2changes].

  • The version number of XACML in the namespace has been updated as 2.0. For example, xmlns=“urn:oasis:names:tc:xacml:2.0:context:schema:cd:04.”
  • The element <Status> in a <Result> statement is now optional in XACML 2.0.
  • It is mandatory in XACML 2.0 to specify an <Environment> in a <Request> statement.
  • For the elements <PolicySetIdReference> and <PolicyIdReference>, XACML 2.0 uses “type=xacml:IdReferenceType.”
  • The data type for “RuleId” attribute is now changed to “xs:String.”
  • Two syntactic changes are made to support SAML 2.0: The <Request> can contain more than one resource. The element <Attribute> can contain more than one <AttributeValue>.
  • Two items are obsolete in XACML 2.0: the attribute <IssuesInstant> in the <Attribute> statement, and the elements <AnySubject>, <AnyResource>, and <AnyAction>.
  • <VariableDefinition> and <VariableReference> elements support reuse of portions of a policy, which provides a macro capability.
  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020