Solutions from Axiomatics are based on the eXtensible Access Control Markup Language (XACML) OASIS standard. XACML offers a standardized way to achieve externalized and dynamic authorization. This means that authorization decisions are made by an authorization service at run-time based on policies which determine what actions a user or service can perform on a given information asset and in a specific context.
Three areas standardized
XACML standardizes three essential aspects of the authorization process:
- XACML policy language – used to express access control rules and conditions. Many rules can be combined into one policy. Many policies and policy sets can be combined into larger policy sets. Flexible combination algorithms determine how rules are joined to capture the exact meaning of corporate policies similar to how the grammar of a natural language allows us to express precise directives.
- XACML request/response protocol – used to query a decisioning engine that evaluates real-world access requests against existing XACML policies. The result, either Permit or Deny, is returned as an XACML response.
- XACML reference architecture – provides a standard for the deployment of necessary software modules to achieve efficient enforcement of XACML policies. At the core, a Policy Decision Point (PDP) evaluates policies against access requests provided by Policy Enforcement Points (PEP). The PDP or PEP may also need to query a Policy Information Point (PIP) to gather descriptive attributes about the user or the information asset to which access is requested. Policies are maintained via a Policy Administration Point (PAP).
XACML policy language and requests
Below are three XACML samples: an XACML policy, an XACML request that will render a PERMIT and an XACML request that will render a DENY.
Policy Definition: This policy protects a document. It checks that only managers at Axiomatics can view (and only view) documents, and that the user's clearance is greater than or equal to the resource's classification. Clearance levels and document classifications take the values, from low to high, CONFIDENTIAL, SECRET and TOP SECRET.
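The policy and the two requests described above, modelled as a small stand-alone evaluator in Python (an added illustration, not the page's XACML sample and not Axiomatics code); the attribute identifiers (`role`, `company`, `clearance`, `classification`, `action-id`), the numeric ranking of the levels and the simplified deny-overrides combining are assumptions.

```python
from collections import namedtuple

# Clearance/classification vocabulary from the page, ordered low to high (assumed ranking).
LEVELS = ["CONFIDENTIAL", "SECRET", "TOP SECRET"]

def rank(level):
    return LEVELS.index(level)  # unknown level raises ValueError -> Indeterminate

# One attribute dict per XACML category (subject, action, resource); attribute ids are assumed.
Request = namedtuple("Request", "subject action resource")
# A rule: effect is "Permit" or "Deny"; target and condition are predicates over a Request.
Rule = namedtuple("Rule", "name effect target condition", defaults=[lambda r: True])

def evaluate_rule(rule, req):
    """Target miss or false condition -> NotApplicable; a missing or unknown
    attribute (one the PIP failed to supply) -> Indeterminate."""
    try:
        if not rule.target(req) or not rule.condition(req):
            return "NotApplicable"
        return rule.effect
    except (KeyError, ValueError):
        return "Indeterminate"

def deny_overrides(rules, req):
    """Simplified deny-overrides combining: any Deny wins, then Indeterminate, then Permit."""
    decision = "NotApplicable"
    for rule in rules:
        d = evaluate_rule(rule, req)
        if d == "Deny":
            return "Deny"
        if d == "Indeterminate" or (d == "Permit" and decision == "NotApplicable"):
            decision = d
    return decision

# The document policy from the page as two rules (attribute identifiers assumed).
DOCUMENT_POLICY = [
    Rule("managers-may-view", "Permit",
         target=lambda r: (r.subject["role"] == "manager" and r.subject["company"] == "Axiomatics"
                           and r.action["action-id"] == "view"),
         condition=lambda r: rank(r.subject["clearance"]) >= rank(r.resource["classification"])),
    Rule("only-view-is-allowed", "Deny", target=lambda r: r.action["action-id"] != "view"),
]

def decide(req):
    """PDP entry point: evaluate one request against the document policy."""
    return deny_overrides(DOCUMENT_POLICY, req)

def pep_allows(decision):
    """The PEP must treat anything other than an explicit Permit as a refusal."""
    return decision == "Permit"
```

A request the policy does not cover comes back NotApplicable rather than Deny, and one with a missing attribute comes back Indeterminate; the PEP refuses access in both cases.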
Authoring and editing XACML policies
Computer programs parse the XML syntax efficiently, but humans may find it rather "user unfriendly". Policies are therefore authored with policy editors. Axiomatics products ship with multiple editors intended for different use case scenarios and user groups. Axiomatics also offers policy authoring in the ALFA language, a high-level language originally developed by Axiomatics and since transferred to the OASIS XACML technical committee. ALFA introduces a simplified syntax somewhat similar to programming languages such as C# or Java. ALFA policies map 1:1 to the XACML language, so editors can save ALFA policies as XACML.
The 40 lines of the above XACML policy look like this in the much more compact ALFA language:
Advantages achieved using XACML
A standardized approach to authorization:
In the past, authorization rules were embedded in the programming code of individual information systems. Access control was therefore defined not by business managers but by the technical staff responsible for software configuration or programming. XACML, however, offers a standardized approach that is used consistently across all applications. The focus is on corporate policies rather than the technicalities of varying software environments.
An externalized approach to authorization:
The Policy Decision Point (PDP) offers authorization as a service in the infrastructure. Authorization algorithms can be removed from the application logic of individual information systems, which will then query the PDP via their own Policy Enforcement Points (PEP).
An attribute and policy based approach to authorization:
XACML policies introduce abstract logic to replace previous static assignments of user permissions. Instead of an assignment - "Bob can access document X" - a rule may state "any user belonging to company X with security clearance equal to or higher than the security classification of a document should be granted access to that document". To determine whether Bob should be granted access to document X, his security clearance as well as the document's classification need to be gathered. These descriptive pieces of information are called attributes.
Fine-grained and dynamic authorization:
The capabilities offered by this approach enable truly fine-grained and dynamic authorization that can be made context-aware and risk-intelligent.
X for eXtensible - using XACML profiles
The X in XACML stands for eXtensible, and one way to extend XACML-based authorization is to use XACML profiles. A profile can extend the functionality of a policy server in a number of ways. This can be as simple as adding a classification or terminology from an existing standardized domain, or it can include more advanced features such as new data types or user-defined functions. Axiomatics fully implements the latest XACML standard including most of the optional profiles. Axiomatics also provides backwards compatibility with older versions of the standard (XACML 1.0, 1.1, and 2.0), with tools to migrate towards the newer version. Below you can find a sample of profiles and their related objectives:
- Core and hierarchical Role Based Access Control (RBAC) profile of XACML v2.0. This profile simplifies alignment with concepts of RBAC. The profile meets the requirements for "core" and "hierarchical" RBAC as specified in the ANSI-RBAC standard. For details, see the XACML Specification Document for RBAC profile.
- Hierarchical resource profile of XACML v2.0
- Multiple resource profile of XACML v2.0
- SAML 2.0 profile of XACML v2.0 (see errata below for corrected version of spec and schemas)
- XML Digital Signature profile of XACML v2.0
The standard itself is maintained by OASIS and published on the OASIS eXtensible Access Control Markup Language (XACML) TC web site.