eXtensible authorization

Pure XACML

eXtensible Access Control Markup Language (XACML) is an OASIS standard with three essential aspects:

  • XACML policy language
    The XACML policy language expresses access control rules and conditions. Rules are combined into policies, and policies into policy sets, by combining algorithms (such as deny-unless-permit in the sample below) that resolve conflicting results. Policy sets can also contain further policy sets, enabling rich expressions that capture the logic of corporate governance frameworks. 
  • XACML request/response protocol
    A real-world access request is described as an XACML request and sent to a decision engine for evaluation against the deployed XACML policies. The decision is returned in an XACML response. It is not simply Permit or Deny: a request that no policy applies to yields NotApplicable, and an evaluation error (for example a required attribute that is missing) yields Indeterminate. A PEP should treat anything other than Permit as a denial.
  • XACML reference architecture
    The reference architecture proposes a standard for deploying the necessary software modules within an infrastructure so that corporate policies can be enforced efficiently. At the core, a Policy Decision Point (PDP) evaluates policies against access requests submitted by Policy Enforcement Points (PEPs) embedded in the applications. To make informed decisions, the PDP or PEP may also need to query a Policy Information Point (PIP) to gather descriptive attributes about the user or the information asset to which access is requested.


XACML samples

A sample XACML policy and two requests that exercise it, illustrating targets and conditions.

XACML policy sample

Policy Definition: This policy protects a document. Its Target restricts it to managers at Axiomatics performing the action "view" (and only "view") on the resource "document". Its single rule then permits access only if the user's clearance is greater than or equal to the resource's classification; because the policy uses the deny-unless-permit combining algorithm, any request that reaches the rule and is not permitted is denied. Note that the comparison uses string-greater-than-or-equal, which orders strings lexically rather than by sensitivity (see the caveat under the request samples).


<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
               PolicyId="access-document"
               Version="1"
               RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <xacml3:Description>This Policy controls access to documents and makes sure only those managers at Axiomatics with the right level of clearance can view them.</xacml3:Description>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <!-- Policy Target: a single AllOf, so all four Matches must hold for the policy to apply -->
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <!-- subject role is "manager" (exact match) -->
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
          <xacml3:AttributeDesignator MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:org:apache:tomcat:user-role"/>
        </xacml3:Match>
        <!-- subject company is "Axiomatics" (case-insensitive match) -->
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Axiomatics</xacml3:AttributeValue>
          <xacml3:AttributeDesignator MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="company"/>
        </xacml3:Match>
        <!-- action is "view" -->
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml3:AttributeValue>
          <xacml3:AttributeDesignator MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
        </xacml3:Match>
        <!-- resource is "document" -->
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">document</xacml3:AttributeValue>
          <xacml3:AttributeDesignator MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule RuleId="permit-if-clearance-ok" Effect="Permit">
    <xacml3:Description>grant if the subject clearance is greater than or equal to the document classification</xacml3:Description>
    <!-- empty rule Target: the rule applies to every request that reached this policy -->
    <xacml3:Target/>
    <!-- string-greater-than-or-equal compares lexically; string-one-and-only is Indeterminate unless the bag holds exactly one value -->
    <xacml3:Condition>
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal">
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <xacml3:AttributeDesignator MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:org:apache:tomcat:user-attr:clearance"/>
        </xacml3:Apply>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <xacml3:AttributeDesignator MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="classification"/>
        </xacml3:Apply>
      </xacml3:Apply>
    </xacml3:Condition>
  </xacml3:Rule>
</xacml3:Policy>

XACML request samples

It is possible to write requests that test the policy described in the previous section. Since the rule compares the user's clearance with the document's classification, it is instructive to send two requests from a user cleared SECRET that differ only in the resource: one for a document classified CONFIDENTIAL and one for a document classified TOPSECRET. The first leads to Permit, provided of course that the request matches the policy target (manager at Axiomatics, action "view", resource "document"). The second leads to Deny: the condition is false, so the rule does not permit, and deny-unless-permit turns every result other than Permit into Deny. Two caveats a practitioner should keep in mind. First, string-greater-than-or-equal is a lexical (code-point) comparison, so this policy only works because CONFIDENTIAL, SECRET and TOPSECRET happen to sort in order of sensitivity; a level such as UNCLASSIFIED sorts above all of them and would be denied to everyone, so a real deployment should map levels to integers before comparing. Second, the designators use MustBePresent="false", so a request that omits the clearance attribute makes string-one-and-only fail on an empty bag; the rule is Indeterminate and, under deny-unless-permit, the decision is Deny rather than an error.

XACML request sample 1

<xacml-ctx:Request xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"/>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <xacml-ctx:Attribute IncludeInResult="true" AttributeId="urn:org:apache:tomcat:user-attr:clearance">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SECRET</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute IncludeInResult="true" AttributeId="company">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Axiomatics</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute IncludeInResult="true" AttributeId="urn:org:apache:tomcat:user-role">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
      <xacml-ctx:Attribute IncludeInResult="true" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <xacml-ctx:Attribute IncludeInResult="true" AttributeId="classification">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CONFIDENTIAL</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute IncludeInResult="true" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">document</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>



XACML request sample 2

<xacml-ctx:Request xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
      <xacml-ctx:Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <xacml-ctx:Attribute IncludeInResult="false" AttributeId="classification">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TOPSECRET</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">document</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <xacml-ctx:Attribute IncludeInResult="true" AttributeId="urn:org:apache:tomcat:user-attr:clearance">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SECRET</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute IncludeInResult="false" AttributeId="company">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Axiomatics</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute IncludeInResult="false" AttributeId="urn:org:apache:tomcat:user-role">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"/>
</xacml-ctx:Request>
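To make the evaluation described above concrete, here is an added example (it is not Axiomatics code, nor part of the OASIS specification) of a minimal decision engine for just this policy. It parses a XACML 3.0 Request with the same attribute ids and categories as the samples, evaluates the policy Target, applies the clearance Condition under deny-unless-permit, and shows both the lexical string-greater-than-or-equal the sample uses and a rank-based comparison. The make_request builder, the RANK table and the level names UNCLASSIFIED and PUBLIC are assumptions introduced for the illustration.

```python
"""Minimal PDP for the sample policy above (added example; not Axiomatics or OASIS code).

It parses a XACML 3.0 <Request>, evaluates the policy Target, applies the
clearance Condition and the deny-unless-permit combining algorithm."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CLEARANCE = "urn:org:apache:tomcat:user-attr:clearance"   # attribute ids taken from the samples
ROLE = "urn:org:apache:tomcat:user-role"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"


def make_request(clearance, classification, role="manager", company="Axiomatics", action="view"):
    """Constructed XACML 3.0 request in the shape of the samples above (assumed helper).
    Passing None for a value omits that attribute, to exercise the missing-attribute path."""
    def attr(attr_id, value):
        if value is None:
            return ""
        return (f'<Attribute AttributeId="{attr_id}" IncludeInResult="false">'
                f'<AttributeValue DataType="{STRING}">{escape(value)}</AttributeValue></Attribute>')
    return (f'<Request xmlns="{NS}" CombinedDecision="false" ReturnPolicyIdList="false">'
            f'<Attributes Category="{SUBJECT}">{attr(CLEARANCE, clearance)}'
            f'{attr("company", company)}{attr(ROLE, role)}</Attributes>'
            f'<Attributes Category="{ACTION}">{attr(ACTION_ID, action)}</Attributes>'
            f'<Attributes Category="{RESOURCE}">{attr("classification", classification)}'
            f'{attr(RESOURCE_ID, "document")}</Attributes></Request>')


def parse_request(xml_text):
    """Flatten a <Request> into {category: {attributeId: [values]}}; each list is a XACML bag."""
    req = {}
    for attrs in ET.fromstring(xml_text).iter(f"{{{NS}}}Attributes"):
        bag = req.setdefault(attrs.get("Category"), {})
        for a in attrs.iter(f"{{{NS}}}Attribute"):
            values = [v.text or "" for v in a.iter(f"{{{NS}}}AttributeValue")]
            bag.setdefault(a.get("AttributeId"), []).extend(values)
    return req


class Indeterminate(Exception):
    """Raised where XACML says evaluation is Indeterminate (e.g. one-and-only on an empty bag)."""


def one_and_only(bag):
    if len(bag) != 1:
        raise Indeterminate(f"string-one-and-only: expected 1 value, got {len(bag)}")
    return bag[0]


def lexical_ge(a, b):
    """string-greater-than-or-equal as the sample policy uses it: plain code-point order."""
    return a >= b


RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOPSECRET": 3}  # assumed ordering


def rank_ge(a, b):
    """Ordinal comparison; an unknown label is Indeterminate instead of being silently ranked."""
    if a not in RANK or b not in RANK:
        raise Indeterminate(f"unknown level: {a!r} / {b!r}")
    return RANK[a] >= RANK[b]


TARGET = [  # the policy's single AllOf: (category, attribute id, literal, match function)
    (SUBJECT, ROLE, "manager", str.__eq__),
    (SUBJECT, "company", "Axiomatics", lambda v, lit: v.casefold() == lit.casefold()),
    (ACTION, ACTION_ID, "view", str.__eq__),
    (RESOURCE, RESOURCE_ID, "document", str.__eq__),
]


def target_matches(req):
    """A Match holds if its function is true for any value in the designator's bag;
    an empty bag (MustBePresent="false") just makes the Match false, not Indeterminate."""
    return all(any(fn(v, lit) for v in req.get(cat, {}).get(aid, []))
               for cat, aid, lit, fn in TARGET)


def evaluate(xml_text, compare=lexical_ge):
    """Decision for the sample policy. deny-unless-permit collapses a rule result of
    Deny, NotApplicable or Indeterminate into Deny; a failed policy Target is NotApplicable."""
    req = parse_request(xml_text)
    if not target_matches(req):
        return "NotApplicable"
    try:
        clearance = one_and_only(req.get(SUBJECT, {}).get(CLEARANCE, []))
        classification = one_and_only(req.get(RESOURCE, {}).get("classification", []))
        return "Permit" if compare(clearance, classification) else "Deny"
    except Indeterminate:
        return "Deny"


if __name__ == "__main__":
    cases = [("SECRET", "CONFIDENTIAL"), ("SECRET", "TOPSECRET"),
             ("SECRET", "UNCLASSIFIED"), (None, "CONFIDENTIAL")]
    for clr, cls in cases:
        xml = make_request(clr, cls)
        print(f"{str(clr):>12} vs {cls:<13} lexical={evaluate(xml):<6} ranked={evaluate(xml, rank_ge)}")
    print("non-manager:", evaluate(make_request("SECRET", "CONFIDENTIAL", role="employee")))
```

Running it reproduces the two sample requests (Permit for CONFIDENTIAL, Deny for TOPSECRET) and then shows the two edge cases from the caveats: a SECRET user is denied an UNCLASSIFIED document under the lexical comparison but permitted under the ranked one, and a request without a clearance attribute is denied rather than erroring, because deny-unless-permit swallows the Indeterminate. A non-manager never reaches the rule; the policy itself is NotApplicable, and what the PEP finally sees then depends on the enclosing policy set's combining algorithm.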


Advantages achieved using XACML:

  • A standardized approach to authorization:
    In the past, authorization rules were embedded in the programming code of individual information systems. Thus, the programmers of applications and the IT technicians managing the configurations of these applications - rather than business managers - would determine how access controls would be implemented. XACML instead suggests a standardized approach to be used consistently across applications. The focus is on corporate policies rather than the technicalities of varying software environments.
  • An externalized approach to authorization:
    The Policy Decision Point (PDP) offers authorization as a service in your infrastructure. Authorization algorithms can be removed from the application logic of individual information systems which instead will query the PDP via their own Policy Enforcement Points (PEP).
  • An attribute and policy based approach to authorization:
    XACML policies introduce abstract logic to replace previous static assignments of user permissions. Instead of an assignment - "Bob can access document X" - a rule may state that "any user belonging to company X with security clearance equal to or higher than the security classification of a document, should be granted access to that document". To determine whether user Bob should be granted access to document X, his security clearance as well as the document classification needs to be gathered. These descriptive pieces of information are called attributes.
  • Fine-grained and dynamic authorization:
    The capabilities offered by this approach enable truly fine-grained and dynamic authorization that can be made context-aware and risk-intelligent.


X for eXtensible - Using XACML profiles

The X in XACML stands for eXtensible, and one way to extend XACML-based authorization is to use XACML profiles. A profile can extend the functionality of your policy server in several ways. This can be as simple as adding the nomenclature or terminology of an existing standardized domain; it can also include more advanced features, such as new data types or user-defined functions. Axiomatics products conform to all XACML 2.0 and XACML 3.0 profiles. Below you can find a sample profile and its objectives:

  • Core and hierarchical role based access control (RBAC) profile of XACML v2.0. This profile simplifies alignment with concepts of Role Based Access Control (RBAC). The profile meets the requirements for “core” and “hierarchical” RBAC as specified in the ANSI-RBAC standard. For details, see the XACML Specification Document for RBAC profile. 

The standard itself is maintained by OASIS and published on the OASIS eXtensible Access Control Markup Language (XACML) TC web site.