Entitlement Management

What is XACML?

eXtensible Access Control Markup Language (XACML) is a structured language for expressing access policies and a query-response protocol for access requests and decisions. XACML is developed as a standard within the Organization for the Advancement of Structured Information Standards (OASIS).

The XACML language is built from a number of building blocks.

A Rule defines an effect (permit or deny) for a target that is described in terms of attributes of the subject, resource, action and environment, together with conditions on those attributes.

A Policy consists of rules and a rule-combining algorithm that defines how effects of rules override each other.

A Policy Set consists of policies and a policy-combining algorithm that defines how effects of policies override each other.
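The following Python is an added example, not code from the page or from OASIS, that shows how these building blocks evaluate an access request: a rule yields its effect only when its target and condition hold, and the combining algorithms resolve the effects of rules within a policy and of policies within a policy set. It assumes a representative subset of the standard combining algorithms (deny-overrides, permit-overrides, first-applicable) and uses a constructed policy set and constructed request attributes.

```python
# Miniature XACML-style policy decision point (PDP). Added example for this
# page, not code from OASIS or any XACML product; the policies, attributes
# and combining algorithms below are constructed sample data.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

def target_matches(target, request):
    # target: {category: {attribute: value}} over subject/resource/action/environment
    return all(request.get(cat, {}).get(attr) == val
               for cat, attrs in target.items() for attr, val in attrs.items())

def eval_rule(rule, request):
    # A rule yields its effect only if its target and condition both hold.
    if not target_matches(rule["target"], request):
        return NOT_APPLICABLE
    cond = rule.get("condition")
    return rule["effect"] if cond is None or cond(request) else NOT_APPLICABLE

def combine(algorithm, decisions):
    # Rule-combining and policy-combining algorithms share the same logic.
    if algorithm == "deny-overrides":
        return DENY if DENY in decisions else (PERMIT if PERMIT in decisions else NOT_APPLICABLE)
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in decisions else (DENY if DENY in decisions else NOT_APPLICABLE)
    if algorithm == "first-applicable":
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    raise ValueError(f"unknown combining algorithm: {algorithm}")

def eval_policy(policy, request):
    return combine(policy["rule_combining"], [eval_rule(r, request) for r in policy["rules"]])

def eval_policy_set(pset, request):
    return combine(pset["policy_combining"], [eval_policy(p, request) for p in pset["policies"]])

# Constructed policy set: doctors may read records of their own department;
# any write outside office hours (an environment attribute) is denied.
RECORDS = {"policy_combining": "deny-overrides", "policies": [
    {"rule_combining": "first-applicable", "rules": [
        {"effect": PERMIT,
         "target": {"subject": {"role": "doctor"}, "resource": {"type": "record"}, "action": {"id": "read"}},
         "condition": lambda r: r["subject"]["dept"] == r["resource"]["dept"]}]},
    {"rule_combining": "deny-overrides", "rules": [
        {"effect": DENY, "target": {"action": {"id": "write"}},
         "condition": lambda r: not r["environment"]["office_hours"]}]},
]}

def decide(subject, resource, action, environment):
    # What a PEP would ask the PDP; in a real deployment the PIP supplies attributes.
    return eval_policy_set(RECORDS, {"subject": subject, "resource": resource,
                                     "action": action, "environment": environment})
```

A PEP should treat anything other than an explicit Permit (NotApplicable, and in full XACML also Indeterminate) as a refusal, since only Permit grants access.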

Besides the structured language and the query-response protocol, XACML defines a higher-level architecture consisting of the following functions (components).

  • Policy Decision Point (PDP) - the heart of an XACML solution that makes the access decisions.
  • Policy Enforcement Point (PEP) - the most security-critical component in the solution, which protects the resources and enforces the PDP's decision.
  • Policy Information Point (PIP) - the external information store providing the attribute data needed for access decisions.
  • Policy Repository (PR) - the XACML policy storage.
  • Policy Administration Point (PAP) - the XACML-policy editor.

The relations and the interactions between these components are described in the figure below.

[Figure: xacml2 (XACML components and their interactions)]