
The upcoming XACML 3.0

The XACML Technical Committee at OASIS, with Axiomatics CTO Erik Rissanen as the Editor, is currently working on the next version of the XACML standard. Version 3.0 contains bug fixes, optimizations and new features. The differences and new features are briefly discussed here.

XACML 3.0 has a similar syntax to 2.0, but they are not compatible. However, it will be feasible to upgrade a 2.0-policy to 3.0.

The major new feature in 3.0 is delegation. In the previous XACML version, policies are taken for granted and blindly trusted; there is no way to reason about how, and by whom, policies are created. Delegation is implemented by introducing a new type of policy: administrative policies (alongside the access control policies). Delegation makes it possible to decentralize the administration of access policies between organizations, as well as to verify that a policy comes from a trusted source. An example of a query that an administrative policy answers is: "Is Alice authorized to create an access policy that authorizes Bob to access the database?" Read more about delegations.
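The following is an added illustration of the delegation idea described above; it is not code from Axiomatics or the OASIS XACML specification, and it deliberately simplifies the XACML 3.0 administration profile into a small model. Access policies carry an issuer; policies issued by the trusted policy administration point (here the constructed name "pap") are honoured directly, while a policy from any other issuer is honoured only if a chain of administrative policies leads back to the trusted issuer for that resource and action. All policy contents and names (alice, bob, mallory, carol, dave, "database") are constructed sample data.

```python
"""Simplified model of XACML 3.0 delegation via administrative policies.

Added example, not Axiomatics' or OASIS's code. The real profile expresses
this with PolicyIssuer elements, a delegate attribute category and a
"reduction" procedure; the shape here is a minimal stand-in for teaching.
"""
from dataclasses import dataclass

# Constructed assumption: the policy administration point is trusted by configuration.
TRUSTED_ISSUER = "pap"


@dataclass(frozen=True)
class AccessPolicy:
    """A policy about an access situation (subject, resource, action)."""
    issuer: str
    subject: str
    resource: str
    action: str
    effect: str  # "Permit" or "Deny"


@dataclass(frozen=True)
class AdminPolicy:
    """An administrative policy: `issuer` lets `delegate` issue access
    policies for (resource, action)."""
    issuer: str
    delegate: str
    resource: str
    action: str


def issuer_authorized(issuer, resource, action, admin_policies, seen=frozenset()):
    """Reduction step: may `issuer` issue access policies for (resource, action)?

    Walks administrative policies back towards TRUSTED_ISSUER; `seen` guards
    against delegation loops that never reach a trusted root.
    """
    if issuer == TRUSTED_ISSUER:
        return True
    if issuer in seen:
        return False
    for ap in admin_policies:
        if ap.delegate == issuer and ap.resource == resource and ap.action == action:
            if issuer_authorized(ap.issuer, resource, action, admin_policies, seen | {issuer}):
                return True
    return False


def evaluate(subject, resource, action, access_policies, admin_policies):
    """Deny-overrides combination over applicable policies with an authorized issuer.

    A policy from an unauthorized issuer is treated exactly like a
    non-applicable one, so an untrusted source can neither grant nor deny.
    """
    effects = []
    for p in access_policies:
        if (p.subject, p.resource, p.action) != (subject, resource, action):
            continue
        if not issuer_authorized(p.issuer, resource, action, admin_policies):
            continue
        effects.append(p.effect)
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


# Constructed sample policies.
ADMIN_POLICIES = [
    AdminPolicy(issuer="pap", delegate="alice", resource="database", action="read"),
    # A delegation loop with no trusted root: carol <-> dave for database/write.
    AdminPolicy(issuer="carol", delegate="dave", resource="database", action="write"),
    AdminPolicy(issuer="dave", delegate="carol", resource="database", action="write"),
]

ACCESS_POLICIES = [
    # Alice was delegated authority for database/read by the PAP, so this counts.
    AccessPolicy(issuer="alice", subject="bob", resource="database", action="read", effect="Permit"),
    # Mallory was never delegated anything; this policy is ignored.
    AccessPolicy(issuer="mallory", subject="eve", resource="database", action="read", effect="Permit"),
    # Alice's delegation covers only "read", so her "write" policy is ignored too.
    AccessPolicy(issuer="alice", subject="bob", resource="database", action="write", effect="Permit"),
]

if __name__ == "__main__":
    for subj, act in [("bob", "read"), ("eve", "read"), ("bob", "write")]:
        print(subj, act, "->", evaluate(subj, "database", act, ACCESS_POLICIES, ADMIN_POLICIES))
```

The point worth noticing is the third sample: the delegation granted to Alice is scoped to an access situation, so a policy she issues outside that scope is silently non-applicable rather than an error, which is the behaviour a PDP needs when policies arrive from many organizations of differing trust.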

XACML 3.0 also manages obligations in a better way by characterizing obligations into different families. It will be possible to state in which order obligations should be performed as well as how conflicts and fulfillment-failures should be resolved. Read more about the general obligation concept.

One of the optimizations is the introduction of generic attribute categories in place of the pre-defined categories Subject, Resource and Action that exist in 2.0. This lets the user define their own attribute categories.

Request-context-supplied and environment-context-supplied attributes have been further differentiated, which enables a PDP to optimize policy evaluation through attribute caching and partial evaluation.

In addition, the XACML profiles are being revised and updated to XACML 3.0. XACML 3.0 is expected to be finalized and released in mid-2008.

Axiomatics AB, Electrum 223, 164 40 Kista, Sweden, +46(0)70 229 07 01,