As a backend developer, Hieu (Jack) Tran has overseen the birth of APS generation 5 since 5.0. His hobby is to dig around the Axiomatics code base for new tricks to learn and new bugs to fix. Jack joined Axiomatics after finishing his master's programme at The Royal Institute of Technology (KTH), Stockholm.

Extending the XACML Specification

The eXtensible Access Control Markup Language, or XACML, offers a standardized way to provide granular and scalable authorization across the enterprise application landscape by defining an elaborate and strict specification that applications' authorisation policies must follow. On the other hand, the model is extensible enough, as the name suggests, to offer the flexibility required by the heterogeneous nature of enterprise applications and use cases.

So the question is: just how extensible is XACML? In this blog post we will elaborate a bit further on the designated extension points of the XACML standard and try to demystify the art of tailoring the model to fit any application-specific need.

Policy Information Point in Five Minutes

This blog post gives a short introduction to the Policy Information Point (PIP) in the XACML reference model, specifically its role in the XACML architecture and how it is usually realized in practice.

The idea of flexible and granular authorization lies at the very heart of Attribute-based Access Control (ABAC) in general, and XACML in particular. Traditional Role-based Access Control (RBAC) systems rely on a single-dimensional categorization of authorized entities into different roles. While it is possible to extend the RBAC authorization scenario with one or two other dimensions, ABAC aims to tackle the problem at the root by defining a scheme in which any information available at the time and place where the decision is being made can be used in the authorization process.

As the common saying goes, “Only the sky is the limit”. In this blog post we will get an introduction to how adopters of XACML can utilise the power of Policy Information Points to evaluate authorization decisions based on just about any property that can be exposed to the XACML decision engine.

Scaling XACML Architecture Deployment

XACML, which stands for eXtensible Access Control Markup Language, exists to solve the problem of authorization (AuthZ) with a focus on extensibility, granularity and scalability. At first glance, the standard specification appears to do all the magic with a seemingly over-simplified reference model; at least it was my impression when I first learnt about it. However, the simplicity of the model is the key that makes XACML easy to adopt and gives the implementor the flexibility to scale it up to meet any requirement. This post will discuss the various options available to scale a XACML deployment.

The Axiomatics Policy Server 5 architecture will be used as an example for the different approaches discussed in this post.
