X may mark the spot if you’re looking for treasure, but if you’re looking to protect something dear to you, such as your sensitive assets, X can also form part of your security program. That’s because X is the first letter in XACML, the OASIS standard language that authorization solutions from Axiomatics are based on. eXtensible Access Control Markup Language (XACML) offers a standardized way to achieve externalized and dynamic authorization. This means that authorization decisions are made by an authorization service at run-time, based on policies which determine what actions a user or service can perform on a given information asset and in a specific context.
In a previous blog post we discussed the use of XACML obligations and advice. I concluded the post with the cliffhanger:
An interesting use of advice is as a means to tell the PEP the reasons why a request has been denied; but to show you how this is done I would need to introduce you to the way the PDP calculates the advice for a decision.
In this blog post we describe how the recent JSON and REST profiles of the XACML standard make it easier to use and to integrate with the externalized authorization services provided by the XACML Policy Decision Point (PDP).
Imagine that you are designing a policy for your business, which happens to be a top-notch hospital, and bump into the following legal requirement:
A physician can access a medical record from one of her patients provided this access is reported to the patient
If you are familiar with XACML, much of this requirement would not be too difficult to structure and implement. The problem you may face starts with “provided...”.
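The "provided..." clause is what XACML obligations are for: the PDP returns Permit together with an obligation that the PEP must discharge, and the PEP must withhold access if it cannot. The following added example (not code from the original post or from Axiomatics) models the hospital requirement end to end in the shape of the XACML JSON profile: a request, a small stand-in PDP that applies the rule and attaches a report-to-patient obligation, and a PEP that honours the obligation. The attribute ids `role`, `resource-type`, `patient-id`, `attending-physician`, the obligation id and all sample values are assumptions for this example.

```python
import json

# Standard XACML attribute identifiers; the obligation id and the custom attribute ids below are assumptions.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
REPORT_OBLIGATION = "urn:example:obligation:report-access-to-patient"  # hypothetical id


def build_request(physician, record_type, patient, attending, action="read"):
    """Constructed JSON-profile request: who (AccessSubject) does what (Action) on which record (Resource)."""
    return {"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": SUBJECT_ID, "Value": physician},
            {"AttributeId": "role", "Value": "physician"}]},
        "Resource": {"Attribute": [
            {"AttributeId": "resource-type", "Value": record_type},
            {"AttributeId": "patient-id", "Value": patient},
            {"AttributeId": "attending-physician", "Value": attending}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]}}}


def attrs(request, category):
    """Flatten one request category into an {AttributeId: Value} dict."""
    return {a["AttributeId"]: a["Value"] for a in request["Request"][category]["Attribute"]}


def pdp_evaluate(request_json):
    """Stand-in PDP for the hospital rule; a real deployment POSTs this JSON to the PDP's REST endpoint."""
    req = json.loads(request_json)
    subj, res, act = attrs(req, "AccessSubject"), attrs(req, "Resource"), attrs(req, "Action")
    permit = (subj.get("role") == "physician" and res.get("resource-type") == "medical-record"
              and act.get(ACTION_ID) == "read" and subj.get(SUBJECT_ID) == res.get("attending-physician"))
    result = {"Decision": "Permit" if permit else "Deny"}
    if permit:  # "provided this access is reported to the patient" becomes an obligation on Permit
        result["Obligations"] = [{"Id": REPORT_OBLIGATION, "AttributeAssignment": [
            {"AttributeId": "patient-id", "Value": res["patient-id"]},
            {"AttributeId": "physician-id", "Value": subj[SUBJECT_ID]}]}]
    return json.dumps({"Response": [result]})


def pep_enforce(request_json, notify_patient):
    """PEP side: grant only if the PDP permits AND every returned obligation can be discharged."""
    resp = json.loads(pdp_evaluate(request_json))["Response"][0]
    if resp["Decision"] != "Permit":
        return False
    for ob in resp.get("Obligations", []):
        if ob["Id"] != REPORT_OBLIGATION:
            return False  # an obligation the PEP does not understand cannot be honoured: deny
        kv = {a["AttributeId"]: a["Value"] for a in ob["AttributeAssignment"]}
        if not notify_patient(kv["patient-id"], kv["physician-id"]):
            return False  # the report could not be delivered, so the access is withheld
    return True
```

`notify_patient` stands for whatever channel the hospital uses to report the access; the point is that a Permit decision alone is not enough for the PEP to release the record.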