Category: Question of the Week

How Can I Use Time in a XACML Policy?

Question of the Week
Attribute-based access control (ABAC) lets us define fine-grained authorization policies that typically take into account user attributes and resource attributes. Sometimes we may need time...

What is the main difference between XACML 3.0 and XACML 2.0?

Question of the Week
To Axiomatics prospects and customers, standardization, or standards compliance, is of great importance and often one of the deciding factors in choosing Axiomatics over “homegrown”...

How do I write authorization policies for Big Data?

Question of the Week
When it comes to securing access to services and data, we see many different use cases and, with that, the enforcement of authorization rules...

How can commercial off-the-shelf (COTS) applications be supported with XACML?

Question of the Week
As a Sales Engineer, it’s not uncommon to meet with a customer – or a prospective customer – who, along with securing APIs, microservices and...

How Can I Use Policy References in ALFA?

Question of the Week
The Abbreviated Language For Authorization (Wikipedia) or ALFA is a domain specific language used to express XACML authorization policies. It is by far much easier...

How Can I Return the Reason for a Denial in a XACML Response?

Question of the Week
The XACML standard provides a means of returning the reason for an access request denial through the use of the Obligations and Advice expressions, which...

Why Does Retrieving Attribute Values from a Secure LDAP Slow Performance?

Question of the Week
This week’s question gets into a very specific XACML implementation detail but it is one that I encounter often so I thought this might be...

Should I Define the Authorization Logic in the Policy or an External Datasource?

Question of the Week
There are different approaches to expressing authorization logic. What’s the best way? It’s not as simple as the right or wrong way in this case...

How Can I Use Date in a XACML Policy?

Question of the Week
We have written in the past about using time in XACML policies. This can be useful when wanting to control access outside office hours for...

How Can I Comment My Policies?

Question of the Week
Writing access control policies is an iterative process; you write rules, test for expected results, restructure, amend with additional rules and scope, and retest. One...

Breaking the Glass – Using XACML to Implement HIPAA Regulations

Question of the Week
Break the Glass Scenario: By default users have access to what they need to get access to. Example authorization policy: doctors can view the medical...

When and How Can I Express Negative Logic in XACML?

Question of the Week
When authoring an access control policy, you may be creating a logical structure that calls for a negative expression. For example, you might be protecting...

What is an XACML Policy Reference?

Question of the Week
XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute-Based Access Control (ABAC). XACML uses attributes inside policies to convey authorization...

In XACML what is the StringOneAndOnly function?

Question of the Week
Examples of policies can be: Managers can view documents in their city. Users can edit documents they own. Each policy uses attributes. In the examples...

What Does NotApplicable Mean?

Question of the Week
The Policy Enforcement Point (PEP) sends the PDP an authorization request. The PDP inspects the request and must return a decision. There are four possible...

How Can I Implement Access Control Lists (ACL) Using XACML Policies?

Question of the Week
Let me first give you a short introduction to Access Control Lists (ACL). In software, an ACL is a list of permissions granted to subjects...

Do Attribute Data Types Matter?

Question of the Week
Yes, they do, they absolutely do. There are several data types defined in the XACML specification. The X in XACML is short for eXtensible, meaning...

Is ALFA a Part of the OASIS XACML Technical Committee Series of Standards?

Question of the Week
The Abbreviated Language for Authorization (ALFA) is a pseudocode language used in the formulation of access control policies. ALFA maps directly into the eXtensible Access Control...

Why Should I Define Attribute Connectors Using JNDI?

Question of the Week
One of the key benefits of an Attribute Based Access Control (ABAC) system is the ability to use many attributes to make fine-grained authorization decisions....

How Does a Policy Decision Point Load a New Policy?

Question of the Week
Policy Decision Points (PDP) are managed through Authorization Domains in the Axiomatics Services Manager (ASM). When a new policy is applied to a Domain, the...

Is It a Good Practice to Use SQL Views for Policy Information Points?

Question of the Week
In order to better support the configuration of an Axiomatics solution (APS, ARQ, ADAF MD…) the Axiomatics Professional Services team suggest the use of a...

Should the Policy Enforcement Point Send All Attributes Needed to Evaluate a Request?

Question of the Week
Key Attributes and Derived Attributes: Key Attributes are the basis of a XACML request. PEPs can send any number of attributes to the PDP. At...

How Do I Check for the Presence of an Attribute?

Question of the Week
This blog will look more closely at the scenarios where you want to evaluate an attribute on a particular target. First, let’s define a few...

What are the Possible XACML REST PDP Response Codes?

Question of the Week
The Axiomatics Policy Server provides both a SOAP and a REST endpoint to which authorization requests can be sent. This blog will focus on...

When Should I Use an XACML Condition?

Question of the Week
XACML Targets: Targets are an easy way to define the scope of an authorization policy. Targets can be used in all three XACML structural elements...

How Can I Use Booleans in a XACML Target?

Question of the Week
The Data Type: The XACML identifier for the boolean data type is http://www.w3.org/2001/XMLSchema#boolean and the values accepted are ‘true’, ‘false’, ‘1’ and ‘0’. Note that booleans have...

Does the JSON profile for XACML support MDP?

Question of the Week
JSON, or JavaScript Object Notation, is a more lightweight and arguably easier-to-work-with format than XML, which is typically used in data exchange...

How Can an Authorization Request Be Simulated?

Question of the Week
We are rolling out a new format on our blog – the “Question of the Week” – an ongoing feature that will tackle all sorts...