Developer Outreach: Axiomatics at JavaZone ’13

The second part of the presentation focuses on an introduction to Attribute-based access control, or ABAC. ABAC can be seen as the next step after Role-based access control (RBAC) in the evolution of authorization. Where RBAC decides on attributes of the user alone (identity, role, title, group), ABAC also takes into account attributes of the resource and even of the context (e.g. time of day, IP address, location). Most importantly, ABAC lets developers express relationships, e.g. a doctor can access a medical record only if she has a care relationship with the owner of that record (the patient).

Attribute-based access control therefore lets developers define exactly the authorization scenarios they care about. And ABAC doesn’t come alone: it is enabled through a policy-based approach (or PBAC, for the sake of yet another acronym). That led us to part III of the presentation, an introduction to XACML.
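To make the care-relationship rule concrete, here it is written as a policy in XACML 3.0, the policy language part III of the presentation introduces. This is an added example, not a policy from the presentation or from Axiomatics; the attribute identifiers under urn:example:* (resource-type, role, patient-id, patients-in-care) are assumed names chosen for this illustration, since a real deployment uses whatever identifiers its directory and patient-record system publish.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the presentation: the care-relationship rule as a XACML 3.0 policy.
     Attribute ids under urn:example:* are assumed names for this illustration. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:policy:medical-record-care-relationship"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>
    A doctor may view a medical record only if the record's patient is among the
    patients the doctor has a care relationship with. Any other request on a medical
    record is denied (deny-unless-permit), so the policy never answers "maybe".
  </Description>

  <!-- Policy target: only medical records are in scope. Other resource types fall
       outside the target and the policy answers NotApplicable for them. -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical-record</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:example:attribute:resource-type"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <Rule RuleId="doctor-with-care-relationship-may-view" Effect="Permit">
    <!-- Rule target: the subject's role is "doctor" and the action is "view". -->
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="urn:example:attribute:role"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <!-- The relationship itself: the resource's patient-id must appear in the bag of
         patient ids the subject cares for. Both designators yield bags, so a doctor with
         several patients works without any one-and-only unwrapping. -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                             AttributeId="urn:example:attribute:patient-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="urn:example:attribute:patients-in-care"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="false"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

Two design choices matter for safety here. The record's patient-id is marked MustBePresent="true", so a request that omits it makes the rule Indeterminate rather than silently evaluating against an empty bag; and the deny-unless-permit combining algorithm turns both that Indeterminate and a plain "no match" into an explicit Deny, so a doctor with no care relationship (or an empty patients-in-care bag) is denied rather than left in an ambiguous state.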

It’s XACML, not whack-a-mole, and it stands for eXtensible Access Control Markup Language. XACML is an OASIS standard (OASIS is the organization behind SAML and many other standards). It’s the de facto standard for policy- and attribute-based access control. One of the main parts of XACML is its architecture and the way authorization is queried: the application (the policy enforcement point) always asks the policy decision point a yes-or-no question. Can Alice do X? Yes she can. The answer comes back as Permit or Deny; the standard also defines NotApplicable and Indeterminate, which an enforcement point should treat as a denial. This makes integration extremely simple and lightweight. And that, of course, makes developers happy.
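The question-and-answer exchange described above, as an added example that is not part of the original post or of any Axiomatics product: a XACML 3.0 request the enforcement point sends for “Can Alice view medical record 4711?”, followed by the decision point's response. The two messages are separate XML documents shown one after the other. The user, patient and record values are constructed for the illustration, and the attribute identifiers under urn:example:* (role, resource-type, patient-id, patients-in-care) are assumed names; the response assumes a policy that permits doctors to view records of patients in their care and uses the deny-unless-permit combining algorithm.

```xml
<!-- Added example, not from the presentation. Attribute ids under urn:example:*
     and all values are constructed for this illustration. -->

<!-- 1. Request from the policy enforcement point (the application). -->
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         ReturnPolicyIdList="false"
         CombinedDecision="false">
  <!-- Who: the subject, with the attributes the PEP already knows about her. -->
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:attribute:role" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
    </Attribute>
    <!-- The relationship attribute: a multi-valued bag, one value per patient in Alice's care. -->
    <Attribute AttributeId="urn:example:attribute:patients-in-care" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">p-4711</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">p-0815</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- What: the resource and its owner. -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical-record/4711</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:attribute:resource-type" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical-record</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:attribute:patient-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">p-4711</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- How: the action being attempted. -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- Context: the environment category carries attributes such as the time of the request. -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:30:00</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

<!-- 2. Response from the policy decision point: one decision, no business logic
     leaking back into the application. -->
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
    <!-- Echoed because the request set IncludeInResult="true" on resource-id,
         which lets the PEP correlate the answer with what it asked. -->
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical-record/4711</AttributeValue>
      </Attribute>
    </Attributes>
  </Result>
</Response>
```

Change patient-id to a value outside Alice's patients-in-care bag (say p-9999) and the same request yields a Deny under a deny-unless-permit policy. Note that the PEP never learns why: the decision is the whole answer, which is what keeps the integration a single call and lets the rule change without touching application code. The PEP's only obligation is to fail closed, treating anything other than Permit (Deny, NotApplicable, Indeterminate, or a transport error) as a refusal.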

In the final part of the presentation, we focused on examples and integrations with existing tooling and APIs. For instance, we looked at using XACML-based authorization for Java servlets, JAX-WS services, and even annotation-driven authorization.
