• eXtensible Access Control Markup Language (XACML)

    The standardized approach to dynamic authorization and Policy Based Access Control (PBAC).

What is XACML?

The eXtensible Access Control Markup Language (XACML) is a standard developed by leading security experts as part of the Organization for the Advancement of Structured Information Standards (OASIS). It is currently in its third generation.

The eXtensible Access Control Markup Language remains the only standardized way to dynamically enforce authorization by externalizing access controls from applications and databases and using business policies – in what is also referred to as Attribute Based Access Control (ABAC) to govern who can access which data under multiple, fine-grained conditions. At its core, it consists of a standard language, response/request protocol, and reference architecture.

In the XACML 3.0 Oasis Standard, it is stated that; “If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems.  Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving, and enforcing policy.”

Discover 100% Pure XACML

Laptop sitting in front of a large screen with two code windows opened | Axiomatics

The advantages of using XACML

Using XACML offers many advantages to enterprises and large organizations that require a standardized way to securely share assets, while meeting and proving compliance.

Centrally managed system

With one central repository for all XACML policies, XACML standardizes authorization to deliver unrivaled control of assets across the enterprise at every point of access, whether it’s via an API, microservices, app, portal, webservice or database.

Avoid vendor lock-in

Using a standards-based language as opposed to a proprietary system enables more flexibility among developers and avoids vendor lock-in.

Security you can trust

The XACML policy standard has been developed collaboratively and implemented by leading IT security experts at some of the world’s leading companies. It meets the highest security standards.

Simplified policy creation

To simplify policy writing in XACML JSON scripts are used. The lightweight data-interchange format is easy for humans to read and write and easy for machines to parse and generate.

The XACML architecture

The XACML architecture is made up of five key software modules that work in unison to enforced standardized run-time authorization at any and every access request point. Read more about the XACML Reference Architecture

Policy Administration Point (PAP)

The Policy Administration Point is the point of policy authorship. Once a user has written or edited/updated a policy in plain language, the PAP automatically converts it to machine-readable, standards-based XAML code for administration and enforcement by the system.

Policy Information Point (PIP)

The Policy Information Point is a powerful system that calls out to the different attribute directories and third-party services at run-time in order for the Policy Decision Point to establish if the request meets a policy’s specifications. These so-called attribute values including the resource, source, environment, etc.


Policy Retrieval Point (PRP)

The Policy Retrieval Point is the storage point of the XACML access authorization policies. This is most commonly a filesystem or database.

Policy Decision Point (PDP)

The Policy Decision Point evaluates the request, based on what’s written in a policy, and makes a decision – typically Permit or Deny access. The XACML PDP then informs the PEP of the decision.

Policy Enforcement Point (PEP)

The Policy Enforcement Point, both receives the access request and enforces the decision of permit or deny from the XACML PDP in run-time.

Learn now to get started with Attribute-based Access Control

The XACML authorization flow

  1. A user makes an access request which is intercepted by the Policy Enforcement Point (PEP) and converted into XACML.
  2. The Policy Decision Point (PDP) queries the Policy Information Point (PIP) and the Policy Retrieval Point (PRP) to decipher whether or not the attribute values and policies and aligned.
  3. The Policy Decision Point (PDP) then takes a decision to permit or deny access and sends the response to the Policy Enforcement Point (PEP).
  4. The Policy Enforcement Point (PEP) enforces the decision.

Learn more in this Beginner’s Guide to XACML 


XACML policy language structure and syntax

The XACML policy language is made up of a number of key elements that enable fine-grained authorization to be implemented across different deployment models, i.e., cloud, on-premises, and hosted environments. Read more about XACML Policy Language Structure and Syntax 


A rule is a basic component of a policy. As such it delivers the desired effect of the policy – permit or deny. A rule can contain a target, a condition, an advice, or a set of obligations.


A policy consists of one or a set of rules, a rule-confirming algorithm as well as optional obligations and an advice. The policy is the foundation from which the XACML PDP can perform.

Policy set

A policy set is a group of policies, which can be located in various locations. Policy sets include policies, a policy-combining algorithm, optional obligations and an advice.


A target enables the XACML PDP to verify which policy or rules apply for a certain request. Target statements act as definers for relevant attributes for the rule, policy, or policy set.


Conditions are part of a rule and can compare attribute values, to evaluate if an attribute is “True”, “False” or “Indeterminate”. In the XACML example below, you can see the role of a condition when checking if a subject’s username is the same as a resource’s owner attribute.

Meet with an expert to see how our solution works

How to choose the right access control solution

No matter where your critical assets are stored or how complex or distributed your architecture is, we can help you safeguard and securely share them. Our team of experts can help you define requirements and tailor the Attribute Based Access Control products from our dynamic authorization suite to meet your needs.

Four office workers discussing Xacml

Get in touch

Regulations are getting stricter and competitors are getting more aggressive. Don’t spend time on authorization, focus on your core activities and we will ensure data is secured and regulations are met.

Customer support

Do you have a question for an Axiomatics engineer? Our support team are ready to help you.