What is an XACML Policy Reference?

XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute-Based Access Control (ABAC). XACML uses attributes inside policies to convey authorization statements. Policy authoring can be an art form, and we won’t be getting into every aspect of it in this article. For a brief overview of what a policy is, check out this Axiomatics article.

I’m often asked “Why would I use a policy reference when writing a policy?” There are several reasons why, but if I answer them all here I’ll quickly run out of topics for future “Question of the Week” articles. For now, let’s start by explaining what a policy reference is.

The definition of a XACML Policy Reference can be found in the XACML core specification here and here.

In layman’s terms a policy reference is a pointer to another policy set or policy object. Some of the reasons to use a policy reference are:

  • Provide structure and organization
  • Make a large policy easier to work with
  • Re-use common components at various points within a policy package
  • Enable collaborative policy authoring

Example

Below is an example of policy references generated by the Axiomatics Policy Editor. In this screenshot, we have a parent policy set (Main) which contains 2 policy sets (Internal Applications and External Applications). The Internal Applications policy set is expanded and contains 3 policy references.

Policy references can point to policies and policy sets in the same tree or in a separate tree/file.

If we take a look at the Human Resources policy set, we will find a complete policy structure of all the policies and rules needed to support the applications for Human Resources.


XACML XML Representation

The raw XML of the main.xml policy above contains a PolicySetIdReference to a policy set with an ID of b11d213a-2514-46d6-ad6b-295ff8532574. This is a reference to the Human Resources policy set.

<xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" PolicySetId="https://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54" Version="1.0" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml3:Description>Main</xacml3:Description>
  <xacml3:PolicySetDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicySetDefaults>
  <xacml3:Target/>
  <xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" Version="1" PolicySetId="19c84585-0dc5-410c-98c8-60c9c38b539e">
    <xacml3:Description>Internal Applications</xacml3:Description>
    <xacml3:PolicySetDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicySetDefaults>
    <xacml3:Target/>
    <xacml3:PolicySetIdReference>7e54ee6f-8887-4257-90a3-6f86fcf7cecf</xacml3:PolicySetIdReference>
    <xacml3:PolicySetIdReference>b11d213a-2514-46d6-ad6b-295ff8532574</xacml3:PolicySetIdReference>
    <xacml3:PolicySetIdReference>719eee46-8f21-4359-ac7f-86ef895984f9</xacml3:PolicySetIdReference>
  </xacml3:PolicySet>
  <xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" Version="1" PolicySetId="c2db3645-ab01-4669-9c37-b8b966eaa746">
    <xacml3:Description>External Applications</xacml3:Description>
    <xacml3:PolicySetDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicySetDefaults>
    <xacml3:Target/>
    <xacml3:PolicySetIdReference>1c3cc12f-0419-40fc-8340-603dc6f2fe2e</xacml3:PolicySetIdReference>
    <xacml3:PolicySetIdReference>caf96db0-2106-4e51-9998-c639ebf47d7d</xacml3:PolicySetIdReference>
    <xacml3:PolicySetIdReference>ca6f0f32-a555-4799-9446-80827cfb14e7</xacml3:PolicySetIdReference>
  </xacml3:PolicySet>
</xacml3:PolicySet>

The main policy xml

Now if we look at Human Resources.xml, we will see that it has a PolicySetId of “b11d213a-2514-46d6-ad6b-295ff8532574”.

<xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" PolicySetId="b11d213a-2514-46d6-ad6b-295ff8532574" Version="1" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml3:Description>Human Resources Policy set</xacml3:Description>
  <xacml3:PolicySetDefaults>

The referenced Human Resources policy xml
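To make the link between a PolicySetIdReference and the PolicySetId it names concrete, here is an added Python example (not from this article or from Axiomatics) that loads a set of XACML 3.0 policy documents, indexes every PolicySetId and PolicyId they contain (at the root or nested inside a tree, so references within the same file resolve as well as references to a separate file), and reports each reference as resolved or dangling. It assumes the trimmed sample documents embedded in it, which are constructed from the Main and Human Resources policy sets above, and it ignores the optional Version/EarliestVersion/LatestVersion attributes a reference may carry.

```python
import xml.etree.ElementTree as ET
X = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"  # XACML 3.0 core namespace

# Constructed sample, trimmed from the Main policy set above: Internal Applications
# references Human Resources (a separate document) and one ID that is deliberately
# not supplied, so the checker reports it as dangling.
MAIN_XML = """<xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
  PolicySetId="https://www.axiomatics.com/automatic-unique-id/5cc13395-20bd-48b3-a56b-68b1c26c3e54" Version="1.0">
  <xacml3:Target/>
  <xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
    PolicySetId="19c84585-0dc5-410c-98c8-60c9c38b539e" Version="1">
    <xacml3:Description>Internal Applications</xacml3:Description>
    <xacml3:Target/>
    <xacml3:PolicySetIdReference>b11d213a-2514-46d6-ad6b-295ff8532574</xacml3:PolicySetIdReference>
    <xacml3:PolicySetIdReference>7e54ee6f-8887-4257-90a3-6f86fcf7cecf</xacml3:PolicySetIdReference>
  </xacml3:PolicySet>
</xacml3:PolicySet>"""

HR_XML = """<xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
  PolicySetId="b11d213a-2514-46d6-ad6b-295ff8532574" Version="1">
  <xacml3:Description>Human Resources Policy set</xacml3:Description>
  <xacml3:Target/>
</xacml3:PolicySet>"""

def index_ids(roots):
    """Map every PolicySetId and PolicyId, whether at a root or nested in a tree, to its element."""
    return {el.get("PolicySetId") or el.get("PolicyId"): el
            for root in roots for el in root.iter()
            if el.tag in (X + "PolicySet", X + "Policy")}

def check_references(docs):
    """Return (resolved, dangling) lists of (referring PolicySetId, referenced id, kind)."""
    roots = [ET.fromstring(d) for d in docs]
    ids = index_ids(roots)
    resolved, dangling = [], []
    for root in roots:
        for pset in root.iter(X + "PolicySet"):       # references only live inside PolicySets
            for ref in pset:
                if ref.tag not in (X + "PolicySetIdReference", X + "PolicyIdReference"):
                    continue
                kind = "PolicySet" if ref.tag == X + "PolicySetIdReference" else "Policy"
                ref_id = (ref.text or "").strip()
                target = ids.get(ref_id)
                # A PolicySetIdReference must land on a PolicySet, a PolicyIdReference on a Policy
                ok = target is not None and target.tag == X + kind
                (resolved if ok else dangling).append((pset.get("PolicySetId"), ref_id, kind))
    return resolved, dangling
```

A reference the PDP cannot resolve means the referencing branch cannot evaluate as the author intended, so running a check like this over a policy package before deployment catches broken links early.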

XACML Representation in ALFA

In the ALFA example below, we have a main policy which contains 2 branches: one about documents and the other about contracts. Each branch references / links to a common policy called checkTime.

/** The main policy */
policyset main {
  apply firstApplicable
  policy documents {
    apply firstApplicable
    /** Reference (link) to common policy */
    checkTime
    rule managersCanViewDocuments {
      permit
    }
  }
  policy contracts {
    apply firstApplicable
    /** Reference (link) to common policy */
    checkTime
    rule tellersCanEditContracts {
      permit
    }
  }
}

/** A common policy that will be reused across multiple locations */
policy checkTime {
  apply firstApplicable
}

Linking to policies inside the same file / tree

A policy reference does not need to point to a policy that exists in a separate file or policy tree. A reference can also point to other policies contained in the same tree, as illustrated below.

Reference to another policy within the same policy file

Conclusion

XACML policy references are essentially pointers to other policies which are used to:

  • Provide structure and organization
  • Make a large policy easier to work with
  • Reuse common components at various points within a policy package
  • Enable collaborative policy authoring

If you’ve ever worked with a large policy and wondered “there must be an easier way!”, now you have your answer: use a policy reference. Not only can policy references make managing a large policy easier, but they are fun to use. If you haven’t tried using a policy reference, it’s time you joined in on the fun and gave them a try.
