Trust, Access Control, and Rights for Web Services, Part 2
eXtensible Access Control Markup Language (XACML) Specification
Web services themselves provide a powerful new approach to PKI that prevents each Web service requestor and provider from having to build their own PKI: accessing a trusted PKI as a service. XKMS aims to do just that. This is part 2 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).
eXtensible Access Control Markup Language is an XML Schema for representing authorization and entitlement policies. The XACML 1.0 specification was ratified as an OASIS Open Standard by the OASIS eXtensible Access Control Markup Language Technical Committee in February 2003. Version 1.1 was released in August 2003.
XACML represents the rules that specify the who, what, when, and how of information access. Access control, which is often called rights management, determines who can look at something, what they can do with it, the type of device they can look at it on, and so on.
A set of access control issues has created the need for XACML. First, computing systems are extremely general. Computing platforms have been made as broad and general as possible for the widest possible set of applications that can be run on those platforms. These computing systems also have the broadest possible set of privileges for accessing data and applications, so they can be used in the widest possible set of applications, including those with very permissive (that is, no) security policies.
Second, access control policy enforcement is handled at many different points. In cases of reasonably strict security policy, systems are access controlled at the point of deployment. Enterprise security policy has many elements and points of enforcement, including HR, Finance, Legal, and others.
The third condition that sets up the need for XACML is the plethora of different access control enforcement mechanisms. Each point of enforcement is typically managed independently to make sure the policy is implemented accurately. This makes it prohibitively expensive to modify security policy. It is impossible to obtain a consolidated view of the overall security situation in an enterprise. Despite this fact, pressures increase to demonstrate and prove best practices when protecting information assets.
On top of these three conditions come the machine-to-machine interactions of Web services, which dramatically exacerbate these issues. Combined, these conditions create the need for a common language for expressing information system security policy.
The target of an XACML policy can be any object that is referenced using XML, which gives XACML very fine-grained control. XACML has three top-level policy elements: Policy, PolicySet, and Rule.
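To make the PolicySet, Policy, and Rule elements concrete, here is an added example that is not from the book or from any XACML implementation: a constructed XACML 1.0 policy (namespace, match function, and attribute identifiers as defined in the 1.0 specification; the policy ids and the role attribute id urn:example:attribute:role are invented) together with a small Python evaluator that walks the PolicySet, applies each Target to a request, and combines the Rule and Policy decisions. It supports only the string-equal match function, the first-applicable and deny-overrides combining algorithms, and treats a missing request attribute as a non-match; a real policy decision point also handles Condition elements, the Indeterminate decision, and MustBePresent.

```python
"""Toy XACML 1.0 policy evaluator (constructed example, not production code)."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"
FN_STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ATTR = "urn:example:attribute:role"  # constructed subject attribute id

# Constructed policy: a PolicySet holding one Policy scoped to /records/medical,
# whose first Rule permits physicians to read and whose second Rule denies everything else.
POLICY_XML = """<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicySetId="urn:example:policyset:records"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
  <Policy PolicyId="urn:example:policy:medical-records"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/records/medical</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource></Resources>
      <Actions><AnyAction/></Actions>
    </Target>
    <Rule RuleId="permit-physician-read" Effect="Permit">
      <Target>
        <Subjects><Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>
            <SubjectAttributeDesignator AttributeId="urn:example:attribute:role"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject></Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action></Actions>
      </Target>
    </Rule>
    <Rule RuleId="deny-everything-else" Effect="Deny"/>
  </Policy>
</PolicySet>"""

# (group element, item element, match element, wildcard element, request key)
CATEGORIES = (("Subjects", "Subject", "SubjectMatch", "AnySubject", "subject"),
              ("Resources", "Resource", "ResourceMatch", "AnyResource", "resource"),
              ("Actions", "Action", "ActionMatch", "AnyAction", "action"))


def q(tag):
    """Namespace-qualify an XACML policy element name for ElementTree."""
    return "{%s}%s" % (NS, tag)


def match_element(match, attrs):
    """Evaluate one *Match element: compare the literal AttributeValue with the designated request attribute."""
    if match.get("MatchId") != FN_STRING_EQUAL:
        raise ValueError("unsupported MatchId: " + str(match.get("MatchId")))
    literal = match.find(q("AttributeValue")).text
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    # Simplification: a missing attribute is a non-match rather than Indeterminate.
    return attrs.get(designator.get("AttributeId")) == literal


def target_matches(target, request):
    """A Target matches when every category matches; a Rule with no Target inherits its Policy's."""
    if target is None:
        return True
    for group_tag, item_tag, match_tag, any_tag, key in CATEGORIES:
        group = target.find(q(group_tag))
        if group.find(q(any_tag)) is not None:
            continue  # wildcard: this category always matches
        # Disjunction over items, conjunction over the *Match elements inside each item.
        if not any(all(match_element(m, request[key]) for m in item.findall(q(match_tag)))
                   for item in group.findall(q(item_tag))):
            return False
    return True


def combine(alg_id, decisions):
    """Apply a rule- or policy-combining algorithm, identified by the last URN segment."""
    alg = alg_id.rsplit(":", 1)[-1]
    applicable = [d for d in decisions if d != "NotApplicable"]
    if alg == "first-applicable":
        return applicable[0] if applicable else "NotApplicable"
    if alg == "deny-overrides":
        if "Deny" in applicable:
            return "Deny"
        return "Permit" if "Permit" in applicable else "NotApplicable"
    raise ValueError("unsupported combining algorithm: " + alg_id)


def evaluate_rule(rule, request):
    return rule.get("Effect") if target_matches(rule.find(q("Target")), request) else "NotApplicable"


def evaluate_policy(policy, request):
    if not target_matches(policy.find(q("Target")), request):
        return "NotApplicable"
    return combine(policy.get("RuleCombiningAlgId"),
                   [evaluate_rule(r, request) for r in policy.findall(q("Rule"))])


def evaluate_policy_set(pset, request):
    if not target_matches(pset.find(q("Target")), request):
        return "NotApplicable"
    decisions = [evaluate_policy(c, request) if c.tag == q("Policy") else evaluate_policy_set(c, request)
                 for c in pset if c.tag in (q("Policy"), q("PolicySet"))]
    return combine(pset.get("PolicyCombiningAlgId"), decisions)


def decide(policy_xml, subject, resource, action):
    """Return Permit, Deny, or NotApplicable for a request given as three attribute dictionaries."""
    root = ET.fromstring(policy_xml)
    request = {"subject": subject, "resource": resource, "action": action}
    return evaluate_policy_set(root, request) if root.tag == q("PolicySet") else evaluate_policy(root, request)


if __name__ == "__main__":
    for role, res, act in (("physician", "/records/medical", "read"),
                           ("physician", "/records/medical", "write"),
                           ("nurse", "/records/medical", "read"),
                           ("physician", "/records/billing", "read")):
        print(role, act, res, "->", decide(POLICY_XML, {ROLE_ATTR: role}, {RESOURCE_ID: res}, {ACTION_ID: act}))
```

The ordering inside the Policy is the security-relevant detail: with first-applicable, the catch-all Deny rule must come last, and anything outside the Policy's Target (here, /records/billing) is NotApplicable rather than Deny, so a deployment that wants default-deny needs either a covering deny Policy or a policy enforcement point that treats NotApplicable as Deny.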
This chapter is from Securing Web Services with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515).