XACML 3.0 is the eXtensible Access Control Markup Language, an open standard for specifying and evaluating authorization and access control policies. Version 3.0 of the standard was published by the OASIS standards body in August 2010.
XACML 3.0 is the third version of the eXtensible Access Control Markup Language. Work on XACML began in 2001. XACML 1.0 was standardized in 2003, XACML 2.0 in 2005, and XACML 3.0 was ratified as an OASIS standard in January 2013. The standard can be downloaded from OASIS.
XACML defines:
- an authorization policy language
- a request / response scheme
- an architecture
The architecture defines the following terms:
- Policy Administration Point (PAP): this is where authorization policies are authored
- Policy Decision Point (PDP): this is where the policies are evaluated and decisions are reached
- Policy Information Point (PIP): this is where attribute values required during policy evaluation are fetched from. PIPs are typically directories, databases, or CSV files.
- Policy Enforcement Point (PEP): this is the component that protects applications, intercepts business requests, creates authorization requests, sends them to the PDP, gets a decision back and enforces the decision.
XACML defines four possible decisions:
- Permit: access is allowed
- Deny: access is denied
- NotApplicable: no policy applies to the request, so the PDP cannot tell whether access should be allowed or denied
- Indeterminate: an error occurred during policy evaluation
XACML is said to be policy-based and attribute-based because it builds on policies that are themselves made of attributes. Attributes are essentially key-value pairs, e.g. role=manager or citizenship=Swedish.
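To show how the PEP, PDP, PIP and the four decisions fit together, here is a toy, attribute-based PDP written as an added example for this page; it is not OASIS code or any XACML implementation, and its policy, directory contents and the simplified deny-overrides ordering are constructed assumptions.

```python
# Toy XACML-style PDP (constructed example): attributes are key-value pairs,
# missing attributes are looked up in a PIP, and evaluation yields one of
# Permit, Deny, NotApplicable or Indeterminate.

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


class PIP:
    """Hypothetical Policy Information Point backed by an in-memory directory."""

    def __init__(self, directory):
        self.directory = directory  # constructed: {"alice": {"role": "manager"}}

    def fetch(self, request, attr):
        return self.directory.get(request.get("subject"), {}).get(attr)


def resolve(request, attr, pip):
    """Take the attribute from the request, else ask the PIP, else None."""
    return request[attr] if attr in request else pip.fetch(request, attr)


def evaluate_rule(rule, request, pip):
    """Effect if every target attribute matches; NotApplicable on a mismatch;
    Indeterminate if an attribute the rule needs cannot be found anywhere."""
    for attr, wanted in rule["target"].items():
        value = resolve(request, attr, pip)
        if value is None:
            return INDETERMINATE
        if value != wanted:
            return NOT_APPLICABLE
    return rule["effect"]


def evaluate(policy, request, pip):
    """Simplified deny-overrides combining: Deny > Indeterminate > Permit > NotApplicable."""
    results = [evaluate_rule(rule, request, pip) for rule in policy]
    for decision in (DENY, INDETERMINATE, PERMIT):
        if decision in results:
            return decision
    return NOT_APPLICABLE


# Constructed policy: managers may read reports; nobody may delete them.
POLICY = [
    {"effect": PERMIT, "target": {"resource": "report", "action": "read", "role": "manager"}},
    {"effect": DENY, "target": {"resource": "report", "action": "delete"}},
]
PIP_DIRECTORY = {"alice": {"role": "manager"}, "bob": {"role": "clerk"}}


def decide(subject, resource, action):
    """PEP-style helper: build the authorization request and ask the PDP."""
    request = {"subject": subject, "resource": resource, "action": action}
    return evaluate(POLICY, request, PIP(PIP_DIRECTORY))
```

A subject unknown to the PIP (no role attribute anywhere) yields Indeterminate rather than NotApplicable, which is the case a PEP must treat as an error, not as "no rule matched".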