Introduction to XACML

What is XACML?

XACML (eXtensible Access Control Markup Language) is an open-standard, XML-based language. The standard defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model that describes how to evaluate access requests according to the rules defined in policies. (*)

XACML policy language: used to describe general access control requirements.

XACML request/response protocol: used to query a decision engine that evaluates real-world access requests against existing XACML policies.

XACML reference architecture: provides a standard for deploying the software modules needed to enforce XACML policies efficiently.

Terminology

(*) Wikipedia definition

Flow

  1. A user sends a request which is intercepted by the Policy Enforcement Point (PEP).
  2. The PEP converts the request into an XACML authorization request.
  3. The PEP forwards the authorization request to the Policy Decision Point (PDP).
  4. The PDP evaluates the authorization request against the policies it is configured with. The policies are acquired via the Policy Retrieval Point (PRP) and managed by the Policy Administration Point (PAP). If needed, the PDP also retrieves attribute values from underlying Policy Information Points (PIP).
  5. The PDP reaches a decision (Permit / Deny / NotApplicable / Indeterminate) and returns it to the PEP.


In Soffid, the PAP and the PIP are implemented in the Console.
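The flow above, as an added example that is not Soffid's code nor any XACML engine's: a simplified model in which the PEP builds an attribute request, the PDP evaluates it with the deny-overrides combining algorithm, and a PIP callback supplies attributes the request did not carry. All names, the directory and the policy are constructed for the example; the point is that a missing PIP attribute yields Indeterminate rather than a silent Permit, and that the PEP grants only on an explicit Permit.

```python
# Added example (not Soffid's or any XACML engine's code): a simplified model of the flow
# above with constructed data: PEP builds the request, PDP combines rules, PIP fills gaps.
from collections import namedtuple
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
# effect: PERMIT or DENY; target: attribute -> value that must match; condition: callable or None
Rule = namedtuple("Rule", "effect target condition")
def make_lookup(request, pip):
    # Attribute getter for the PDP: take values from the request first, then ask the PIP.
    def get(name):
        value = request[name] if name in request else pip(name, request)
        if value is None:
            raise LookupError(name)          # neither the PEP nor the PIP has the attribute
        return value
    return get
def evaluate_rule(rule, get):
    try:
        if any(get(k) != v for k, v in rule.target.items()):
            return NOT_APPLICABLE            # target does not match this request
        if rule.condition is not None and not rule.condition(get):
            return NOT_APPLICABLE
        return rule.effect
    except LookupError:
        return INDETERMINATE                 # a required attribute could not be obtained

def pdp_deny_overrides(policy, request, pip):
    """PDP: evaluate every rule, then combine them with deny-overrides (as in XACML 3.0)."""
    get = make_lookup(request, pip)
    results = [(evaluate_rule(rule, get), rule.effect) for rule in policy]
    if any(res == DENY for res, _ in results):
        return DENY
    if any(res == INDETERMINATE and eff == DENY for res, eff in results):
        return INDETERMINATE                 # an unevaluable Deny rule must not be skipped
    if any(res == PERMIT for res, _ in results):
        return PERMIT
    if any(res == INDETERMINATE for res, _ in results):
        return INDETERMINATE
    return NOT_APPLICABLE

# Constructed sample data: the PIP's attribute source and the policy the PDP is configured with.
DIRECTORY = {"alice": {"subject-clearance": "high"}, "bob": {"subject-clearance": "low"}}
def pip(name, request):
    return DIRECTORY.get(request.get("subject-id"), {}).get(name)
POLICY = [
    Rule(DENY, {"resource-id": "payroll"}, lambda get: get("subject-clearance") != "high"),
    Rule(PERMIT, {"resource-id": "payroll", "action-id": "read"}, lambda get: get("subject-role") == "employee"),
]

def pep_allows(user, resource, action):
    """PEP: build the XACML-style request and grant only on an explicit Permit."""
    request = {"subject-id": user, "subject-role": "employee", "resource-id": resource, "action-id": action}
    return pdp_deny_overrides(POLICY, request, pip) == PERMIT
```

With this data, alice reading payroll is permitted, bob is denied by the clearance rule, a user unknown to the PIP gets Indeterminate, and any request outside the policy's targets is NotApplicable; the PEP treats everything but Permit as a refusal.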


Soffid XACML

Using the XACML addon, it is possible to add XACML-standard access controls to the Soffid console. With it, Soffid can apply more complex and more restrictive rules to authorizations.

(*) https://en.wikipedia.org/wiki/XACML

(**) https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#XACML20