A version 04 draft of the XACML Profile for Web-Services specification has been produced by members of the OASIS Extensible Access Control Markup Language TC. Also referenced as 'WSPL', the specification "defines a profile of XACML that enables it to be used for describing policy associated with Web service end-points and using them in a successful invocation."
Background to the WSPL design is supplied in a Web-Services Policy Language Use Cases and Requirements document, summarized in the version 04 spec: "Access to a standard-conformant Web-service end-point involves a number of aspects, such as: reliable messaging, privacy, authorization, trust, authentication and cryptographic security. Each aspect addresses a number of optional features and parameters, which must be coordinated between communicating end-points if the service invocation is to be successful. The provider and consumer of the service likely have different preferences amongst the available choices of features and parameters. Therefore, a mechanism is required by which end-points may describe the mandatory features of service invocation, optional features that they support and the order of their preference amongst such features. Additionally, a procedure is required for combining and reducing these feature descriptions into a service invocation instance that respects both end-points' requirements. According to the WSPL profile, an XACML <PolicySet> element is associated with a concrete Web-service end-point definition."
Appendix A of the specification provides an example from the realm of data-rate allocation; it illustrates the procedure for combining and reducing XACML policies that conform with the WSPL profile using two simple policy instances.
Bibliographic Information
XACML Profile for Web-Services. Edited by Tim Moses (Entrust). Contributing authors: Anne Anderson (Sun Microsystems), Seth Proctor (Sun Microsystems), and Simon Godik (Overxeer). XACML TC Working draft, Version 04. September 29, 2003. Document identifier: 'draft-xacml-wspl-04'. Comments to xacml-comment@lists.oasis-open.org. 41 pages.
Web-Services Policy Language Use Cases and Requirements. Edited by Tim Moses (Entrust). Contributors: Anne Anderson (Sun Microsystems), Frank Siebenlist (Argonne National Labs), Frederick Hirsch (Nokia Mobile Phone), Ron Monzillo (Sun Microsystems), and Simon Godik (Overxeer). XACML TC Working draft version 04. April 16, 2003. 23 pages. "This working draft defines use-cases and requirements for negotiating a variety of forms of policy in the Web-services architecture. The document explores the requirements for policy expression in the Web-services application domain. Several applications of policy were considered in preparing this analysis, including: cryptographic-security policy, authentication policy, authorization policy, privacy policy, reliable-messaging policy, transaction-processing policy, and trust policy."
From the WSPL Model Description
In this profile, an XACML <PolicySet> element is associated with a concrete Web-service end-point definition. To that end, its <Target> element must identify the WSDL 1.1 port whose features and parameters it describes. In the case that a policy must be targeted more finely than a port, a second level of <PolicySet> whose <Target> element identifies the port's operations and messages must be inserted. The <PolicySet> elements must contain <Policy> elements that define the objective of each aspect of policy associated with the port.
An XACML <Policy> element is associated with a single aspect of an end-point policy. The <Target> element of a <Policy> must identify the one objective of the end-point policy to which it applies. Developers of Web-service specifications that make use of XACML must define a name and type for its objective. In order for an end-point to be successfully invoked, all of its objectives must be achieved by the service invocation. The <Policy> element must contain <Rule> elements that define acceptable alternative strategies for achieving the objective.
An XACML <Rule> element must describe one alternative strategy for achieving an objective. At least one strategy must be successful if its objective is to be achieved. The lexical order of the strategies in the objective should reflect the policy-writer's preferences. For example, the policy writer's preferred strategy should appear first. The <Rule> element must contain a set of <Apply> elements that define predicates.
An XACML <Apply> element must contain exactly one predicate. All predicates must be satisfied by a service invocation if the associated strategy is to be successful. An <Apply> element shall not contain another <Apply> element... [adapted from the Version 04 spec]
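The four-level model above (a <PolicySet> per WSDL port, a <Policy> per objective, a <Rule> per alternative strategy, an <Apply> per predicate) and the combine-and-reduce step that the use-cases document calls for can be sketched in code. The following is an added illustration written for this page, not code from the specification or from the XACML TC, and it does not reproduce the Appendix A data-rate example. The class names, the three comparison operators, the attribute names ('data-rate', 'digest'), the two sample policies, and the tie-break rules (the provider's preference order is tried first, and an objective that one side does not mention is treated as unconstrained on that side) are all assumptions made here.

```python
"""Toy model of the WSPL structure (PolicySet -> Policy -> Rule -> Apply)
and a simplified combine-and-reduce step for two end-points.
Added illustration only; names, operators, attributes and sample policies
are assumptions, not taken from the specification."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Predicate:
    """One <Apply> element: exactly one predicate over a named attribute.
    Operators are limited to '==', '>=', '<=' (an assumption for this toy)."""
    attribute: str
    op: str
    value: object


# One <Rule> element: an alternative strategy, i.e. a set of predicates
# that must ALL hold for the strategy to succeed.
Strategy = Tuple[Predicate, ...]


@dataclass
class Objective:
    """One <Policy> element: a single aspect of the end-point policy, with
    its alternative strategies listed in the writer's order of preference."""
    name: str
    strategies: List[Strategy]


@dataclass
class EndpointPolicy:
    """One <PolicySet> element: the policy for a single WSDL 1.1 port."""
    port: str
    objectives: Dict[str, Objective]


# attribute -> (lower bound, upper bound, exact value); None = unconstrained
Bounds = Dict[str, Tuple[object, object, object]]


def merge_predicates(preds: Strategy) -> Optional[Bounds]:
    """Collapse predicates into per-attribute bounds; None if they conflict."""
    bounds: Bounds = {}
    for p in preds:
        lo, hi, eq = bounds.get(p.attribute, (None, None, None))
        if p.op == ">=":
            lo = p.value if lo is None else max(lo, p.value)
        elif p.op == "<=":
            hi = p.value if hi is None else min(hi, p.value)
        elif p.op == "==":
            if eq is not None and eq != p.value:
                return None          # two different exact values: contradiction
            eq = p.value
        else:
            raise ValueError(f"unsupported operator {p.op!r}")
        bounds[p.attribute] = (lo, hi, eq)
    for lo, hi, eq in bounds.values():
        if lo is not None and hi is not None and lo > hi:
            return None              # empty range
        if eq is not None and ((lo is not None and eq < lo) or
                               (hi is not None and eq > hi)):
            return None              # exact value falls outside the range
    return bounds


def first_compatible(p_obj: Objective, c_obj: Objective) -> Optional[Bounds]:
    """First (provider, consumer) strategy pair, in lexical/preference order,
    whose predicates can be satisfied by one invocation."""
    for ps in p_obj.strategies:
        for cs in c_obj.strategies:
            merged = merge_predicates(ps + cs)
            if merged is not None:
                return merged
    return None


def reduce_policies(provider: EndpointPolicy,
                    consumer: EndpointPolicy) -> Optional[Dict[str, Bounds]]:
    """Combine two end-point policies into one invocation instance.
    Every objective named by either side must be achieved; if any objective
    has no jointly satisfiable strategy pair, the invocation fails (None)."""
    unconstrained = Objective("*", [()])   # one strategy with no predicates
    instance: Dict[str, Bounds] = {}
    for name in sorted(set(provider.objectives) | set(consumer.objectives)):
        chosen = first_compatible(provider.objectives.get(name, unconstrained),
                                  consumer.objectives.get(name, unconstrained))
        if chosen is None:
            return None
        instance[name] = chosen
    return instance


# Constructed sample policies (data-rate in kbit/s). The provider prefers a
# cheap low rate; the consumer prefers a high one; one objective is one-sided.
P = Predicate
PROVIDER = EndpointPolicy("ExampleServicePort", {
    "data-rate": Objective("data-rate", [(P("data-rate", "<=", 64),),
                                         (P("data-rate", "<=", 256),)]),
    "integrity": Objective("integrity", [(P("digest", "==", "SHA-256"),)]),
})
CONSUMER = EndpointPolicy("ExampleClientPort", {
    "data-rate": Objective("data-rate", [(P("data-rate", ">=", 128),),
                                         (P("data-rate", ">=", 96),)]),
})
GREEDY_CONSUMER = EndpointPolicy("GreedyClientPort", {
    "data-rate": Objective("data-rate", [(P("data-rate", ">=", 512),)]),
})

if __name__ == "__main__":
    print(reduce_policies(PROVIDER, CONSUMER))         # merged instance
    print(reduce_policies(PROVIDER, GREEDY_CONSUMER))  # None: no agreement
```

Running it shows the two rules the model description states: the provider's preferred strategy (at most 64 kbit/s) is rejected because no invocation satisfies it together with either consumer strategy, so the provider's second strategy combined with the consumer's first yields the reduced range 128..256; and with the greedy consumer the data-rate objective has no achievable strategy, so the whole invocation fails rather than proceeding with the remaining objectives.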
Principal references:
- Sun XACML reference page:
- XACML Profile for Web-Services. WSPL Draft version 04. [source PDF, posted by Bill Parducci 2003-09-29]
- "Motion to Approve WSPL as OASIS Committee Draft." From Tim Moses (September 29, 2003).
- Web-Services Policy Language Use Cases and Requirements. Version 04. April 16, 2003. [source]
- Previous WSPL versions:
  - Version 03. September 05, 2003.
  - Version 02. July 23, 2003.
  - Version 01. May 09, 2003.
- Earlier WSPL Use Cases and Requirements: Version 03 (March 21, 2003) and earlier, WSPL Use Cases v 01 (March 7, 2003).
- XACML TC website
- XACML TC FAQ document
- "A Brief Introduction to XACML."
- XACML TC document list
- XACML TC list archives
- Contact: Hal Lockhart and Bill Parducci, TC Chairs.
- See also: "Updated Versions of Web Services Policy (WS-Policy) Specifications."
- "Extensible Access Control Markup Language (XACML)" - Main reference page.