The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Created: October 05, 2004.
News: Cover Stories

OASIS Extensible Access Control Markup Language TC Approves XACML 2.0 Specifications.

Members of the OASIS Extensible Access Control Markup Language (XACML) Technical Committee have approved several Version 2.0 documents as Committee Drafts. The approved CD documents are available for public review through November 4, 2004.

The motivation behind XACML is to express the well-established ideas in the field of access-control policy (e.g., rules, policies, policy sets, subjects, decision requests, authorization decisions) using an extension language of XML. According to the Core specification, "there is a pressing need for a common language for expressing security policy. If implemented throughout an enterprise, a common policy language allows the enterprise to manage the enforcement of all the elements of its security policy in all the components of its information systems. Managing security policy may include some or all of the following steps: writing, reviewing, testing, approving, issuing, combining, analyzing, modifying, withdrawing, retrieving and enforcing policy."

The XACML specification thus "enables the use of arbitrary attributes in policies, role-based access control, security labels, time/date-based policies, indexable policies, 'deny' policies, and dynamic policies — all without requiring changes to the applications that use XACML. Adoption of XACML across vendor and product platforms should provide the opportunity for organizations to perform access and access policy audits directly across such systems."

The XACML 2.0 Specification Set includes a normative subset of eleven documents, including four XML Schemas and seven prose specifications. The complete distribution for public review is a ZIP archive with sixty-some files, including non-normative formats and examples.

The principal features of XACML are documented in the core Extensible Access Control Markup Language (XACML) Version 2.0 specification, supported by the Core Policy Schema and Core Context Schema. This document provides the model descriptions for data-flow, XACML context (canonical representation of a decision request and an authorization decision), and policy language (rule, policy, policy set).

A SAML 2.0 Profile of XACML "defines a profile for the use of the OASIS Security Assertion Markup Language (SAML) Version 2.0 to carry XACML 2.0 policies, policy queries and responses, authorization decisions, and authorization decision queries and responses."

The XML Digital Signature Profile of XACML draft documents the use of the W3C XML-Signature Syntax and Processing Standard in providing authentication and integrity protection for XACML schema instances.

The Privacy Policy Profile of XACML document references certain principles in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The profile "provides standard attributes and a standard <Rule> element for enforcing OECD principles related to the purpose for which personally identifiable information is collected and used."

A Hierarchical Resource Profile of XACML specification "provides a profile for the use of XACML with resources that are structured as hierarchies. The profile addresses resources represented as nodes in XML documents or represented in some non-XML way. The profile covers identifying nodes in a hierarchy, requesting access to nodes in a hierarchy, and specifying policies that apply to nodes in a hierarchy."

The Multiple Resource Profile of XACML specification defines a profile for requesting access to more than one resource in a single XACML Request Context, or for requesting a single response to a request for an entire hierarchy.

The Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML specification "defines a profile for the use of XACML 2.0 in expressing policies that use role based access control (RBAC). It extends the XACML Profile for RBAC Version 1.0 to include a recommended AttributeId for roles, but reduces the scope to address only 'core' and 'hierarchical' RBAC."

OASIS Sponsor Members active in the XACML TC work include BEA Systems, Booz Allen Hamilton, Computer Associates, Entrust, GlueCode Software, IBM, OpenNetwork, and Sun Microsystems. Other participants include individuals affiliated with Argonne National Laboratory, ComBrio Inc., Computer Associates, National Center for Supercomputing Applications, OpenNetwork, Syracuse University, and Veterans Health Administration.

Bibliographic Information

  • eXtensible Access Control Markup Language (XACML) Version 2.0. Edited by Tim Moses (Entrust). Committee Draft Version 02. 30-September-2004. Document identifier: 'access_control-xacml-2.0-core-spec-cd-02'. 142 pages. With Core Policy Schema and Core Context Schema. XACML Committee members: Anne Anderson (Sun Microsystems), Anthony Nadalin (IBM), Bill Parducci (GlueCode Software), Daniel Engovatov (BEA Systems), Ed Coyne (Veterans Health Administration), Frank Siebenlist (Argonne National Labs), Hal Lockhart (BEA Systems), Michael McIntosh (IBM), Michiharu Kudo (IBM), Polar Humenn (Self), Ron Jacobson (Computer Associates), Seth Proctor (Sun Microsystems), Simon Godik (GlueCode Software), Steve Anderson (OpenNetwork), Tim Moses (Entrust).

  • SAML 2.0 Profile of XACML. Edited by Anne Anderson (Sun Microsystems) and Hal Lockhart (BEA). XACML Committee Draft. Version 01. 16-September-2004. Document identifier: 'access_control-xacml-2.0-saml_profile-spec-cd-01'. 22 pages. With SAML 2.0 Assertion Extension Schema and SAML 2.0 Protocol Extension Schema.

    "This specification defines a profile for the use of the OASIS Security Assertion Markup Language (SAML) Version 2.0 to carry XACML 2.0 policies, policy queries and responses, authorization decisions, and authorization decision queries and responses. It also describes the use of SAML 2.0 Attribute Assertions with XACML..."

  • XML Digital Signature Profile of XACML. Edited by Anne Anderson (Sun Microsystems). XACML Committee Draft. Version 01. 16-September-2004. Document identifier: 'access_control-xacml-2.0-dsig_profile-spec-cd-01'. 9 pages.

    "This document provides a profile for use of the W3C XML-Signature Syntax and Processing Standard in providing authentication and integrity protection for OASIS eXtensible Access Control Markup Language (XACML) schema instances... A digital signature is useful for authentication and integrity protection only if the signed information includes a specification of the identity of the signer and a specification of the period during which the signed data object is to be considered valid. XACML itself does not define the format for such information, as XACML is intended to use other standards for functions other than the actual specification and evaluation of access control policies, requests, and responses. One appropriate format that has been defined elsewhere is SAML. This profile recommends use of XACML schema instances in SAML Assertions, Requests, and Responses, which may then be digitally signed as specified in the SAML specification. This profile also notes various canonicalization issues that must be resolved in order for signed documents to be verified by a relying party..."

  • Privacy Policy Profile of XACML. Edited by Tim Moses (Entrust). XACML Committee Draft. Version 01. 16-September-2004. Document identifier: 'access_control-xacml-2.0-privacy_profile-spec-cd-01'. 7 pages. Defines 'Custodian' (the entity to which personally-identifiable information is entrusted) and 'Owner' (the subject of personally-identifiable information), and specifies attributes to support privacy principles in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).

  • Hierarchical Resource Profile of XACML. Edited by Anne Anderson (Sun Microsystems). XACML Committee Draft. Version 01. 30-September-2004. Document identifier: 'access_control-xacml-2.0-hier_profile-spec-cd-01'. 19 pages.

    "It is often the case that a resource is organized as a hierarchy. Examples include file systems, XML documents, and organizations. This Profile specifies how XACML can provide access control for a resource that is organized as a hierarchy... In this Profile, a resource organized as a hierarchy may be a 'tree' (a hierarchy with a single root) or a 'forest' (a hierarchy with multiple roots), but the hierarchy may not have cycles. Another term for these two types of hierarchy is 'Directed Acyclic Graph' or 'DAG'. All such resources are called hierarchical resources in this Profile. An XML document is always structured as a 'tree'. Other types of hierarchical resources, such as files in a file system that supports links, may be structured as 'forests'. In this Profile, the nodes in a hierarchical resource are treated as individual resources. An authorization decision that permits access to an interior node does not imply that access to its descendant nodes is permitted. An authorization decision that denies access to an interior node does not imply that access to its descendant nodes is denied..."

  • Multiple Resource Profile of XACML. Edited by Anne Anderson (Sun Microsystems). XACML Committee Draft. Version 01. 30-September-2004. Document identifier: 'access_control-xacml-2.0-mult_profile-spec-cd-01'. 15 pages.

    "This Profile describes three ways in which a PEP can request authorization decisions for multiple resources in a single request context, and how the result of each such authorization decision is represented in the single response context that is returned to the PEP. This Profile also describes two ways in which a PEP can request a single authorization decision in response to a request for all the nodes in a hierarchy. Support for each of the mechanisms described in this Profile is optional for compliant XACML implementations."

  • Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML, Version 2.0. Edited by Anne Anderson (Sun Microsystems). XACML Committee Draft. Version 01. 30-September-2004. Document identifier: 'access_control-xacml-2.0-rbac_profile1-spec-cd-01'. 24 pages.

XACML's Policy Language Requirements

As presented in the Core eXtensible Access Control Markup Language (XACML) Version 2.0 specification (Section 2.1), the basic requirements of a policy language for expressing information system security policy [to be met by the XACML language] include:

  • To provide a method for combining individual rules and policies into a single policy set that applies to a particular decision request
  • To provide a method for flexible definition of the procedure by which rules and policies are combined
  • To provide a method for dealing with multiple subjects acting in different capacities
  • To provide a method for basing an authorization decision on attributes of the subject and resource
  • To provide a method for dealing with multi-valued attributes
  • To provide a method for basing an authorization decision on the contents of an information resource
  • To provide a set of logical and mathematical operators on attributes of the subject, resource and environment
  • To provide a method for handling a distributed set of policy components, while abstracting the method for locating, retrieving and authenticating the policy components
  • To provide a method for rapidly identifying the policy that applies to a given action, based upon the values of attributes of the subjects, resource and action
  • To provide an abstraction-layer that insulates the policy-writer from the details of the application environment
  • To provide a method for specifying a set of actions that must be performed in conjunction with policy enforcement
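The following is an added illustration (not code from the XACML TC or from any specification text) of how several of the requirements above and the Hierarchical Resource Profile quoted earlier fit together: rules with an Effect, a Policy with a Target, pluggable rule-combining algorithms, a multi-valued subject attribute, and one decision per node of a hierarchical resource. The class and function names, the patient-record tree and the policy itself are constructed for this example.

```python
# Constructed model of XACML 2.0 decision evaluation; Python API names are my own.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def deny_overrides(decisions):
    """Rule-combining algorithm: a single Deny wins over any number of Permits."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA

def first_applicable(decisions):
    """Rule-combining algorithm: the first rule that applies decides the outcome."""
    return next((d for d in decisions if d != NA), NA)

class Rule:
    def __init__(self, effect, condition):
        self.effect, self.condition = effect, condition  # condition: request -> bool

    def evaluate(self, request):
        return self.effect if self.condition(request) else NA

class Policy:
    def __init__(self, target, rules, combine):
        self.target, self.rules, self.combine = target, rules, combine

    def evaluate(self, request):
        # A Policy whose Target does not match yields NotApplicable without
        # consulting its rules; otherwise the combining algorithm decides.
        if not self.target(request):
            return NA
        return self.combine([r.evaluate(request) for r in self.rules])

def has_role(request, role):
    # The subject's role attribute is multi-valued (a "bag" in XACML terms).
    return role in request["subject"].get("role", set())

# Constructed policy over a patient-record hierarchy rooted at /records.
records_policy = Policy(
    target=lambda r: r["action"] == "read" and r["resource"].startswith("/records"),
    rules=[
        # Clinical notes under a record are readable by doctors only.
        Rule(DENY, lambda r: r["resource"].endswith("/notes") and not has_role(r, "doctor")),
        Rule(PERMIT, lambda r: has_role(r, "staff")),
    ],
    combine=deny_overrides,
)

def decide(policy, subject, action, nodes):
    """Evaluate each node as its own resource: per the profile, a decision on an
    interior node implies nothing about the decision for its descendants."""
    return {n: policy.evaluate({"subject": subject, "action": action, "resource": n})
            for n in nodes}

if __name__ == "__main__":
    nurse = {"role": {"staff", "nurse"}}
    print(decide(records_policy, nurse, "read",
                 ["/records", "/records/alice", "/records/alice/notes"]))
```

Run as a script, the nurse is permitted on /records and /records/alice but denied on /records/alice/notes, which is exactly the "interior node permit does not propagate" point the Hierarchical Resource Profile makes.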

Principal references:


Document URI: http://xml.coverpages.org/ni2004-10-05-a.html
Robin Cover, Editor: robin@oasis-open.org