[Draft document posted by Bill Parducci. "This document summarizes the changes made in XACML since XACML 1.0 that appear in the XACML 2.0 specification."]
This Profile demonstrates
the use of the W3C XML-Signature Syntax and Processing Standard to provide
authentication and integrity protection for XACML schema instances. Rather than
introduce new elements or features to XACML, this
Profile provides the guidelines for using XML Signatures with XACML and is
intended to be consistent with Guidelines for using XML Signatures with the
OASIS Security Assertion Markup Language wherever possible.
This Profile provides
mechanisms for allowing a PEP to request access to a node in a hierarchical
resource, such as an XML document or a file system. It also describes how to express policies
that can apply to multiple nodes in a hierarchical resource.
This
Profile introduces three ways of specifying requests for access to multiple resources in a single request: XPath expression in resource-id, Scope Attribute in <Resource> and
Multiple <Resource> elements.
XACML <Policy> and <PolicySet>
elements may be distributed from a PAP to a PDP by
means of an LDAP repository. This Profile provides a conformant implementation
by introducing three structural object classes: xacmlTargetInfob, xacmlPolicyInfo
and xacmlPolicyInstance. The
Profile provides the four normative policy behaviors necessary to implement the
Profile: Policy posting, Policy
retrieval, Policy validation and Policy combination.
The XACML Privacy Profile introduces two
entities: Custodian and Owner. The profile provides standard
attributes and a standard <Rule>
element for enforcing the purpose for which Owner information is collected and
used by a Custodian.
To establish the applicability to XACML as a general purpose
access control language the RBAC Profile was created. The intent is to provide
a framework that demonstrates XACML policies that are
compliant with the NIST definition of Role Based Access Control. The RBAC
Profile introduces a number of new terms or concepts: junior role, multi-role permissions, RBAC, role, senior role.
In an attempt to provide a common mechanism for the
assertion and protocol mechanisms needed by XACML the XACML-SAML Profile was
created. This Profile defines how to use SAML 2.0 to protect, transport, and
request XACML 2.0 schema instances and other information needed by an XACML
implementation. There are 6 types of statements used in this profile: AttributeQuery, AttributeStatement,
XACMLPolicyQuery,
XACMLPolicyStatement,
XACMLAuthorizationDecisionQuery
and XACMLAuthorizationDecisionStatement.
To better
define the behaviors of systems that implement the XACML specification three
different PEP profiles have been defined as follows: Base PEP, Deny-biased PEP
and Permit-biased PEP.
The anySubject,
anyResource,
and anyAction
elements have been removed from the XACML specification. If no target match is specified for Subject,
then the policy or rule will apply to any Subject. This same logic also now applies to Resource,
Action, and Environment matching.
The <PolicySetIdReference>
element extends the xs:anyURI
type with the following attributes: Version,
EarliestVersion
and LatestVersion.
The <PolicyIdReference> element has been extended in the same manner as <PolicySetIdReference>. In both cases all version
references use a simplified version of regular expressions for matching
capabilities.
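As an added illustration of the versioned references described above (this is example code written for this summary, not part of the XACML specification or any OASIS deliverable), the following resolves a reference against the versions a repository holds for one policy id. The pattern grammar follows the XACML 2.0 VersionMatchType ('*' stands for any one number, and a trailing '+' for a sequence of numbers; reading '+' as one or more numbers is my interpretation). EarliestVersion and LatestVersion are treated as plain versions compared component-wise, a simplification since the schema also admits patterns there.

```python
import re
from typing import Iterable, Optional

# Grammar of an XACML 2.0 version pattern (VersionMatchType): dot-separated
# components, each a decimal number or '*' (any one number); only the last
# component may be '+' (any sequence of one or more numbers, my reading).
_PATTERN_SYNTAX = re.compile(r"^((\d+|\*)\.)*(\d+|\*|\+)$")
_VERSION_SYNTAX = re.compile(r"^\d+(\.\d+)*$")


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a version pattern into an anchored regular expression."""
    if not _PATTERN_SYNTAX.match(pattern):
        raise ValueError(f"not a valid XACML version pattern: {pattern!r}")
    parts = []
    for component in pattern.split("."):
        if component == "*":
            parts.append(r"\d+")                # exactly one number
        elif component == "+":
            parts.append(r"\d+(?:\.\d+)*")      # one or more numbers
        else:
            parts.append(re.escape(component))  # a literal number
    return re.compile("^" + r"\.".join(parts) + "$")


def version_matches(version: str, pattern: str) -> bool:
    """True if a concrete policy version satisfies the pattern."""
    if not _VERSION_SYNTAX.match(version):
        raise ValueError(f"not a valid XACML version: {version!r}")
    return pattern_to_regex(pattern).match(version) is not None


def version_key(version: str) -> tuple:
    """Compare versions component-wise as integers, so that 1.10 > 1.2."""
    return tuple(int(c) for c in version.split("."))


def resolve_reference(candidates: Iterable[str], version: Optional[str] = None,
                      earliest: Optional[str] = None,
                      latest: Optional[str] = None) -> Optional[str]:
    """Resolve a <PolicyIdReference>/<PolicySetIdReference>: keep the held
    versions that match the Version pattern and lie within
    [EarliestVersion, LatestVersion], and return the highest of them.
    Bounds are plain versions here (simplification: the schema also allows
    patterns). Returns None when nothing qualifies."""
    chosen = None
    for candidate in candidates:
        if version is not None and not version_matches(candidate, version):
            continue
        if earliest is not None and version_key(candidate) < version_key(earliest):
            continue
        if latest is not None and version_key(candidate) > version_key(latest):
            continue
        if chosen is None or version_key(candidate) > version_key(chosen):
            chosen = candidate
    return chosen


if __name__ == "__main__":
    # Constructed set of versions a repository might hold for one policy id.
    held = ["1.0", "1.2", "1.10", "2.0", "2.1.3"]
    print(resolve_reference(held, version="1.*"))                  # 1.10
    print(resolve_reference(held, earliest="1.1", latest="1.5"))   # 1.2
```

Comparing components as integers rather than as strings is the point worth keeping: a lexicographic comparison would rank 1.2 above 1.10 and silently resolve a reference to an older policy than the one the PAP intended.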
The new <MissingAttributeDetail> element conveys information about the attributes
required for policy evaluation that were missing from the request context, identifying each by AttributeId, DataType and AttributeValue. This
element allows the PDP to indicate which necessary attributes were missing in
the request.
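The following is an added example of how a context handler or PEP would read that information out of a PDP response; it is not code from the specification. The response is constructed for the example (the attribute id under urn:example: is a placeholder), and uses the XACML 2.0 context and policy namespaces and the missing-attribute status code.

```python
import xml.etree.ElementTree as ET

MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"

# Constructed sample: a PDP answering Indeterminate because two attributes the
# policy needed were absent from the request context. The second detail lists
# the values that would have satisfied the policy.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Result ResourceId="/reports/q1">
    <Decision>Indeterminate</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
      <StatusMessage>required attributes missing from request context</StatusMessage>
      <StatusDetail>
        <MissingAttributeDetail xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <MissingAttributeDetail xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
            AttributeId="urn:example:subject:clearance"
            DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">secret</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">top-secret</AttributeValue>
        </MissingAttributeDetail>
      </StatusDetail>
    </Status>
  </Result>
</Response>"""

# Constructed sample of an ordinary Permit, carrying no detail at all.
PERMIT_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
  </Result>
</Response>"""


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _named(elem, name):
    """All descendants (including elem itself) whose local name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def missing_attributes(response_xml: str):
    """(AttributeId, DataType, acceptable values) for every attribute a Result
    reports as missing; empty when no Result carries the missing-attribute code."""
    root = ET.fromstring(response_xml)
    missing = []
    for result in _named(root, "Result"):
        codes = {sc.get("Value") for sc in _named(result, "StatusCode")}
        if MISSING_ATTRIBUTE not in codes:
            continue
        for detail in _named(result, "MissingAttributeDetail"):
            # AttributeValue children are direct children of the detail element
            values = tuple((v.text or "").strip()
                           for v in detail if _local(v.tag) == "AttributeValue")
            missing.append((detail.get("AttributeId"), detail.get("DataType"), values))
    return missing


def decisions(response_xml: str):
    """Decision text of each Result, in document order."""
    root = ET.fromstring(response_xml)
    return [(d.text or "").strip() for d in _named(root, "Decision")]
```

A context handler can use the returned list to fetch the named attributes and resubmit the request; a PEP that cannot do so falls back on its profile, so a Deny-biased PEP treats the Indeterminate as Deny. Responses received from an untrusted source should be parsed with a hardened XML parser rather than the plain standard-library one used here.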
Targets now contain the <Environments> element which
in turn contains a disjunctive sequence of <Environment> elements.
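To make the two target changes above concrete (the removal of the any* elements, and the new <Environments> section), here is an added example of target matching, written for this summary and not taken from the specification or any implementation. The <Target> and the request are constructed; urn:example:env:network-zone is a placeholder attribute id, and only the string-equal match function is implemented.

```python
import xml.etree.ElementTree as ET

STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SECTIONS = ("Subjects", "Resources", "Actions", "Environments")

# Constructed XACML 2.0 <Target>: no <Subjects> section at all (so it applies
# to any subject), one resource, two alternative actions, and an <Environments>
# section. urn:example:env:network-zone is a placeholder attribute id.
TARGET = """<Target xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Resources>
    <Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/reports/q1</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ResourceMatch>
    </Resource>
  </Resources>
  <Actions>
    <Action>
      <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ActionMatch>
    </Action>
    <Action>
      <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">list</AttributeValue>
        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ActionMatch>
    </Action>
  </Actions>
  <Environments>
    <Environment>
      <EnvironmentMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">internal</AttributeValue>
        <EnvironmentAttributeDesignator AttributeId="urn:example:env:network-zone"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </EnvironmentMatch>
    </Environment>
  </Environments>
</Target>"""

# Constructed request context: {category: {attribute-id: set of values}}
READ_REQUEST = {
    "Subject": {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": {"alice"}},
    "Resource": {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": {"/reports/q1"}},
    "Action": {"urn:oasis:names:tc:xacml:1.0:action:action-id": {"read"}},
    "Environment": {"urn:example:env:network-zone": {"internal"}},
}


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _match_holds(match_elem, attrs) -> bool:
    """One <SubjectMatch>/<ResourceMatch>/...: true if some value of the
    designated request attribute satisfies MatchId (string-equal only here)."""
    if match_elem.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match_elem.get("MatchId"))
    literal = (_children(match_elem, "AttributeValue")[0].text or "").strip()
    designator = next(c for c in match_elem if _local(c.tag).endswith("AttributeDesignator"))
    return literal in attrs.get(designator.get("AttributeId"), set())


def target_matches(target_xml: str, request: dict) -> bool:
    """A section absent from the Target matches any value of that category,
    which is what replaced the removed <AnySubject/>, <AnyResource/> and
    <AnyAction/> elements. Within a present section the <Subject>/<Resource>/
    <Action>/<Environment> elements are a disjunction and the matches inside
    each element a conjunction."""
    target = ET.fromstring(target_xml)
    for section in SECTIONS:
        holders = _children(target, section)
        if not holders:
            continue                       # omitted section: matches anything
        category = section[:-1]            # "Resources" -> "Resource"
        attrs = request.get(category, {})
        alternatives = _children(holders[0], category)
        if not any(all(_match_holds(m, attrs) for m in _children(alt, category + "Match"))
                   for alt in alternatives):
            return False
    return True
```

Dropping the Subject category from the request entirely still yields a match, because the target says nothing about subjects; changing the action to one not listed, or the environment zone to one other than internal, does not.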
XACML now provides for macro-like functionality via the <VariableReference> element. Wherever a <VariableReference>
occurs it stands for the referenced expression; once that expression has been evaluated to a
particular value, the value may be cached and reused for multiple references without changing the result.
XACML now addresses the general behaviors associated with
combining algorithms that take parameters.
The XACML specification now provides several new functions: time-in-range, string-concatenate, url-subtree-match, ipAddress-match
and dnsName-match.
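Of the new functions, time-in-range has the one edge case worth spelling out: a range whose end is earlier than its start extends past midnight. The following is an added example of that semantics written for this summary, not code from the specification; it assumes all three times are either naive or carry the same time zone, since comparing naive and aware Python times raises an error.

```python
from datetime import time


def time_in_range(t: time, start: time, end: time) -> bool:
    """XACML 2.0 time-in-range: inclusive on both ends; an end earlier than the
    start means the window wraps through midnight into the next day."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def naive_in_range(t: time, start: time, end: time) -> bool:
    """The comparison a hand-written condition often uses instead; it cannot
    express a window that crosses midnight (always False for 22:00-06:00)."""
    return start <= t <= end


# Constructed rule condition: maintenance actions are permitted only in the
# 22:00 to 06:00 window.
MAINTENANCE_START = time(22, 0)
MAINTENANCE_END = time(6, 0)


def maintenance_window_open(now: time) -> bool:
    return time_in_range(now, MAINTENANCE_START, MAINTENANCE_END)
```

Writing the window as two separate rules (22:00 to 23:59:59 and 00:00 to 06:00) is the usual workaround when time-in-range is unavailable; the single function avoids the off-by-one-second gap that workaround leaves at midnight.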
The XACML specification now provides several new datatypes: ipAddress, dnsName and xpath-expression.
The XACML specification has made the functions ordered-deny-overrides and ordered-permit-overrides normative.