[Draft document posted by Bill Parducci. "This document summarizes the changes made in XACML since XACML 1.0 that appear in the XACML 2.0 specification."]

Changes Since XACML 1.0

Profiles

Digital Signature

This Profile shows how the W3C XML-Signature Syntax and Processing standard can provide authentication and integrity protection for XACML schema instances. Rather than introduce new elements or features into XACML, it gives guidelines for using XML Signatures with XACML and is intended to be consistent with the Guidelines for using XML Signatures with the OASIS Security Assertion Markup Language wherever possible.

Hierarchical Resources

This Profile provides mechanisms for allowing a PEP to request access to a node in a hierarchical resource, such as an XML document or a file system. It also describes how to express policies that can apply to multiple nodes in a hierarchical resource.

Multiple Resources

This Profile introduces three ways of requesting access to multiple resources in a single request: an XPath expression in the resource-id attribute, a scope attribute on <Resource>, and multiple <Resource> elements.

LDAP

XACML <Policy> and <PolicySet> elements may be distributed from a PAP to a PDP by means of an LDAP repository. This Profile describes a conformant implementation built on three structural object classes: xacmlTargetInfo, xacmlPolicyInfo and xacmlPolicyInstance. It specifies the four normative behaviours needed to implement it: policy posting, policy retrieval, policy validation and policy combination.

Privacy

The XACML Privacy Profile introduces two entities: Custodian and Owner. The profile provides standard attributes and a standard <Rule> element for enforcing the purpose for which Owner information is collected and used by a Custodian.

RBAC

The RBAC Profile was created to establish XACML's applicability as a general-purpose access control language. Its intent is to provide a framework showing XACML policies that comply with the NIST definition of Role Based Access Control. The Profile introduces several new terms and concepts: junior role, multi-role permissions, RBAC, role and senior role.

SAML Integration

The XACML-SAML Profile was created to provide a common mechanism for the assertion and protocol functions XACML needs. It defines how SAML 2.0 is used to protect, transport and request XACML 2.0 schema instances and other information an XACML implementation needs. The profile uses six SAML query and statement types: AttributeQuery, AttributeStatement, XACMLPolicyQuery, XACMLPolicyStatement, XACMLAuthorizationDecisionQuery and XACMLAuthorizationDecisionStatement.

PEP Behavior

To better define the behaviour of systems that implement the specification, three PEP profiles have been defined: Base PEP, Deny-biased PEP and Permit-biased PEP. They differ in how the PEP treats a NotApplicable or Indeterminate decision, and a Permit or Deny whose accompanying obligations the PEP does not understand or cannot discharge.
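The following is an added example, not code from the draft or from the OASIS specification. It encodes the three profiles as one enforcement function so the differences can be exercised side by side. The obligation identifiers are constructed for the example; the choice to fail closed on a Deny with undischargeable obligations under the Base profile, and to raise for the cases the Base profile leaves unspecified, are this example's choices rather than rules from the profile.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


@dataclass
class Result:
    """A PDP result as the PEP sees it: the decision plus attached ObligationIds."""
    decision: Decision
    obligations: tuple = ()


# ObligationId URIs this PEP understands and can discharge (constructed example ids).
SUPPORTED_OBLIGATIONS = {
    "urn:example:obligation:log-access",
    "urn:example:obligation:watermark",
}


def _obligations_dischargeable(result: Result) -> bool:
    return all(o in SUPPORTED_OBLIGATIONS for o in result.obligations)


def enforce(result: Result, profile: str) -> bool:
    """Return True to grant access or False to refuse it, per the named PEP profile.

    profile is "base", "deny-biased" or "permit-biased".
    """
    decision = result.decision
    ok = _obligations_dischargeable(result)
    if profile == "deny-biased":
        # Only a Permit whose obligations can all be discharged opens the door;
        # NotApplicable, Indeterminate and anything with unknown obligations deny.
        return decision is Decision.PERMIT and ok
    if profile == "permit-biased":
        # Only a Deny whose obligations can all be discharged closes the door.
        # Read literally, NotApplicable, Indeterminate and even a Deny carrying an
        # obligation this PEP cannot discharge all result in access, which is why
        # deny-biased is the safe default.
        return not (decision is Decision.DENY and ok)
    if profile == "base":
        if decision is Decision.PERMIT:
            return ok                      # permit only if obligations can be met
        if decision is Decision.DENY:
            return False                   # fail closed either way (example's choice)
        # The Base profile does not specify NotApplicable / Indeterminate; refuse
        # loudly rather than guess (example's choice).
        raise RuntimeError(f"Base PEP: no defined behaviour for {decision.value}")
    raise ValueError(f"unknown PEP profile: {profile!r}")
```

A PEP that exposes the profile as configuration should default to "deny-biased": it is the only one of the three under which every decision the PDP can return, including an error, maps to a refusal unless a fully dischargeable Permit was issued.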

Schematic Changes

ANY

The <AnySubject/>, <AnyResource/> and <AnyAction/> elements have been removed from the specification. If no <Subjects> element is given in a <Target>, the policy or rule applies to any subject; the same logic now applies to <Resources>, <Actions> and <Environments>.

Versioning

PolicySetIdReference

The <PolicySetIdReference> element is now of type IdReferenceType, which extends xs:anyURI with three optional attributes: Version, EarliestVersion and LatestVersion.

PolicyIdReference

<PolicyIdReference> has been extended in the same manner as <PolicySetIdReference>. In both cases the version attributes take a restricted pattern syntax rather than full regular expressions: a version is a dot-separated sequence of numbers, '*' matches any single number and '+' matches any sequence of numbers.
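An added example (not from the draft or the specification) of resolving such a reference against the versions a repository holds. It implements the pattern syntax as described above; reading '+' as "one or more trailing numbers", treating EarliestVersion and LatestVersion as plain inclusive version bounds, and picking the highest matching version when several qualify are this example's assumptions, so check them against the specification text you implement.

```python
import re

# VersionType: one or more numbers separated by dots.
VERSION_RE = re.compile(r"^\d+(\.\d+)*$")
# VersionMatchType: numbers or '*' separated by dots, optionally ending in '+'.
PATTERN_RE = re.compile(r"^((\d+|\*)\.)*(\d+|\*|\+)$")


def parse_version(version: str) -> tuple:
    if not VERSION_RE.match(version):
        raise ValueError(f"not a VersionType value: {version!r}")
    return tuple(int(x) for x in version.split("."))


def version_matches(pattern: str, version: str) -> bool:
    """True if `version` (e.g. "1.2.3") matches the VersionMatchType `pattern`.

    '*' stands for exactly one numeric component; '+' (only allowed last) for one
    or more remaining components (the one-or-more reading is an assumption here).
    """
    if not PATTERN_RE.match(pattern):
        raise ValueError(f"not a VersionMatchType value: {pattern!r}")
    comps = parse_version(version)
    parts = pattern.split(".")
    for i, part in enumerate(parts):
        if part == "+":
            return len(comps) > i          # at least one component left to absorb
        if i >= len(comps):
            return False                   # pattern longer than the version
        if part != "*" and int(part) != comps[i]:
            return False
    return len(comps) == len(parts)        # no unmatched trailing components


def resolve_reference(available, version=None, earliest=None, latest=None):
    """Pick the version a <PolicyIdReference>/<PolicySetIdReference> selects.

    `available` holds the version strings the repository has for the referenced
    id; `version` is a VersionMatchType pattern; `earliest`/`latest` are plain
    inclusive VersionType bounds in this example. Returns the highest candidate
    as a string, or None if nothing qualifies (an unresolvable reference must
    surface as an error, never as a silently skipped policy).
    """
    lo = parse_version(earliest) if earliest is not None else None
    hi = parse_version(latest) if latest is not None else None
    candidates = []
    for v in available:
        cv = parse_version(v)
        if version is not None and not version_matches(version, v):
            continue
        if lo is not None and cv < lo:
            continue
        if hi is not None and cv > hi:
            continue
        candidates.append(cv)
    if not candidates:
        return None
    return ".".join(str(n) for n in max(candidates))
```

A reference that carries none of the three attributes accepts any version the repository offers, so a newer and possibly looser policy can be pulled in without anyone editing the referencing policy set; pinning at least LatestVersion keeps that change an explicit one.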

MissingAttributeDetail

This new element, which appears in <StatusDetail> when a result is Indeterminate with the status code urn:oasis:names:tc:xacml:1.0:status:missing-attribute, conveys which attributes required for policy evaluation were absent from the request context. It carries the AttributeId and DataType of each missing attribute and, optionally, AttributeValue children listing acceptable values. A PEP can use it to obtain the missing attributes and resubmit the request.
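An added example, not from the draft or the specification, of the PEP side of that exchange: parse a response, pull the MissingAttributeDetail entries out of an Indeterminate result, and decide whether a retry is possible. The response below is constructed for the example and lays the elements out in the XACML 2.0 context namespace as this example assumes the schema defines them; the attribute ids and the lookup callback are hypothetical.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"

# Constructed sample response (not from any real PDP): Indeterminate because the
# PDP needed two attributes the request did not carry. One of them lists the
# value that would have satisfied the policy.
SAMPLE_RESPONSE = f"""<Response xmlns="{CTX}">
  <Result ResourceId="urn:example:doc/42">
    <Decision>Indeterminate</Decision>
    <Status>
      <StatusCode Value="{MISSING_ATTRIBUTE}"/>
      <StatusMessage>required attribute missing</StatusMessage>
      <StatusDetail>
        <MissingAttributeDetail AttributeId="urn:example:attr:clearance"
                                DataType="{XS_STRING}"/>
        <MissingAttributeDetail AttributeId="urn:example:attr:device-trust"
                                DataType="{XS_INTEGER}">
          <AttributeValue DataType="{XS_INTEGER}">2</AttributeValue>
        </MissingAttributeDetail>
      </StatusDetail>
    </Status>
  </Result>
</Response>"""


def missing_attributes(response_xml: str):
    """Return [(attribute_id, datatype, [acceptable values])] for every Indeterminate
    <Result> whose StatusCode is missing-attribute; an empty list otherwise."""
    root = ET.fromstring(response_xml)
    ns = {"c": CTX}
    found = []
    for result in root.findall("c:Result", ns):
        if result.findtext("c:Decision", namespaces=ns) != "Indeterminate":
            continue
        code = result.find("c:Status/c:StatusCode", ns)
        if code is None or code.get("Value") != MISSING_ATTRIBUTE:
            continue
        for detail in result.findall("c:Status/c:StatusDetail/c:MissingAttributeDetail", ns):
            values = [v.text for v in detail.findall("c:AttributeValue", ns)]
            found.append((detail.get("AttributeId"), detail.get("DataType"), values))
    return found


def attributes_for_retry(response_xml: str, lookup):
    """Fetch each missing attribute through `lookup(attribute_id) -> value or None`
    (a hypothetical PIP callback). Returns the (id, datatype, value) triples to add
    to the resubmitted <Request>, or None when any attribute cannot be obtained;
    in that case the PEP must treat the Indeterminate as a refusal, not a Permit."""
    triples = []
    for attr_id, datatype, _acceptable in missing_attributes(response_xml):
        value = lookup(attr_id)
        if value is None:
            return None
        triples.append((attr_id, datatype, value))
    return triples
```

Note that the acceptable values the PDP lists are a hint about the policy, not something to echo back: the PEP should supply the subject's real attribute from a trusted source, otherwise the retry path becomes a way to assert whatever the policy wants to hear.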

Environments

<Target> now contains an <Environments> element, a disjunctive sequence of <Environment> elements, each of which is a conjunctive sequence of <EnvironmentMatch> elements; this mirrors the existing <Subjects>, <Resources> and <Actions> structure.

Macro Capabilities

Expression substitution groups

The <Expression> element is now the head of a substitution group: <Apply>, <AttributeValue>, the attribute designators, <AttributeSelector>, <Function> and <VariableReference> can appear wherever an <Expression> is allowed, such as inside <Condition> or as the arguments of <Apply>.

VariableReference

XACML now provides macro-like functionality via <VariableDefinition> and <VariableReference>. A <VariableDefinition> binds an identifier to an expression within a <Policy>; wherever a <VariableReference> with that identifier occurs it stands for that expression. Because evaluation depends only on the request context and has no side effects, the PDP may evaluate the expression once and cache the value for all references.

Combining Algorithm Parameters

XACML now describes the general behaviour of combining algorithms that take parameters, which are supplied through <CombinerParameters>, <RuleCombinerParameters>, <PolicyCombinerParameters> and <PolicySetCombinerParameters>.

New Functional Vocabulary

Functions

The XACML specification now provides several new functions: time-in-range, string-concatenate, url-subtree-match, ipAddress-match and dnsName-match.

Datatypes

The XACML specification now provides several new datatypes: ipAddress, dnsName and xpath-expression.

Algorithms

The XACML specification has made the ordered-deny-overrides and ordered-permit-overrides combining algorithms normative. They produce the same decisions as deny-overrides and permit-overrides, but require the rules or policies to be evaluated in the order in which they are listed.
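An added example, not code from the draft or the specification, of the rule-combining form of ordered-deny-overrides. It follows the deny-overrides logic of the 2.0 appendix (a Deny wins outright; an evaluation error in a rule whose Effect is Deny counts as a potential Deny and still beats a Permit; an error in a Permit rule yields Indeterminate only when nothing else decides) and evaluates the rules strictly in list order. The rules and request contexts are constructed; target matching is folded into each rule's condition for brevity.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


class Effect(Enum):
    PERMIT = "Permit"
    DENY = "Deny"


@dataclass
class Rule:
    rule_id: str
    effect: Effect
    # condition(ctx) -> True/False; an exception models an evaluation error such
    # as a missing attribute, which XACML reports as Indeterminate.
    condition: Callable[[Dict[str, str]], bool]


def evaluate_rule(rule: Rule, ctx: Dict[str, str]) -> Decision:
    """Condition True -> the rule's Effect; False -> NotApplicable; error -> Indeterminate."""
    try:
        applies = rule.condition(ctx)
    except Exception:
        return Decision.INDETERMINATE
    if not applies:
        return Decision.NOT_APPLICABLE
    return Decision.PERMIT if rule.effect is Effect.PERMIT else Decision.DENY


def ordered_deny_overrides(rules: List[Rule], ctx: Dict[str, str]) -> Tuple[Decision, List[str]]:
    """Ordered-deny-overrides rule combining. Returns (decision, ids evaluated in
    order) so a caller can see that evaluation followed the listed order and
    stopped at the first Deny."""
    at_least_one_error = False
    potential_deny = False
    at_least_one_permit = False
    order: List[str] = []
    for rule in rules:
        decision = evaluate_rule(rule, ctx)
        order.append(rule.rule_id)
        if decision is Decision.DENY:
            return Decision.DENY, order            # a single Deny settles it
        if decision is Decision.PERMIT:
            at_least_one_permit = True
        elif decision is Decision.INDETERMINATE:
            at_least_one_error = True
            # A rule that would have denied but could not be evaluated must not
            # be out-voted by a Permit: remember it as a potential Deny.
            if rule.effect is Effect.DENY:
                potential_deny = True
    if potential_deny:
        return Decision.DENY, order
    if at_least_one_permit:
        return Decision.PERMIT, order
    if at_least_one_error:
        return Decision.INDETERMINATE, order
    return Decision.NOT_APPLICABLE, order


# Constructed rules: two guards with Effect Deny ahead of the Permit they guard.
RULES = [
    Rule("deny-contractors", Effect.DENY, lambda c: c["role"] == "contractor"),
    Rule("deny-untrusted-device", Effect.DENY, lambda c: int(c["device-trust"]) < 2),
    Rule("permit-staff", Effect.PERMIT, lambda c: c["role"] == "staff"),
]
```

The case worth keeping in mind is a request that omits device-trust: the guard rule errors, the Permit rule matches, and the combined result is still Deny. The policy-combining variant of deny-overrides in 2.0 is stricter again and turns any Indeterminate into Deny outright.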