
eXtensible Access Control Markup Language

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: eXtensible Access Control Markup Language
Abbreviation: XACML
Developer: OASIS
Initial release: 2001
Latest release: 3.0 (2013)
Type: Access control policy language
License: OASIS

eXtensible Access Control Markup Language (XACML) is an XML-based policy language for expressing access control rules, policy decision requests, and responses. It enables interoperability among systems from vendors such as IBM, Oracle Corporation, HP Inc., Microsoft, and Amazon by providing standardized formats used in deployments involving the National Institute of Standards and Technology, the European Union Agency for Cybersecurity, and enterprise programs. XACML is governed by the OASIS consortium and has influenced standards adopted by organizations including Drummond Group and initiatives from World Wide Web Consortium collaborators.

Overview

XACML defines a declarative, attribute-based access control model that separates policy decision from policy enforcement; this design was informed by work at Sun Microsystems, Carnegie Mellon University, and researchers affiliated with MIT. The language specifies a Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Administration Point (PAP), and Policy Information Point (PIP), concepts comparable in scope to models used by National Security Agency projects, European Commission procurement specifications, and commercial offerings from Cisco Systems and Red Hat, Inc. Its syntax builds on Extensible Markup Language foundations and complements web standards such as those from the World Wide Web Consortium and IETF working groups.

History and Development

XACML originated in early work driven by OASIS committees in the late 1990s and early 2000s, with major releases in 2003, 2005, and version 3.0 in 2013. Influential contributors and implementers include teams at Sun Microsystems, IBM, and academics at Stanford University and University of Cambridge. Standardization efforts intersected with policy initiatives from European Union procurement frameworks and U.S. federal guidelines from NIST; this coordination led to profiles and extensions adopted by vendors such as Oracle Corporation and projects supported by Apache Software Foundation and Eclipse Foundation.

Architecture and Core Concepts

The XACML architecture specifies PEP, PDP, PAP, and PIP roles, mirroring enforcement architectures seen in systems from Microsoft and Red Hat, Inc. Policy structure uses PolicySet, Policy, Rule, Target, Condition, and Obligation elements described in XML schema documents akin to schemas published by W3C. Request/response interactions use attributes representing subjects, resources, actions, and environment, aligning with attributes used in implementations by AWS, Google Cloud Platform, and VMware. Combining algorithms (deny-overrides, permit-overrides, first-applicable) allow policy administrators from organizations like NATO and UN contractors to compose policies in federated environments. XACML also includes obligations and advice constructs that map to enforcement behaviors used by Cisco Systems and identity providers such as Okta and Ping Identity.

Profiles and Standards Compliance

XACML 3.0 defined multiple profiles to interoperate with profiles and protocols from SAML, Security Assertion Markup Language integrations used by European Commission institutions, and REST/JSON usage patterns favored by Google LLC and Amazon Web Services. Profiles cover RBAC mapping influenced by NIST publications, JSON Profile implementations used in cloud offerings from IBM and Microsoft Azure, and delegation profiles applied in projects with European Space Agency procurement. Compliance testing and conformance suites have been provided by groups including OASIS test committees and independent verification labs such as Drummond Group.

Implementations and Tools

Open-source implementations and commercial products implement XACML PDPs and PEPs; notable projects include efforts from Axiomatics AB, AuthZForce from Générer, Apache Software Foundation–related components, and libraries maintained by Red Hat, Inc. and ForgeRock. Tooling includes policy editors, debuggers, and test harnesses produced by vendors like IBM and community projects in ecosystems around Eclipse Foundation and GitHub. Integrations exist for identity management platforms from Okta, Ping Identity, and ForgeRock, as well as cloud-native gateways from Kong Inc. and NGINX, Inc.

Use Cases and Applications

XACML is used in enterprise access control for financial services (banks such as JPMorgan Chase and Goldman Sachs), healthcare systems aligned with standards from World Health Organization and regulatory regimes influenced by European Commission directives, and government systems following guidance from NIST and national cybersecurity centers like CISA. It supports attribute-based access control in multi-tenant cloud platforms from Amazon Web Services, Microsoft Azure, and Google Cloud Platform and is applied in education platforms associated with Harvard University and Stanford University research projects. Delegation, policy-based routing, and consent management scenarios use XACML alongside standards from IETF and the World Wide Web Consortium.

Security and Privacy Considerations

Security considerations include protecting PDP and PAP endpoints, securing attribute sources such as identity providers Okta and Ping Identity, and ensuring policy integrity in supply chains involving vendors like IBM and Oracle Corporation. Privacy concerns involve attribute minimization practices discussed in forums with European Data Protection Board and compliance with laws like General Data Protection Regulation where applicable. Threat modeling and mitigation strategies reference guidance from NIST publications and incident response practices used by CERT Coordination Center and national cyber agencies.

Category:Computer security standards