
QuickStudy: Extensible Access Control Markup Language (XACML)

May 19, 2003 12:00 PM ET

Computerworld - Maintaining security on their networks is critical for all companies. One primary tool that every network needs is access control—the ability to carefully define and enforce which users have what type of access to specific applications, data and devices.

When the network was contained within a single building or campus, the problem was relatively simple and generally handled by software that was hooked into the operating system. But today's networks involve interconnected segments distributed across the country and around the globe, and many of these are also joined to the public Internet.

The growing use of XML as the common mechanism for exchanging data makes it simpler and easier to find and use data from external sources. Applications can call upon automated, remotely based Web services to add new capabilities. But who's in charge? Access control has become harder to manage at the very time it's more important than ever.

One answer lies with two specialized variants of XML—Security Assertion Markup Language (SAML) and XACML. SAML defines how identity and access information is exchanged and lets organizations convey security information to one another without having to change their own internal security architectures. But SAML can only communicate information. How to use that information is where XACML comes in.

The language, which uses the same definitions of subjects and actions as SAML, offers a vocabulary for expressing the rules needed to define an organization's security policies and make authorization decisions. XACML has two basic components.

The first is an access-control policy language that lets developers specify the rules about who can do what and when. The other is a request/response language that presents requests for access and describes the answers to those queries.

XACML provides for fine-grained control of activities (such as read, write, copy, delete) based on several criteria, including the following:

  • Attributes of the user requesting access (e.g., "Only division managers and above can view this document.")

  • The protocol over which the request is made (e.g., "This data can be viewed only if it is accessed over HTTPS.")

  • The authentication mechanism (e.g., "The requester must have been authenticated using a digital device.")
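The two components described above (a policy language and a request/response language) and the attribute-, protocol- and action-based criteria in the list can be seen together in the following added example. It is not code from the article or from Sun's implementation: it is a small, self-contained Python evaluator for a constructed XACML 1.0-style policy that permits "read" on one report only to users whose role is "manager" and only when the request arrived over HTTPS, and denies everything else on that resource. The policy uses the standard XACML 1.0 namespace, function and attribute identifiers; the attribute ids beginning with "example:" (role, protocol) and the resource path are hypothetical. The request context is modelled as a Python dict standing in for the XACML Request document, and the evaluator implements only a subset of the language (string-equal matches, an Apply/string-one-and-only Condition, first-applicable rule combining), so it is a teaching aid rather than a conforming policy decision point.

```python
"""Minimal XACML 1.0-style policy evaluator (teaching subset, not a conforming PDP)."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed sample policy. Attribute ids beginning with "example:" are
# hypothetical; the urn:oasis identifiers are the standard XACML 1.0 ones.
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="report-policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><Subjects><AnySubject/></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{FN}string-equal">
      <AttributeValue DataType="{XS}">/reports/q1.pdf</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS}"/>
    </ResourceMatch></Resource></Resources><Actions><AnyAction/></Actions></Target>
  <Rule RuleId="managers-read-over-https" Effect="Permit">
    <Target><Subjects><Subject><SubjectMatch MatchId="{FN}string-equal">
        <AttributeValue DataType="{XS}">manager</AttributeValue>
        <SubjectAttributeDesignator AttributeId="example:role" DataType="{XS}"/>
      </SubjectMatch></Subject></Subjects><Resources><AnyResource/></Resources>
      <Actions><Action><ActionMatch MatchId="{FN}string-equal">
        <AttributeValue DataType="{XS}">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS}"/>
      </ActionMatch></Action></Actions></Target>
    <Condition FunctionId="{FN}string-equal">
      <Apply FunctionId="{FN}string-one-and-only">
        <EnvironmentAttributeDesignator AttributeId="example:protocol" DataType="{XS}"/></Apply>
      <AttributeValue DataType="{XS}">https</AttributeValue></Condition>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>"""

def q(tag): return f"{{{NS}}}{tag}"           # namespace-qualified tag name
def local(el): return el.tag.split("}")[1]    # tag name without the namespace

def evaluate_expr(el, request):
    tag = local(el)
    if tag == "AttributeValue":
        return el.text
    if tag.endswith("AttributeDesignator"):     # -> bag of values from the request context
        category = tag.replace("AttributeDesignator", "").lower()  # subject/resource/action/environment
        return request.get(category, {}).get(el.get("AttributeId"), [])
    fn = el.get("FunctionId")                   # <Condition> or <Apply>
    args = [evaluate_expr(child, request) for child in el]
    if fn == FN + "string-equal":
        return args[0] == args[1]
    if fn == FN + "string-one-and-only":
        if len(args[0]) != 1:                   # attribute missing or multi-valued
            raise ValueError("bag must hold exactly one value")
        return args[0][0]
    raise ValueError(f"unsupported function {fn}")

def match_group(group, request):
    # <Subjects>/<Resources>/<Actions>: Any* matches all; else one child must match fully
    for child in group:
        if local(child).startswith("Any"):
            return True
        if all(evaluate_match(m, request) for m in child):
            return True
    return False

def evaluate_match(m, request):                 # only MatchId string-equal is supported here
    value = m.find(q("AttributeValue")).text
    designator = next(c for c in m if local(c).endswith("AttributeDesignator"))
    return value in evaluate_expr(designator, request)

def evaluate_rule(rule, request):
    target = rule.find(q("Target"))             # absent Target: rule covers the whole policy Target
    if target is not None and not all(match_group(g, request) for g in target):
        return "NotApplicable"
    cond = rule.find(q("Condition"))
    try:
        if cond is not None and evaluate_expr(cond, request) is not True:
            return "NotApplicable"
    except ValueError:
        return "Indeterminate"                  # e.g. the protocol attribute was absent
    return rule.get("Effect")

def evaluate_policy(policy_xml, request):
    policy = ET.fromstring(policy_xml)
    if not all(match_group(g, request) for g in policy.find(q("Target"))):
        return "NotApplicable"
    assert policy.get("RuleCombiningAlgId").endswith(":first-applicable")
    for rule in policy.findall(q("Rule")):      # first-applicable: first non-NotApplicable wins
        decision = evaluate_rule(rule, request)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"

def make_request(role, action, resource, protocol=None):
    # Request context as a dict; stands in for the XACML <Request> document.
    return {"subject": {"example:role": [role]}, "resource": {RESOURCE_ID: [resource]}, "action": {ACTION_ID: [action]},
            "environment": {"example:protocol": [protocol]} if protocol else {}}
```

Calling `evaluate_policy(POLICY_XML, make_request("manager", "read", "/reports/q1.pdf", "https"))` yields Permit; the same request over "http", or from a "clerk", yields Deny from the catch-all rule; a request for a different resource falls outside the policy Target and yields NotApplicable; and a request with no protocol attribute at all yields Indeterminate rather than Permit, because string-one-and-only refuses an empty bag. That last case is the one worth noticing in practice: a missing attribute must never be silently treated as a match, and the enforcement point has to decide what to do with NotApplicable and Indeterminate answers (usually: deny).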


Strengths

XACML was designed to replace existing, usually application-specific, proprietary access-control mechanisms. Prior to the new language, every application vendor had to create its own custom method for specifying access control, and these typically couldn't talk to one another. The first implementation of XACML was created by Sun Microsystems Inc. in Java and is available at http://sunxacml.sourceforge.net. According to Sun, XACML has a number of advantages over other access-control policy languages:

• Security administrators can describe an access-control policy once, without having to rewrite it numerous times in different application-specific languages.

• Application developers don't have to invent their own policy languages and write code to support them; they can reuse existing, standardized code.

• XACML is intended to be primarily a machine-generated language. XACML creators expect that easy-to-use tools for writing and managing XACML policies will be developed, since they can be used with many applications.

• XACML can accommodate most access-control policy needs and also support new requirements as they emerge.

• A single XACML policy can be applied to many resources. This helps avoid inconsistencies and eliminates duplication of effort in creating policies for different resources.

• With XACML, one policy can refer to another. In a large organization, for instance, a policy for a specific site might reference both a companywide policy and a country-specific policy.

History

XACML was developed by a team that included people from Entrust Inc., IBM, OpenNetworks.org, Quadrasis Inc., Sterling Commerce Inc., Sun and BEA Systems Inc.

In February, XACML was adopted as a standard by the Organization for the Advancement of Structured Information Standards (OASIS).

Kay (russkay@charter.net) is a Computerworld contributing writer in Worcester, Mass.

Figure: XACML in Use