OASIS XACML v3.0
Title: eXtensible Access Control Markup Language (XACML) Version 3.0
Category: Access Control
Date: 22 January 2013
Creator: OASIS eXtensible Access Control Markup Language (XACML) TC
URL: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
Description: XACML is a general-purpose access control policy language. This means that it provides a syntax (defined in XML) for managing access to resources based on applicable policies combined with asserted facts about (“attributes” of) an authenticated user, the type of access requested, the protected information resource, and the environment or context of the transaction. XACML is used to implement attribute-based access control (ABAC.)
Privacy: Privacy-enhancing.—ABAC as implemented with XACML enhances privacy by: (1) eliminating the need for relying-party systems to maintain user accounts with names and other identifying information; (2) supporting implementations that require only the minimum user information required by an access policy; and (3) enabling consistent and detailed compliance with policies on access to privacy-sensitive data of relying parties.
Security: Secure and resilient.—XACML lets custodians of protected information resources enforce compliance with all policies applicable to access to a protected resource at an arbitrarily precise level, e.g, an individual row in a database or even individual data elements within a record. This can dramatically reduce the damage done by malevolent insiders or other attackers who have obtained an authentication credential.
Interoperability: Interoperable.—Via Profiles (nominated separately), XACMLv3 is used in conjunction with SAMLv2, JSON and REST. Implementers have also deployed XACML-based authorization solutions that leverage User attributes in OAUTH2 tokens.
Terms: